Hi, I'm trying to configure a LAN-to-LAN VPN on a Cisco VPN 3020, I need to configure it so that the access to the local and remote networks is restricted to 3389 only when Phase 2 is negotiated, e.g Source (Local network) 10.1.1.1 Dest (Remote Network) 10.2.2.2 tcp 3389.
I believe this need to be setup via filters but can't find any similar configuration examples, has anyone configured a similar set up or can confirm the correct was this should be configured?
I believe what you want to do is create rules, which can then be applied to filters, which can in turn be applied to groups. If you only have one group then the filter is applied to the base group.
The rules are fairly straight forward, set source & destination IPs and ports then tell the system to drop or forward matches to that rule.
Rules configuration is accessed through policy management, then traffic management in the submenu.
the 3 steps are
create filters, apply rules to filters
apply filters to groups.
That's great I'll give it go, do you know if the filters are used during phase 2 negotiation? The issues i have is a 3rd Party Firewall, the remote end of the VPN, has the local/remote networks ties down to a port and phase 2 is failing because of this so I need to ensure they're being sent during phase 2 negotiations.
Thanks for your reply.
Honestly, I don;t think so. I think the rules and filters as I have described them to you will work as an ACL applied to a proxy ID of 0.0.0.0/0:0
I've never tried it the way you're suggesting, but there is an option in the rules where instead of 'drop' or 'pass' you can use apply IPSec.
I think that's your best bet.
Have the far end set up logging or debug when you try to connect and they should be able to tell you what proxy ID you are supplying when you try to connect, which will in turn tell you if you're on the right track.
You may even be able to tell from the logging on the 3020 as well, so it's worth looking there too.
I've tried applying the filter and the VPN still won't come up, it fails at phase two still, with the port blocking removed at the remote end it works ok. Anyone know of any cisco docs which advise if this is supported or not?
It may not describe exactly what you are doing, but it has a good troubleshooting section and describes how you can turn on debugging for IKE on the concentrator. This *should* help you to isolate exactly what is causing the failure.
Post the debug results you get.