Issues accessing remote network over Site-To-Site VPN
I have a PIX 515 and am working with a Site-to-Site VPN. When I do not specify a filter on the Group Policy I can successfully access the remote network and the remote network can access my local network. However this by itself poses a securty risk for my local servers. I need to be able to access the remote network fully, however only one or two workstations on the remote network need to access mine.
If I add access-list vpn-remote-site extended permit ip host remote-wkstn1 any then only the remote workstation can access my remote network. This gets me a step closer as now only the remote workstation can access my network effectively denying everything else. However, from my local network I can now only access the remote workstation and not all of the other devices.
Is there is anyway around this? I do not have any control over the remote firewall and would like to make sure it is secured on my end.
However, on a second thought you could policy NAT the outgoing traffic and use for example 1 IP address in your (global) interface to use it sort of as a PAT address if you will and have ALL your internal networks PAted with 1 pre-defined IP to talk to any destination network at the far end of the tunnel, this will be a one direction traffic only initiated by your end, in turn the far end network will not be able to initiate any traffic to the global PAT address. If I have time I will give you example later.
As for them connecting to specific hosts on your network over the same tunnel then add one of more acl with nonat excempt rules on the same encryption domain acl for them to access the only hosts you want them to connect to .
Learn about the rapidly evolving cyberthreat landscape and how both organizations and users can protect themselves as we transition to a forever hybrid world through a conversation with Cisco Talos Security Research Leader for Europe, Middle East, Africa,...
When we said the word “hybrid” in the past, it usually recalled the image of a new variety of plant or maybe an electric car. These days, it applies to the workplace too.
The future of work isn’t “changing” to a h...
Thanks for attending our Ask the Experts (ATXs) session! Here’s the post-session resources for easy reference.
New to ATXs? An ATXs session, offered at no cost, is an hour of real-time learning led by Cisco experts, who will answer your technology q...
Cisco Secure Endpoint
New packages fit for every organization
Every Cisco Secure Endpoint (formerly AMP for Endpoints) package comes with Cisco SecureX built-in. It’s our cloud-native platform that integrates all your security solutions into one view wit...