01-15-2007 12:18 PM - edited 03-11-2019 02:19 AM
I have the following problem:
I have a VPN that I need to set up with a remote office. The purpose of this VPN is to be able to support the servers and PCs at the remote office, so the main office needs access to the whole IP range (i.e. 192.168.0.0 255.255.255.0). Now, while I want to be able to have full access from the main office to the remote office, I don't want the remote office to be able to access any of the machines at the main office.
My question is then: can I restrict the VPN traffic to only one way? If I have an outside_cryptomap_# access-list set up to allow the traffic over the VPN, can I then restrict it further by adding a deny in my outside_access_in access-list, or does it just skip those altogether?
01-15-2007 12:22 PM
To update...
The devices that will be terminating the VPN will be PIX 515s software version 7.1(1). I need to be able to restrict with commands on the main office PIX because the remote office PIX is accessible by other technicians.
01-15-2007 12:24 PM
The only way I have heard of ACL'ing VPN traffic on the same box as the VPN endpoint is to use a loopback interface and PBR. I've never done it though. A firewall of course could take care of it for you. Hopefully, if there is a better way, someone will post it.
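For reference, here is an added configuration example (not the poster's configuration and not from any reply in this thread) showing one way to get the one-way behaviour asked for in the question on a PIX running 7.x, without a loopback or PBR. It assumes a main office LAN of 10.1.1.0/24 behind the "inside" interface, the remote office LAN 192.168.0.0/24 from the question, a remote PIX outside address of 203.0.113.2 (a documentation placeholder), and a pre-shared key placeholder; the ACL and crypto map names follow the outside_cryptomap_# / outside_access_in convention used in the question. The key points are that the crypto ACL only selects traffic for the tunnel and is matched symmetrically, so it cannot make the tunnel one-way by itself, and that PIX 7.x bypasses the interface ACL for decrypted IPsec traffic unless `sysopt connection permit-vpn` is turned off.

```cisco
! Added example, not the poster's config. Assumptions: main office LAN
! 10.1.1.0/24 on "inside", remote LAN 192.168.0.0/24 (from the question),
! remote peer 203.0.113.2 (placeholder), pre-shared key PLACEHOLDER.

! 1. Crypto ACL: defines "interesting" traffic for the tunnel. The remote
!    PIX has the mirror image, and decrypted packets are checked against it
!    in reverse, so it permits both directions and cannot restrict direction.
access-list outside_cryptomap_10 extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0

! NAT exemption for tunnel traffic (assumes NAT is in use on inside).
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 2. By default, decrypted IPsec traffic bypasses the outside interface ACL.
!    Turn that off so outside_access_in is applied to tunnel traffic too.
!    Note: this affects every VPN tunnel terminating on this PIX.
no sysopt connection permit-vpn

! 3. Inbound ACL on outside: deny anything the remote LAN initiates toward
!    the main office. Return packets for sessions the main office started
!    are allowed by the stateful connection table, not by this ACL, so
!    support traffic from the main office still works.
access-list outside_access_in extended deny ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
! ... permits for any non-VPN inbound traffic you already allow go here ...
access-group outside_access_in in interface outside

! 4. Standard LAN-to-LAN tunnel pieces (PIX 7.x syntax).
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key PLACEHOLDER
```

Because all of this is configured on the main office PIX, the remote PIX (which other technicians can reach) does not need to cooperate: even if its side is left wide open, the main office PIX drops anything the remote LAN tries to initiate. If turning off `sysopt connection permit-vpn` globally is undesirable because other tunnels on the box rely on the bypass, the same deny ACL can instead be applied per tunnel with a `vpn-filter` in the group-policy tied to this tunnel-group; that keeps the bypass for other tunnels, but the filter ACL is written from the remote network's point of view. Verify with `show access-list outside_access_in` (hit counts on the deny line while the remote side is tested) and `show crypto ipsec sa` (encaps/decaps counters for the 10.1.1.0/24 to 192.168.0.0/24 SA).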