Asked by Rick (Netherlands)

How to apply an access-list to a site-to-site VPN tunnel on PIX/ASA 8

Hi,

I'm trying to control access between two networks that have a site-to-site VPN connection in between...

Because of Active Directory problems in the branch office, I want only HTTP and SSH to be allowed over the tunnel to the main office. The main office may access the branch office in full if needed (maybe blocked also).

How can I apply these? I tried several things, but nothing worked as it should.
I also tried to deny all crypto traffic with outside_1_cryptomap and then allow other traffic, but that didn't work either.

Our main office uses a PIX 515 with 8.0(4) and our branch office uses a PIX 505 with 6.4.

Thanks in advance
name 192.168.1.0 LAN_BRANCH
name 192.168.0.0 LAN_MAIN
 
access-list inside_outbound_nat0_acl extended permit ip any 10.254.254.0 255.255.255.0 
access-list inside_outbound_nat0_acl extended permit ip 192.168.0.0 255.255.255.0 10.254.254.0 255.255.255.0 
 
access-list inside_outbound_nat0_acl extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 
 
access-list acl_out extended permit tcp any host XXX.XXX.XXX.195 eq https 
access-list acl_out extended permit tcp any host XXX.XXX.XXX.196 eq www inactive 
access-list acl_out extended permit tcp any host XXX.XXX.XXX.195 eq smtp 
 
access-list DMZ_outbound_nat0_acl extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 
 
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 195.121.6.52 
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 195.121.6.51 
access-list inside_access_in extended permit tcp host 192.168.0.15 any eq smtp 
access-list inside_access_in extended deny tcp 192.168.0.0 255.255.255.0 any eq smtp log alerts 
access-list inside_access_in extended permit ip any any 
 
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 
 
ip local pool vpnclient 10.254.254.1-10.254.254.254
 
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
 
nat-control
global (outside) 10 interface
global (DMZ) 10 interface
 
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 192.168.0.0 255.255.255.0
nat (inside) 0 192.168.0.0 255.255.255.0 outside
nat (DMZ) 10 10.1.1.0 255.255.255.0
 
static (DMZ,outside) XXX.XXX.191.196 10.1.1.10 netmask 255.255.255.255 dns 
static (inside,outside) XXX.XXX.191.195 192.168.0.15 netmask 255.255.255.255 dns 
 
access-group acl_out in interface outside
access-group inside_access_in in interface inside
 
/* removed some */
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map_1 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map_1 20 set security-association lifetime kilobytes 4608000
 
/* line truncated in the original; only the tail survives (apparently the end of a "crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ..." line): */
SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer XXX.XXX.137.98 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity hostname 
 
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400


Tags: Software Firewalls, Cisco
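The mechanism behind the question: on PIX/ASA 7.x and later, `sysopt connection permit-vpn` is enabled by default, so packets that arrive through an IPsec tunnel bypass the interface ACLs (acl_out here), and the crypto ACL outside_1_cryptomap only selects which traffic gets encrypted; a deny in it does not filter anything, it merely keeps that traffic out of the tunnel. The configuration below is an added example for the main-office PIX 515 on 8.0(4), not part of the original post, showing the two places where the restriction can be applied on that box. The ACL name BRANCH_VPN_FILTER, the group-policy name BRANCH_L2L and the tunnel-group name XXX.XXX.137.98 (the peer address from the crypto map) are assumptions; the tunnel-group itself is among the lines the poster removed.

```cisco
! Added example, not the poster's configuration. Names marked (assumed)
! are not in the original post.
!
! --- Option 1: stateful filtering with the outside interface ACL ---
! Stop decrypted tunnel traffic from bypassing acl_out (applies to ALL
! tunnels on this box, including the remote-access vpnclient pool).
no sysopt connection permit-vpn
!
! Branch may only open HTTP and SSH to main. Main keeps full access:
! its connections enter on inside (inside_access_in permits ip any any)
! and the return packets are allowed by the stateful connection table,
! never by acl_out. The explicit deny only adds logging of rejects.
access-list acl_out extended permit tcp 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 eq www
access-list acl_out extended permit tcp 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 eq ssh
access-list acl_out extended deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 log
!
! Without the sysopt, remote-access clients from the existing pool
! also need an explicit permit in acl_out, for example:
access-list acl_out extended permit ip 10.254.254.0 255.255.255.0 192.168.0.0 255.255.255.0
!
! --- Option 2: vpn-filter on the L2L group policy ---
! ACEs are written with the remote (branch) network as source, and the
! same ACEs are matched with source/destination swapped for packets
! leaving towards the branch, so a "permit ip branch main" would open
! everything in both directions. Only the restrictive rules are shown.
access-list BRANCH_VPN_FILTER extended permit tcp 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 eq www
access-list BRANCH_VPN_FILTER extended permit tcp 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 eq ssh
group-policy BRANCH_L2L internal
group-policy BRANCH_L2L attributes
 vpn-filter value BRANCH_VPN_FILTER
tunnel-group XXX.XXX.137.98 general-attributes
 default-group-policy BRANCH_L2L
```

Option 1 is the one that expresses the stated requirement (branch limited to HTTP and SSH, main unrestricted), because an interface ACL is only consulted for the packet that creates a connection. Option 2 works on the same box, but because the vpn-filter ACL is evaluated with the addresses swapped for outbound packets, it cannot say "anything from main, only 80/22 from branch"; main-initiated connections to the branch would be limited to whatever extra port-specific ACEs are added. After the change, `show access-list acl_out` shows the hit counts per ACE and `show vpn-sessiondb detail l2l` confirms the tunnel is still up. The branch PIX on 6.x has no vpn-filter and uses `sysopt connection permit-ipsec` instead, so the filtering belongs on the main-office PIX in either case.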

Last comment: Rick, 8/22/2022 - Mon