10-11-2018 11:08 PM - edited 02-21-2020 08:20 AM
Hello
We currently have a site-to-site VPN from outside interface 5555x to a 3rd party. Our staff access services inside their network and they can access some servers on our side through the VPN. My question: is it possible to allow them through the VPN and out through the inside interface of the firewall into our ISP MPLS network so they can access services in the MPLS network? If so, what's the easiest solution please?
Thanks
10-12-2018 03:03 AM
Can you explain more, or do you have any diagram which shows the traffic flow you are looking to achieve?
10-12-2018 01:09 PM
10-12-2018 02:04 PM
Of course this is possible. You just need to make sure that routing through the MPLS network is correct and add the IP subnet or IP of the network on the other side of the MPLS network as a source in the VPN configuration. The remote side needs to add the IP as a remote network.
10-12-2018 02:41 PM
Hi
Thanks for responding. I'm assuming I also need to add a rule on the FW inside interface, as the 3rd party have come in through the VPN on the outside interface and need routing out through the inside interface? Is that right?
10-15-2018 10:26 AM
No, you would not add an access-list rule on the inside interface for this. It is the crypto ACL configured for the site-to-site VPN which will regulate what the users are allowed to reach. If you want to restrict access to a specific port you could also use the VPN filter if you do not have a FW between the site-to-site VPN FW and the MPLS network. You do need to make sure that there is routing towards the MPLS network you want the users on the S2S VPN to reach, but I am assuming this is already in place.
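As an added illustration of the answer above (this is example configuration written for this thread, not anything posted by the participants or taken from the original firewall), here is how the pieces fit together on a Cisco ASA running post-8.3 NAT syntax. All names and addresses are hypothetical: 10.10.10.0/24 stands for the local LAN already reachable through the tunnel, 10.20.0.0/16 for the subnet behind the ISP MPLS network, 10.10.10.254 for the MPLS CE router hop on the inside interface, 192.168.100.0/24 for the 3rd party's network, and 203.0.113.10 for the 3rd party's VPN peer.

```cisco
! --- Crypto ACL: local side is the source, remote side the destination.
! The second line is the new entry that extends the tunnel to the MPLS-side subnet;
! the 3rd party must mirror it (10.20.0.0/16 as a remote network) or phase 2 will not match.
object network LOCAL-LAN
 subnet 10.10.10.0 255.255.255.0
object network MPLS-NET
 subnet 10.20.0.0 255.255.0.0
object network PARTNER-NET
 subnet 192.168.100.0 255.255.255.0
object-group network LOCAL-NETS
 network-object object LOCAL-LAN
 network-object object MPLS-NET

access-list VPN-3RDPARTY extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list VPN-3RDPARTY extended permit ip 10.20.0.0 255.255.0.0 192.168.100.0 255.255.255.0

! --- Identity (twice) NAT so tunnelled traffic to the MPLS subnet is not translated.
! route-lookup makes the ASA use the routing table (inside) for the egress interface.
nat (inside,outside) source static LOCAL-NETS LOCAL-NETS destination static PARTNER-NET PARTNER-NET no-proxy-arp route-lookup

! --- Routing: the decrypted packets must have a route out of the inside interface
! towards the MPLS CE; the CE (and the MPLS side) must in turn route 192.168.100.0/24
! back to the ASA inside address, otherwise replies never reach the tunnel.
route inside 10.20.0.0 255.255.0.0 10.10.10.254 1

! --- Optional VPN filter: restrict the 3rd party to one service (HTTPS here) on the
! MPLS subnet. vpn-filter ACLs are written with the REMOTE network as the source.
access-list PARTNER-VPN-FILTER extended permit tcp 192.168.100.0 255.255.255.0 10.20.0.0 255.255.0.0 eq 443
access-list PARTNER-VPN-FILTER extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
group-policy PARTNER-GP internal
group-policy PARTNER-GP attributes
 vpn-filter value PARTNER-VPN-FILTER
tunnel-group 203.0.113.10 general-attributes
 default-group-policy PARTNER-GP

! --- Bind the crypto ACL to the existing crypto map entry for this peer.
crypto map OUTSIDE_MAP 10 match address VPN-3RDPARTY
```

No interface ACL is involved: traffic arrives encrypted on outside, is decrypted, is checked against the vpn-filter (if one is applied) and then follows the route out of inside. Two things commonly break this in practice and are worth checking before anything else: the return route on the MPLS side for the partner subnet, and the identity NAT covering the new MPLS subnet, since a missing NAT exemption silently translates the traffic and the tunnel selector no longer matches.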
10-15-2018 01:25 PM
Hi ( thanks for responding)
The site-to-site VPN firewall is also the firewall that's allowing traffic into the ISP MPLS; there is only one firewall. So, VPN from 3rd party to outside interface of our firewall: the crypto map does allow them to access some services inside our LAN, but I want them to go out to the ISP MPLS network, which is from the inside interface to the outside interface of the firewall. So I'm assuming I need an ACL for this?
Thanks