Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
583
Views
0
Helpful
1
Replies

Issues accessing remote network over Site-To-Site VPN

ngthen
Level 1
Level 1

‎09-15-2011 08:27 AM

I have a PIX 515 and am working with a Site-to-Site VPN.  When I do not specify a filter on the Group Policy I can successfully access the remote network and the remote network can access my local network.  However this by itself poses a securty risk for my local servers.  I need to be able to access the remote network fully, however only one or two workstations on the remote network need to access mine.

If I add access-list vpn-remote-site extended permit ip host remote-wkstn1 any then only the remote workstation can access my remote network.  This gets me a step closer as now only the remote workstation can access my network effectively denying everything else.  However, from my local network I can now only access the remote workstation and not all of the other devices.

Is there is anyway around this?  I do not have any control over the remote firewall and would like to make sure it is secured on my end.

Labels:
0 Helpful
1 Reply 1

JORGE RODRIGUEZ
Level 10
Level 10

‎09-15-2011 02:21 PM

Hi,

I was thinking you can accomplish this by using vpn filters some example in this link

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

However, on a second thought   you could policy NAT the outgoing traffic  and use for example 1 IP address  in your (global) interface  to  use it sort of  as a PAT address if you will   and have ALL your internal networks PAted with 1  pre-defined IP to talk to any destination network at the far end of the tunnel, this  will be a one direction traffic only initiated by your end, in turn  the far end network will not be able to initiate any traffic to the global PAT address.  If I have time I will give you example later.

As for     them connecting to specific hosts on your network over the same tunnel  then  add one of more acl with nonat excempt rules on the same encryption domain acl  for them to access the only  hosts you want them to connect to .

Regards

Jorge Rodriguez
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents