Crossroads305
Currently my L2L VPN gives access to the entire subnet o

I have a L2L VPN Tunnel configured between a Main Office and a branch office.  My Main Office is on the 10.1.0.0/16 network, and the branch office is on the 172.18.0.0/16 network.  Right now the access-list on the VPN grants access to the entire subnet.  I need to change this so the branch office only has access to one server (1 IP address) instead of the entire LAN at the Main Office.  Below are the relevant portions of the VPN config:
MAIN OFFICE
crypto map vpn_map 10 ipsec-isakmp
 description To Remote office
 set peer x.x.x.97
 set transform-set to_VPN
 match address 126
access-list 126 permit ip 10.1.0.0 0.0.255.255 172.18.0.0 0.0.255.255

REMOTE OFFICE:
crypto map SDM_CMAP_1 0 ipsec-isakmp
 description To_MAIN OFFICE
 set peer x.x.x.41
 set transform-set to_VPN
 match address 112

access-list 112 permit ip 172.18.0.0 0.0.255.255 10.1.0.0 0.0.255.255

The remote office has access to the entire 10.1.0.0 network.  I only want them to be able to access one IP address (10.1.0.90).  Can I just change the access-list to "access-list 112 permit ip 172.18.0.0 0.0.255.255 10.1.0.90 255.255.255.255"?  Will this work and only give access to this server and nothing else?  Thanks.



Istvan Kalmar

Yes, it is enough; before you test it please 'clear cry isa' on both routers!

Best regards,
Istvan
Please change the ACL on both sides, always use mirrored ACLs.....
Crossroads305

ASKER

Thanks.  On the Main office router I have 8 L2L VPNs configured.  If I do a 'clear cry isa' will all VPNs configured on that router drop for a moment?
OK, you are able to drop only one tunnel if you know the tunnel number:

sh cry isa sa....

and you are able to delete only this one:
clear cry isa x
If I do a 'sh cry isa sa' I get the following: Do I clear it by conn-id?  (clear cry isa 411)  Thanks.
ROUTER#show crypto isakmp sa
dst         src                 state             conn-id  slot
x.x.x.97  x.x.x.41     QM_IDLE            411        0
x.x.x.97  x.x.x.33     QM_IDLE            410        0
x.x.x.97  x.x.x.35     QM_IDLE            409        0
Yes, if that is what you want...
Yes, I want to get rid of the VPN with conn-id 411.  Just to recap I am going to change my access-list at my main office to look like this:
access-list 126 permit ip host 10.1.0.90 172.18.0.0 0.0.255.255

I will change the access-list at my Remote office to look like this:
access-list 112 permit ip 172.18.0.0 0.0.255.255 host 10.1.0.90

I will then do a "clear cry isa 411"
I will verify conn-id on other side and do the same thing

After doing this the remote office should only have access to the 10.1.0.90 over the VPN.  Does this all look correct?  Thanks.
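One detail of the recap above deserves a check before the tunnel is bounced: Cisco IOS access-lists take a wildcard mask, not a subnet mask, and a 1 bit in the wildcard means "ignore this bit". So `10.1.0.90 255.255.255.255` matches every address, not one host, while `host 10.1.0.90` (or `10.1.0.90 0.0.0.0`) matches only the server. The following script is an added example, not code from the thread or from Cisco; it parses `permit ip` lines in the simple form used in this thread, evaluates them with IOS wildcard semantics, checks that the main-office and remote-office crypto ACLs mirror each other, and reports how many destination hosts each side actually exposes. The ACL lines and test addresses in it are constructed for the example.

```python
"""Audit a pair of IOS crypto-map ACLs (interesting-traffic ACLs) for a L2L IPsec tunnel.

Supports only 'access-list N permit ip SRC SRC_WILD DST DST_WILD', with the
'host A.B.C.D' and 'any' shorthands; that is the form used in the thread.
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class CryptoAce:
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _addr(tokens: list) -> tuple:
    """Consume one address spec (any | host X | X WILDCARD) and return (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def parse_ace(line: str) -> CryptoAce:
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    src, src_wild, rest = _addr(tokens[4:])
    dst, dst_wild, rest = _addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACL line: {rest}")
    return CryptoAce(src, src_wild, dst, dst_wild)


def _wild_match(addr: int, base: int, wild: int) -> bool:
    # IOS wildcard semantics: compare only the bits where the wildcard is 0.
    care = ~wild & ALL_ONES
    return (addr & care) == (base & care)


def matches(ace: CryptoAce, src: str, dst: str) -> bool:
    """Would a packet src->dst be selected as interesting (encrypted) traffic?"""
    return _wild_match(_ip(src), ace.src, ace.src_wild) and _wild_match(_ip(dst), ace.dst, ace.dst_wild)


def hosts_matched(wild: int) -> int:
    """Number of addresses a wildcard admits: 2 ** (count of 1 bits)."""
    return 2 ** bin(wild).count("1")


def is_mirror(a: CryptoAce, b: CryptoAce) -> bool:
    """Mirrored crypto ACLs: each side's source is the other side's destination, same wildcards."""
    return (a.src, a.src_wild, a.dst, a.dst_wild) == (b.dst, b.dst_wild, b.src, b.src_wild)


def audit(main_line: str, remote_line: str) -> dict:
    """Summarise the pair: mirror check plus how many main-office hosts the remote side can reach."""
    main_ace, remote_ace = parse_ace(main_line), parse_ace(remote_line)
    return {
        "mirrored": is_mirror(main_ace, remote_ace),
        "main_hosts_exposed": hosts_matched(remote_ace.dst_wild),
        "single_host_only": remote_ace.dst_wild == 0,
    }


# Constructed sample ACLs for the example (not the thread's running config).
PROPOSED_MAIN = "access-list 126 permit ip 10.1.0.90 255.255.255.255 172.18.0.0 0.0.255.255"
PROPOSED_REMOTE = "access-list 112 permit ip 172.18.0.0 0.0.255.255 10.1.0.90 255.255.255.255"
CORRECT_MAIN = "access-list 126 permit ip host 10.1.0.90 172.18.0.0 0.0.255.255"
CORRECT_REMOTE = "access-list 112 permit ip 172.18.0.0 0.0.255.255 host 10.1.0.90"

if __name__ == "__main__":
    for label, pair in (("proposed", (PROPOSED_MAIN, PROPOSED_REMOTE)),
                        ("corrected", (CORRECT_MAIN, CORRECT_REMOTE))):
        print(label, audit(*pair))
    # A random main-office host is still reachable with the proposed (subnet-mask style) line:
    print("proposed lets 172.18.3.4 reach 10.1.50.7:", matches(parse_ace(PROPOSED_REMOTE), "172.18.3.4", "10.1.50.7"))
    print("corrected lets 172.18.3.4 reach 10.1.50.7:", matches(parse_ace(CORRECT_REMOTE), "172.18.3.4", "10.1.50.7"))
```

Run it with no arguments: the "proposed" pair reports `mirrored: True` but `main_hosts_exposed: 4294967296`, i.e. the whole address space still matches, whereas the "corrected" pair exposes exactly one host. The mirror check is the part to keep in a change checklist; a non-mirrored pair typically shows up later as a tunnel that negotiates from one side only.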





ASKER CERTIFIED SOLUTION
Istvan Kalmar

Thanks.