We currently have a site-to-site VPN from outside interface 5555x to a 3rd party. Our staff access services inside their network, and they can access some servers on our side through the VPN. My question: is it possible to allow them through the VPN and out through the inside interface of the firewall into our ISP MPLS network so they can access services in the MPLS network? If so, what's the easiest solution, please?
Of course this is possible. You just need to make sure that routing through the MPLS network is correct and add the IP subnet or IP of the network on the other side of the MPLS network as a source in the VPN configuration. The remote side needs to add the IP as a remote network.
Thanks for responding. I'm assuming I also need to add a rule on the FW inside interface, as the 3rd party have come in through the VPN on the outside interface and need routing out through the inside interface? Is that right?
No, you would not add an access-list rule on the inside interface for this. It is the crypto ACL configured for the site-to-site VPN that regulates what the users are allowed to reach. If you want to restrict access to a specific port, you could also use the VPN filter if you do not have a FW between the site-to-site VPN FW and the MPLS network. You do need to make sure that there is routing towards the MPLS network you want the users on the S2S VPN to reach, but I am assuming this is already in place.
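The answer above describes three pieces (crypto ACL, routing, optional VPN filter). The fragment below is an added illustration, not configuration from either poster; it assumes a Cisco ASA (the thread's "crypto map" and "VPN filter" wording suggests one) and every subnet, object name and next-hop in it is a constructed placeholder. It also adds the identity NAT that an ASA needs so the new subnet is not translated before it enters the tunnel, which the thread does not mention.

```cisco
! Constructed example, not from the thread. Assumes a Cisco ASA;
! all addresses, object names and the MPLS next-hop are placeholders.
!
! Local networks the remote peer is allowed to reach over the tunnel.
object-group network LOCAL-VIA-VPN
 network-object 172.16.0.0 255.255.255.0     ! existing LAN already reachable today
 network-object 192.168.50.0 255.255.255.0   ! NEW: subnet on the far side of the ISP MPLS
!
object network PEER-LAN
 subnet 10.10.10.0 255.255.255.0             ! 3rd-party network behind the tunnel
!
! Crypto ACL: adding the MPLS subnet here makes it "interesting traffic".
! The peer must add the mirror image (10.10.10.0/24 -> 192.168.50.0/24)
! to its own crypto ACL or the proposal will not match.
access-list VPN-TO-PARTNER extended permit ip object-group LOCAL-VIA-VPN object PEER-LAN
!
! Identity (no-NAT) rule so the MPLS subnet keeps its real address
! when it is sent towards the peer.
nat (inside,outside) source static LOCAL-VIA-VPN LOCAL-VIA-VPN destination static PEER-LAN PEER-LAN no-proxy-arp route-lookup
!
! Route towards the MPLS subnet via the provider edge on the inside segment.
route inside 192.168.50.0 255.255.255.0 172.16.0.254 1
!
! Optional VPN filter. It is evaluated on decrypted traffic with the
! REMOTE side as the source, so this limits the partner to TCP/443 on the
! MPLS subnet while leaving the existing LAN access as it was.
! Anything not listed is dropped by the filter's implicit deny.
access-list PARTNER-VPN-FILTER extended permit tcp object PEER-LAN 192.168.50.0 255.255.255.0 eq 443
access-list PARTNER-VPN-FILTER extended permit ip object PEER-LAN 172.16.0.0 255.255.255.0
group-policy PARTNER-GP internal
group-policy PARTNER-GP attributes
 vpn-filter value PARTNER-VPN-FILTER
tunnel-group 203.0.113.10 general-attributes
 default-group-policy PARTNER-GP
```

Two things worth checking after applying something like this: `show crypto ipsec sa` should show a new SA pair for the 192.168.50.0/24 selector once traffic flows, and `packet-tracer input inside tcp 192.168.50.10 443 10.10.10.5 12345` should end in the VPN encrypt phase rather than a NAT or route drop.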
Hi (thanks for responding).
The site-to-site VPN firewall is also the firewall that's allowing traffic into the ISP MPLS; there is only one firewall. So, for the VPN from the 3rd party to the outside interface of our firewall, the crypto map does allow them to access some services inside our LAN, but I want them to go out to the ISP MPLS network, which is inside interface to outside interface of the firewall. So I'm assuming I need an ACL for this?