Firewall

benolyndav
Level 4

Hello

We currently have a site-to-site VPN from outside interface 5555x to a 3rd party. Our staff access services inside their network and they can access some servers on our side through the VPN. My question: is it possible to allow them through the VPN and out through the inside interface of the firewall into our ISP MPLS network so they can access services in the MPLS network? If so, what's the easiest solution please?

 

Thanks

6 Replies

balaji.bandi
Hall of Fame

Can you explain more, or do you have a diagram which shows the traffic flow you are looking to achieve?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi

Hope this helps, thanks for responding.

Of course this is possible. You just need to make sure that routing through the MPLS network is correct and add the IP subnet or IP of the network on the other side of the MPLS network as a source in the VPN configuration. The remote side needs to add the IP as a remote network.

--
Please remember to select a correct answer and rate helpful posts

Hi

Thanks for responding. I'm assuming I also need to add a rule on the FW inside interface, as the 3rd party has come in through the VPN on the outside interface and needs routing out through the inside interface? Is that right?

No, you would not add an access-list rule on the inside interface for this. It is the crypto ACL configured for the site-to-site VPN which will regulate what the users are allowed to reach. If you want to restrict access to a specific port you could also use the VPN filter if you do not have a FW between the site-to-site VPN FW and the MPLS network. You do need to make sure that there is routing towards the MPLS network you want the users on the S2S VPN to reach, but I am assuming this is already in place.

--
Please remember to select a correct answer and rate helpful posts
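To make the two answers above concrete, here is an added configuration example that is not from this thread or from any poster. It assumes a Cisco ASA with an `outside` interface facing the 3rd-party peer and an `inside` interface facing the ISP MPLS network; all addresses, object names, the peer IP and the next hop are constructed for illustration (RFC 5737/1918 documentation ranges). It shows the three pieces the replies describe: a route towards the MPLS subnet, the MPLS subnet added to the crypto ACL (interesting traffic) as a local network, and an optional vpn-filter that limits the 3rd party to one port on the MPLS subnet while leaving LAN access as it was.

```cisco
! Constructed example (not the original poster's config). Cisco ASA 9.x, IKEv2 L2L.
! Assumed topology and addresses:
!   LAN behind the ASA (already reachable by the 3rd party) : 10.0.0.0/24
!   Subnet reached through the ISP MPLS (to be added)       : 10.20.0.0/24
!   3rd-party network (remote side of the tunnel)           : 192.0.2.0/24
!   3rd-party VPN peer                                      : 198.51.100.1
!   Next hop towards the MPLS network, on "inside"          : 10.0.0.254

! 1. Routing: the MPLS subnet must be reachable via the inside interface,
!    otherwise decrypted packets have nowhere to go.
route inside 10.20.0.0 255.255.255.0 10.0.0.254 1

! 2. Network objects for the local networks and the remote network.
object network LAN_NET
 subnet 10.0.0.0 255.255.255.0
object network MPLS_NET
 subnet 10.20.0.0 255.255.255.0
object-group network LOCAL_VPN_NETS
 network-object object LAN_NET
 network-object object MPLS_NET
object network THIRD_PARTY_NET
 subnet 192.0.2.0 255.255.255.0

! 3. Crypto ACL: MPLS_NET is added as a *source* (local side) so traffic to and
!    from it is encrypted. The 3rd party must mirror this as a remote network.
access-list VPN_TO_3RDPARTY extended permit ip object-group LOCAL_VPN_NETS object THIRD_PARTY_NET

! 4. NAT exemption (identity twice-NAT) for both local networks, so VPN traffic
!    is not translated and the crypto ACL matches the real addresses.
nat (inside,outside) source static LOCAL_VPN_NETS LOCAL_VPN_NETS destination static THIRD_PARTY_NET THIRD_PARTY_NET no-proxy-arp route-lookup

! 5. IKEv2 / IPsec parameters and the crypto map bound to the outside interface.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE_MAP 10 match address VPN_TO_3RDPARTY
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside

! 6. Optional vpn-filter. With the default "sysopt connection permit-vpn",
!    decrypted tunnel traffic bypasses the interface ACLs, so per-port control
!    for the tunnel lives here. The filter ACL is written from the remote side's
!    perspective: source = 3rd party, destination = our networks.
!    LAN access stays unrestricted; the MPLS subnet is limited to TCP/443.
access-list VPN_FILTER_3RDPARTY extended permit ip object THIRD_PARTY_NET object LAN_NET
access-list VPN_FILTER_3RDPARTY extended permit tcp object THIRD_PARTY_NET object MPLS_NET eq 443
group-policy GP_3RDPARTY internal
group-policy GP_3RDPARTY attributes
 vpn-filter value VPN_FILTER_3RDPARTY
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 general-attributes
 default-group-policy GP_3RDPARTY
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
```

To verify after applying, `show crypto ipsec sa peer 198.51.100.1` should list a separate SA for the 10.20.0.0/24 <-> 192.0.2.0/24 pair once interesting traffic has flowed, and `packet-tracer input outside tcp 192.0.2.10 1025 10.20.0.10 443` walks the decrypted flow through the route, NAT exemption and vpn-filter stages so a mismatch on either side shows up before the 3rd party reports a failure. Note that the vpn-filter applies to the whole tunnel-group, so any restriction it adds also has to allow the access the 3rd party already had to the LAN.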

Hi (thanks for responding)

The site-to-site VPN firewall is also the firewall that's allowing traffic into the ISP MPLS; there is only one firewall. So the VPN from the 3rd party terminates on the outside interface of our firewall, and the crypto map does allow them to access some services inside our LAN, but I want them to go out to the ISP MPLS network, which is inside interface to outside interface of the firewall. So I'm assuming I need an ACL for this?

 

Thanks
