Blocking remote network - site-to-site vpn

Lentini32
Level 1

Hello,

I have a site-to-site VPN already established, everything is working as it should.  I'm trying to block the remote network from accessing our network since we only need to access theirs.  I'm sure this is something very easy to implement with an ACL but I'm not sure where this rule needs to go. The VPN is on ASA 5505. 

Example:

Site A - Local Network - 1.1.1.0/24

Site B - Remote Network - 2.2.2.0/24 - want to block this network from accessing local

Any help or guidance would be appreciated.


Thanks in advance,

-j

Accepted Solution
Jennifer Halim
Cisco Employee

You are right. ACL is the easiest way to go.

You can configure ACL in the outbound direction of the internal interface as follows:

access-list inside-acl-out deny ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0

access-list inside-acl-out permit ip any any

access-group inside-acl-out out interface

With the above ACL, it will block all traffic originating from the remote VPN network outbound towards the internal interface while allowing everything else (e.g. traffic originating from other interfaces of the ASA) to originate connections towards the internal network.

Hope this helps.

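To sanity-check the rule set above before pushing it to the ASA, here is a small first-match evaluator (added example, not part of the original thread or Cisco's tooling) that parses the two access-list lines exactly as written and reports which connection attempts they permit or deny. It models only connection initiation: return traffic for sessions opened from 1.1.1.0/24 is allowed by the ASA's stateful connection table, not by this ACL, so an ACL check alone does not tell you whether replies flow.

```python
import ipaddress

# The ACL text from the answer above (ASA uses real subnet masks, not wildcards).
ACL_TEXT = """
access-list inside-acl-out deny ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list inside-acl-out permit ip any any
"""


def parse_ace(line):
    """Parse 'access-list NAME {permit|deny} ip SRC MASK DST MASK' into
    (name, action, src_network, dst_network). Only protocol 'ip' is handled."""
    tok = line.split()
    name, action = tok[1], tok[2]
    assert tok[3] == "ip", "this helper only understands 'ip' ACEs"
    rest, nets = tok[4:], []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32"))
            rest = rest[2:]
        else:  # address followed by subnet mask
            nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False))
            rest = rest[2:]
    return name, action, nets[0], nets[1]


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.startswith("access-list")]


def evaluate(acl, src, dst):
    """First matching entry wins; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, action, srcnet, dstnet in acl:
        if s in srcnet and d in dstnet:
            return action
    return "deny"


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed sample flows: remote->local, another interface->local, remote->elsewhere
    for src, dst in [("2.2.2.10", "1.1.1.20"), ("10.9.9.9", "1.1.1.20"), ("2.2.2.10", "10.9.9.9")]:
        print(f"{src} -> {dst}: {evaluate(ACL, src, dst)}")
```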

5 Replies

Jennifer,

Thank you very much for the detailed reply.  I'll give it a try.

Again, thanks.

-j

Cheers, let us know how it goes.

Looking good so far =)  Thank you!

Excellent, thanks for the update. Please kindly mark the post as answered so others can learn from your post. Thank you.