Solved

Currently my L2L VPN gives access to the entire subnet o

Posted on 2010-01-05
Last Modified: 2012-05-08
I have an L2L VPN tunnel configured between a Main Office and a branch office.  My Main Office is on the 10.1.0.0/16 network, and the branch office is on the 172.18.0.0/16 network.  Right now the access-list on the VPN grants access to the entire subnet.  I need to change this so the branch office only has access to one server (1 IP address) instead of the entire LAN at the Main Office.  Below are the relevant portions of the VPN config:
MAIN OFFICE
crypto map vpn_map 10 ipsec-isakmp
 description To Remote office
 set peer x.x.x.97
 set transform-set to_VPN
 match address 126
access-list 126 permit ip 10.1.0.0 0.0.255.255 172.18.0.0 0.0.255.255

REMOTE OFFICE:
crypto map SDM_CMAP_1 0 ipsec-isakmp
 description To_MAIN OFFICE
 set peer x.x.x.41
 set transform-set to_VPN
 match address 112

access-list 112 permit ip 172.18.0.0 0.0.255.255 10.1.0.0 0.0.255.255

The remote office has access to the entire 10.1.0.0 network.  I only want them to be able to access one IP address (10.1.0.90).  Can I just change the access-list to "access-list 112 permit ip 172.18.0.0 0.0.255.255 10.1.0.90 255.255.255.255"?  Will this work and only give access to this server and nothing else?  Thanks.



Question by:Crossroads305
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26184140
Yes, it is enough. Before you test it, please 'clear cry isa' on both routers!

Best regards,
Istvan
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26184152
Please change the ACL on both sides; always use mirrored ACLs.
LVL 1

Author Comment

by:Crossroads305
ID: 26184211
Thanks.  On the Main Office router I have 8 L2L VPNs configured.  If I do a 'clear cry isa', will all VPNs configured on that router drop for a moment?
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26184240
OK, you are able to drop only one tunnel if you know the tunnel number:

sh cry isa sa....

and you are able to delete only this one:
clear cry isa x
LVL 1

Author Comment

by:Crossroads305
ID: 26184324
If I do a 'sh cry isa sa' I get the following: Do I clear it by conn-id?  (clear cry isa 411)  Thanks.
ROUTER#show crypto isakmp sa
dst         src                 state             conn-id  slot
x.x.x.97  x.x.x.41     QM_IDLE            411        0
x.x.x.97  x.x.x.33     QM_IDLE            410        0
x.x.x.97  x.x.x.35     QM_IDLE            409        0
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26184352
Yes, if that is what you want...
LVL 1

Author Comment

by:Crossroads305
ID: 26184451
Yes, I want to get rid of the VPN with conn-id 411.  Just to recap I am going to change my access-list at my main office to look like this:
access-list 126 permit ip host 10.1.0.90 172.18.0.0 0.0.255.255

I will change the access-list at my Remote office to look like this:
access-list 112 permit ip 172.18.0.0 0.0.255.255 host 10.1.0.90

I will then do a "clear cry isa 411"
I will verify conn-id on other side and do the same thing

After doing this the remote office should only have access to 10.1.0.90 over the VPN.  Does this all look correct?  Thanks.
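The following is an added example, not part of the thread: a small checker (constructed for this page) that parses Cisco-style `access-list N permit ip SRC DST` entries, evaluates which source/destination pairs they match using IOS wildcard-mask semantics, and verifies that the two crypto ACLs are exact mirrors of each other as the expert recommends. It also shows why a wildcard of 255.255.255.255, as written in the original question, matches every destination rather than the single host, while `host 10.1.0.90` (wildcard 0.0.0.0) matches only that server. The function names and sample addresses are assumptions for illustration.

```python
import ipaddress


def _ip(text):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def _addr_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    Returns (network, wildcard, remaining_tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def parse_acl(line):
    """Parse 'access-list N permit ip SRC DST' into (N, src, src_wc, dst, dst_wc)."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2:4] != ["permit", "ip"]:
        raise ValueError("not an extended 'permit ip' entry: " + line)
    src, src_wc, rest = _addr_spec(t[4:])
    dst, dst_wc, rest = _addr_spec(rest)
    if rest:
        raise ValueError("unexpected trailing tokens: " + line)
    return int(t[1]), src, src_wc, dst, dst_wc


def _covers(net, wildcard, addr):
    # IOS wildcard: a 1 bit means "don't care", so only the 0 bits are compared.
    # A wildcard of 255.255.255.255 therefore compares nothing and matches any host.
    return ((net ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def matches(acl, src_ip, dst_ip):
    """True if traffic from src_ip to dst_ip is selected by this crypto ACL entry."""
    _, src, src_wc, dst, dst_wc = acl
    return _covers(src, src_wc, _ip(src_ip)) and _covers(dst, dst_wc, _ip(dst_ip))


def is_mirror(local_acl, remote_acl):
    """Crypto ACLs on the two peers must be exact mirrors (source/destination swapped)."""
    _, s1, s1w, d1, d1w = local_acl
    _, s2, s2w, d2, d2w = remote_acl
    return (s1, s1w, d1, d1w) == (d2, d2w, s2, s2w)


# Constructed entries: the proposal from the question, the corrected remote ACL, and the main-office ACL.
PROPOSED = parse_acl("access-list 112 permit ip 172.18.0.0 0.0.255.255 10.1.0.90 255.255.255.255")
REMOTE_FIXED = parse_acl("access-list 112 permit ip 172.18.0.0 0.0.255.255 host 10.1.0.90")
MAIN_FIXED = parse_acl("access-list 126 permit ip host 10.1.0.90 172.18.0.0 0.0.255.255")
```

Running `matches(PROPOSED, "172.18.5.5", "10.1.200.200")` returns True, i.e. the original proposal still selects the whole 10.1.0.0/16 network for the tunnel, whereas `REMOTE_FIXED` selects only 10.1.0.90 and mirrors `MAIN_FIXED`.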
LVL 34

Accepted Solution

by:Istvan Kalmar (earned 2000 total points)
ID: 26184493
Yes, if you ping an address that belongs to the other side, the tunnel comes up.

The ACL seems good.

Good luck...

And don't forget to clear isakmp on the other side!!
LVL 1

Author Closing Comment

by:Crossroads305
ID: 31673138
Thanks.