Currently my L2L VPN gives access to the entire subnet o

I have a L2L VPN tunnel configured between a Main Office and a branch office.  My Main Office is on the 10.1.0.0/16 network, and the branch office is on the 172.18.0.0/16 network.  Right now the access-list on the VPN grants access to the entire subnet.  I need to change this so the branch office only has access to one server (1 IP address) instead of the entire LAN at the Main Office.  Below are the relevant portions of the VPN config:
MAIN OFFICE
crypto map vpn_map 10 ipsec-isakmp
 description To Remote office
 set peer x.x.x.97
 set transform-set to_VPN
 match address 126
access-list 126 permit ip 10.1.0.0 0.0.255.255 172.18.0.0 0.0.255.255

REMOTE OFFICE:
crypto map SDM_CMAP_1 0 ipsec-isakmp
 description To_MAIN OFFICE
 set peer x.x.x.41
 set transform-set to_VPN
 match address 112

access-list 112 permit ip 172.18.0.0 0.0.255.255 10.1.0.0 0.0.255.255

The remote office has access to the entire 10.1.0.0 network.  I only want them to be able to access one IP address (10.1.0.90).  Can I just change the access-list to "access-list 112 permit ip 172.18.0.0 0.0.255.255 10.1.0.90 255.255.255.255"?  Will this work and only give access to this server and nothing else?  Thanks.



Asked by Crossroads305
Istvan Kalmar (Head of IT Security Division) commented:
Yes, if you ping an address that belongs to the other side, the tunnel comes up.

The ACL seems good.

Good luck...

And don't forget to clear ISAKMP on the other side!
 
Istvan Kalmar (Head of IT Security Division) commented:
Yes, it is enough; before you test it, please 'clear cry isa' on both routers!

Best regards,
Istvan
 
Istvan Kalmar (Head of IT Security Division) commented:
Please change the ACL on both sides; always use mirrored ACLs.
 
Crossroads305 (Author) commented:
Thanks.  On the Main Office router I have 8 L2L VPNs configured.  If I do a 'clear cry isa', will all VPNs configured on that router drop for a moment?
 
Istvan Kalmar (Head of IT Security Division) commented:
OK, you are able to drop only one tunnel if you know the tunnel number:

sh cry isa sa

and you are able to delete only that one:
clear cry isa x
 
Crossroads305 (Author) commented:
If I do a 'sh cry isa sa' I get the following.  Do I clear it by conn-id?  (clear cry isa 411)  Thanks.
ROUTER#show crypto isakmp sa
dst         src                 state             conn-id  slot
x.x.x.97  x.x.x.41     QM_IDLE            411        0
x.x.x.97  x.x.x.33     QM_IDLE            410        0
x.x.x.97  x.x.x.35     QM_IDLE            409        0
 
Istvan Kalmar (Head of IT Security Division) commented:
Yes, if that is what you want...
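The conn-id lookup discussed above, as an added example that is not part of the original thread: a small Python script that parses `show crypto isakmp sa` output and produces the clear commands for exactly one peer, so the router's other L2L tunnels are left alone. The sample output is constructed from the three rows posted above; the local and peer addresses passed in, and the extra `clear crypto sa peer` step for the phase 2 (IPsec) SAs, are my assumptions rather than anything the thread states.

```python
# Added example, not code from the original thread: choose the ISAKMP
# conn-id to clear for one peer out of 'show crypto isakmp sa' output.

SAMPLE_SHOW_OUTPUT = """\
dst         src                 state             conn-id  slot
x.x.x.97  x.x.x.41     QM_IDLE            411        0
x.x.x.97  x.x.x.33     QM_IDLE            410        0
x.x.x.97  x.x.x.35     QM_IDLE            409        0
"""  # constructed from the rows posted in the thread


def parse_isakmp_sa(text):
    """Parse the 'show crypto isakmp sa' table into a list of dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the header row and any blank or truncated lines.
        if len(parts) < 4 or parts[0] == "dst":
            continue
        rows.append({
            "dst": parts[0],
            "src": parts[1],
            "state": parts[2],
            "conn_id": int(parts[3]),
        })
    return rows


def conn_ids_for_peer(rows, local_ip, peer_ip):
    """conn-ids of the SAs between this router and one peer.

    dst/src swap depending on which side initiated the SA, so a row is
    matched on the unordered pair of addresses, not on a fixed column.
    """
    wanted = {local_ip, peer_ip}
    return [r["conn_id"] for r in rows if {r["dst"], r["src"]} == wanted]


def clear_commands(show_output, local_ip, peer_ip):
    """Commands to run once the crypto ACLs on both routers have been changed."""
    ids = conn_ids_for_peer(parse_isakmp_sa(show_output), local_ip, peer_ip)
    if not ids:
        raise LookupError(f"no ISAKMP SA with peer {peer_ip}")
    cmds = [f"clear crypto isakmp {cid}" for cid in ids]  # phase 1, this peer only
    cmds.append(f"clear crypto sa peer {peer_ip}")        # phase 2 SAs for the same peer
    return cmds


if __name__ == "__main__":
    # Assumed addresses: x.x.x.97 is this router, x.x.x.41 is the peer in its crypto map.
    for cmd in clear_commands(SAMPLE_SHOW_OUTPUT, "x.x.x.97", "x.x.x.41"):
        print(cmd)
```

Clearing the IPsec SAs for the peer as well makes the new proxy identities take effect immediately instead of at the next SA rekey; without it the old phase 2 SA, built for the /16-to-/16 identities, can stay in use until it expires.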
 
Crossroads305 (Author) commented:
Yes, I want to get rid of the VPN with conn-id 411.  Just to recap, I am going to change my access-list at my Main Office to look like this:
access-list 126 permit ip host 10.1.0.90 172.18.0.0 0.0.255.255

I will change the access-list at my Remote Office to look like this:
access-list 112 permit ip 172.18.0.0 0.0.255.255 host 10.1.0.90

I will then do a "clear cry isa 411"
I will verify the conn-id on the other side and do the same thing

After doing this the remote office should only have access to 10.1.0.90 over the VPN.  Does this all look correct?  Thanks.
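Before pushing the ACL change, it is worth checking what the line actually matches. In IOS the second address field of an extended ACL entry is a wildcard mask, not a subnet mask: a 1 bit means "don't care", so `10.1.0.90 255.255.255.255` (the form proposed in the question) matches every destination, which is the same as `any`; a single host is written `host 10.1.0.90` or `10.1.0.90 0.0.0.0`. The following Python script, an added example that is not part of the original thread, evaluates `permit ip` entries with IOS wildcard semantics and also checks that the two sides' crypto ACLs are exact mirrors of each other, which is the point the expert made above. The ACL lines and test addresses are constructed for the example; only the `permit ip SRC DST` shape used in this thread is handled.

```python
# Added example, not code from the original thread: evaluate crypto ACL
# entries the way IOS does, and check that the two sides mirror each other.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens, i):
    """Return (address_int, wildcard_int, next_index) for one address field."""
    tok = tokens[i]
    if tok == "any":
        return 0, ALL_ONES, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return addr, wild, i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into a dict."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or len(tokens) < 6 or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, src_wild, i = _parse_addr(tokens, 4)
    dst, dst_wild, _ = _parse_addr(tokens, i)
    return {"acl": tokens[1], "action": tokens[2],
            "src": src, "src_wild": src_wild, "dst": dst, "dst_wild": dst_wild}


def _matches(addr, base, wild):
    # IOS wildcard: 1 bits are ignored. 0.0.0.0 means exactly this host,
    # 255.255.255.255 ignores every bit, so any address matches.
    care = ~wild & ALL_ONES
    return (addr & care) == (base & care)


def ace_matches(ace, src_ip, dst_ip):
    """True when a packet src_ip -> dst_ip is selected by this entry."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    return (_matches(s, ace["src"], ace["src_wild"])
            and _matches(d, ace["dst"], ace["dst_wild"]))


def is_mirror(local_ace, remote_ace):
    """True when the remote crypto ACL is the exact mirror image of the local one."""
    return ((local_ace["src"], local_ace["src_wild"]) == (remote_ace["dst"], remote_ace["dst_wild"])
            and (local_ace["dst"], local_ace["dst_wild"]) == (remote_ace["src"], remote_ace["src_wild"]))


# Constructed ACL lines: the form proposed in the question and the intended host form.
PROPOSED_REMOTE = "access-list 112 permit ip 172.18.0.0 0.0.255.255 10.1.0.90 255.255.255.255"
HOST_REMOTE = "access-list 112 permit ip 172.18.0.0 0.0.255.255 host 10.1.0.90"
HOST_MAIN = "access-list 126 permit ip host 10.1.0.90 172.18.0.0 0.0.255.255"


def check():
    """Compare what each form lets through from a branch host (constructed addresses)."""
    proposed = parse_ace(PROPOSED_REMOTE)
    remote = parse_ace(HOST_REMOTE)
    main = parse_ace(HOST_MAIN)
    return {
        # 255.255.255.255 wildcard: a different server in 10.1.0.0/16 still matches.
        "proposed_reaches_other_server": ace_matches(proposed, "172.18.5.20", "10.1.0.91"),
        "host_reaches_other_server": ace_matches(remote, "172.18.5.20", "10.1.0.91"),
        "host_reaches_target": ace_matches(remote, "172.18.5.20", "10.1.0.90"),
        "sides_are_mirrored": is_mirror(main, remote),
    }


if __name__ == "__main__":
    for name, result in check().items():
        print(f"{name}: {result}")
```

If the two crypto ACLs are not mirrors, phase 2 fails with a proxy-identity mismatch, which is why the change has to be made on both routers before the SAs are cleared.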
 
Crossroads305 (Author) commented:
Thanks.