10-18-2012 02:39 PM
Hi Guys,
I need to configure a site-to-site VPN between two offices (Office A and Office B).
Office A (headquarters) has a Cisco 5510 router and we have approximately 200 employees.
Office B (branch) doesn't have any Cisco router but we will buy one (it is a small office, we have approximately 20 guys).
So I need to configure a site-to-site VPN using IPsec (doing this is easy), but I need to control which computers in Office B can access Office A.
I think that I can use an ACL based on the MAC address to control this, but how can I apply an access control list by MAC address in the site-to-site VPN that is configured using IPsec?
Is there another way to control the access from Office B to Office A? We have a big fear of, for example, an unknown computer connecting in Office B using any mode of access (Ethernet cable or wireless), and this "unwanted" computer accessing Office A.
Sorry for my bad English, it is not my native language =(
Thank you so much for the help
10-18-2012 07:29 PM
You can't make an access-list with MAC addresses. You need to specify the IP addresses for the crypto map access-list of the VPN.
You could combine your crypto map with port-security on the remote office switches and effectively accomplish your goal. With only 20 remote users, you can define each of their MAC addresses via port security.
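As an added illustration of the two pieces this reply puts together (example configuration, not the poster's own): the crypto map ACL on the headquarters ASA selects VPN traffic by IP address only, and IOS port security on the branch access switch binds each known MAC address to its port. The subnets, interface names, the map name OUTSIDE_MAP and the MAC address are constructed placeholders.

```cisco
! --- Headquarters ASA 5510: the crypto map ACL matches IP, never MAC ---
! Assumed HQ LAN 192.168.10.0/24 (local), branch LAN 192.168.20.0/24 (remote).
! If the known branch PCs have fixed IPs, list them as host entries instead
! of the whole /24 so only those addresses are carried over the tunnel.
access-list BRANCH-TO-HQ extended permit ip 192.168.10.0 255.255.255.0 host 192.168.20.10
access-list BRANCH-TO-HQ extended permit ip 192.168.10.0 255.255.255.0 host 192.168.20.11
crypto map OUTSIDE_MAP 10 match address BRANCH-TO-HQ
!
! --- Branch access switch (Cisco IOS): one known MAC per user port ---
interface FastEthernet0/1
 description Known user workstation (constructed example)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 ! constructed example MAC; an unknown device on this port triggers a violation
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Unused ports: shut down so an unknown device has nowhere to plug in
interface range FastEthernet0/21 - 24
 shutdown
!
! Re-enable a port 5 minutes after a violation instead of leaving it err-disabled
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification from the switch CLI (can be done remotely over the tunnel):
!   show port-security interface FastEthernet0/1
!   show port-security address
```

With `violation shutdown`, a port that sees a second or unknown MAC goes into err-disabled state and logs a %PORT_SECURITY-2-PSECURE_VIOLATION message, which is what you would watch for at the headquarters end.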
10-19-2012 06:12 AM
Ok, I understand your point of view.
Unfortunately we do not have an IT person in Office B, and to make matters worse, this office is across the ocean (I'm in Brazil, and the office is in Hungary).
Can I make these settings on the Office B switch remotely? Even through the VPN?
Thank you for your patience, I am new to Cisco settings, but I've been doing very well with the help of the forum.
10-19-2012 07:06 AM
An easier solution might be to not do a site-site VPN but rather individual remote access VPN clients for each of the remote users. That way you can control each individual at your end via their account on the ASA or in your RADIUS or Active Directory authentication store (if you use those).
Site-site VPN usually assumes you trust who is in the remote end.
If you wanted to control the user and what machine they use, you could create certificates that need to be installed remotely. Cisco has an example here.
10-19-2012 10:41 AM
One way to achieve something similar is by using an ASA 5505 in the Branch and using EasyVPN with individual User Authentication. With that, each user has to authenticate with user/pw before he can use the tunnel. Not very comfortable, but will work.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
10-19-2012 11:44 AM
Hi Guys,
Today I am using this option (the client-to-site VPN), but this configuration is sometimes unstable, and it is not very comfortable either.
But I think of another alternative:
I have a small firewall that I am not using. It is a PIX 501; my idea is:
I will configure the site-to-site VPN between the offices using this PIX on my side. After that, I will take this PIX and connect it to my ASA 5510 using a VLAN (I know, the PIX 501 does not support VLANs, but my ASA 5510 does).
So, on my ASA, I will configure an ACL by MAC address for the VLAN that the PIX uses to connect.
This ACL will allow only MAC addresses that I know; other unknown MAC addresses will be blocked.
Will it work using this configuration?