cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
725
Views
0
Helpful
2
Replies

ASA VPN Site to Site

rabih_saleh
Beginner
Beginner

Hello,

I would like to do VPN site to site using ASA 5520 and i have a few question if you don't mind :

Site A:

Peer IP address: aaa.aaa.aaa.aaa/32

Local Network: bbb.bbb.bbb.bbb/32

Site B:

Peer IP Address: xxx.xxx.xxx.xxx/32

Local network: yyy.yyy.yyy.yyy/32

on  the wizard site to site vpn (site B) the peer network should be the  site A and the local network should be the site B and remote network  should be the site A right ?

the local network IP  address should be not be used right by another devices right ? i can use  use a single IP address instead of network range on local and remote  network ? since the customer on site A provide me a single IP address ?

can  i allow on site A to browse only a single IP address on my site B and  allowing only ports 80 and 443, please can you provide me example i  prefer ASDM .

Thanks and waiting for your help.

2 Accepted Solutions

Accepted Solutions

Jouni Forss
Mentor
Mentor

Hi,

I can only really give an example of this using the CLI (or I rather do that as I dont use ASDM almost at all)

Do you have any already existing L2L / Site to Site VPN connections on the ASA?

Could you share your current configuration (Remove any sensitive information) so we can take into consideration any existing configurations you have

Have you agreed on what the L2L VPN Phase1 and Phase2 parameters will be with the other sites technical contact that is going to configure their side of the L2L VPN?

- Jouni

View solution in original post

jesmuril
Beginner
Beginner

Hi,

Yes, you may configure only one host to communicate across the VPN tunnel, and you may define which ports to allow, specifying which are going to be the source and destination ports within their proper hosts.

access-list site-A permit tcp host   eq 80 host

access-list site-A permit tcp host   eq 443 host

access-list site-B permit tcp host host eq 80

access-list site-B permit tcp host host eq 443

So we are saying that host-B is going to access host-A on port 80 and 443.

or as well you may configure a VPN filter:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Hope this information becomes handy.

Cheers,

Jessica Murillo

Cisco TAC VPN engineer

*** Please rate the post if it was helpful

View solution in original post

2 Replies 2

Jouni Forss
Mentor
Mentor

Hi,

I can only really give an example of this using the CLI (or I rather do that as I dont use ASDM almost at all)

Do you have any already existing L2L / Site to Site VPN connections on the ASA?

Could you share your current configuration (Remove any sensitive information) so we can take into consideration any existing configurations you have

Have you agreed on what the L2L VPN Phase1 and Phase2 parameters will be with the other sites technical contact that is going to configure their side of the L2L VPN?

- Jouni

jesmuril
Beginner
Beginner

Hi,

Yes, you may configure only one host to communicate across the VPN tunnel, and you may define which ports to allow, specifying which are going to be the source and destination ports within their proper hosts.

access-list site-A permit tcp host   eq 80 host

access-list site-A permit tcp host   eq 443 host

access-list site-B permit tcp host host eq 80

access-list site-B permit tcp host host eq 443

So we are saying that host-B is going to access host-A on port 80 and 443.

or as well you may configure a VPN filter:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Hope this information becomes handy.

Cheers,

Jessica Murillo

Cisco TAC VPN engineer

*** Please rate the post if it was helpful

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers