
Site to site tunnel (host to host )

WERAracer asked:
Is there a way to allow a small group of hosts access via an IPSEC tunnel, instead of the entire subnet?

Two Cisco ASAs have a tunnel, network to network (172.16.0.0/24 to 192.168.0.0/24)
I need to scale it down so 172.16.0.0/24 has full access to 192.168.0.0/24, but 192.168.0.0/24 only has access to a few machines.

What is the easiest way to do this?

Thanks

Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
Remember that all connections are bi-directional. If you block access so that only a few machines on the 192.168.0.0 network can talk to the 172.16.0.0 network, then the reverse will also be true, that only those select few hosts on the 172.16.0.0 network can talk to any of the 192.168.0.0 hosts.
Example:
permit ip 192.168.0.0 255.255.255.0 host 172.16.0.100
permit ip 192.168.0.0 255.255.255.0 host 172.16.0.102
deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
permit ip any any

Only the two designated hosts can talk to any host on the 192.168.0.0 network. The acl will block any replies to requests generated from the 172.16.0.0 network. Since we're not explicitly blocking traffic from 172.16.0.0, we are effectively blocking all replies from the 192.168.0.0 network, except for replies to anything originated only on those two hosts.

Author

Commented:
Gotcha. Now do I still use the "sysopt permit ipsec" command in this case? I just want to make sure we're talking about the same kind of ACLs. I normally issue the "sysopt permit ipsec" command and don't rely on ACLs, other than to define interesting traffic:

access-list ipsec extended permit ip 192.168.0.0 255.255.255.0 host 172.16.0.100
access-list ipsec extended permit ip 192.168.0.0 255.255.255.0 host 172.16.0.102
access-list ipsec extended deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list ipsec extended permit ip any any

crypto map mymap 10 match address ipsec

Is that the same as what you're doing? Or are you applying your ACL to an interface?

Thanks!
Les Moore, Sr. Systems Engineer
Top Expert 2008
Commented:
Actually, I try to keep it simple and just apply the acl to the inside interface, closest to where you want to block traffic.

i.e. keep the ipsec acl simple:
access-list ipsec permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
crypto map mymap 10 match address ipsec
access-list no-nat permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list no-nat

access-list restrict_outbound permit ip 192.168.0.0 255.255.255.0 host 172.16.0.100
access-list restrict_outbound permit ip 192.168.0.0 255.255.255.0 host 172.16.0.102
access-list restrict_outbound deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list restrict_outbound permit ip any any
access-group restrict_outbound in interface inside

This makes it easier to add/remove access to individual hosts without breaking the vpn tunnel or having to change acls on both ends of the vpn.

The sysopt command only affects traffic in through the outside interface, so you can still use it for the basic vpn tunnel.
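
Added example (not part of the thread or of any Cisco tool): a small Python evaluator that parses the restrict_outbound ACL posted above and applies ASA first-match semantics with the implicit deny at the end, so you can check which inside hosts reach the far side before committing the access-group. It handles the "ip" protocol only; the ACL text is the one from the answer above, and the sample source/destination addresses are constructed.

```python
import ipaddress

# Constructed sample input: the restrict_outbound ACL from the answer above,
# evaluated as the ASA would inbound on the inside interface (first match wins).
ACL = """
access-list restrict_outbound permit ip 192.168.0.0 255.255.255.0 host 172.16.0.100
access-list restrict_outbound permit ip 192.168.0.0 255.255.255.0 host 172.16.0.102
access-list restrict_outbound deny ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list restrict_outbound permit ip any any
"""


def _parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i]:
    'any', 'host A.B.C.D', or 'A.B.C.D MASK' (ASA uses subnet masks, not wildcards).
    Returns (network, index of the next unparsed token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text, name):
    """Return the ordered ACEs of access-list `name` as (action, src_net, dst_net)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 2 or t[0] != "access-list" or t[1] != name:
            continue
        i = 2
        if t[i] == "extended":  # optional keyword on ASA; PIX-style lines omit it
            i += 1
        action, proto = t[i], t[i + 1]
        if proto != "ip":
            raise ValueError("this example only evaluates protocol 'ip' entries")
        src, i = _parse_addr(t, i + 2)
        dst, i = _parse_addr(t, i)
        entries.append((action, src, dst))
    return entries


def evaluate(entries, src_ip, dst_ip):
    """First matching ACE decides; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"


ACES = parse_acl(ACL, "restrict_outbound")
```

Adding or removing a permitted far-side host is then a one-line change to this ACL, as the answer notes, without touching the crypto ACL on either end.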

Author

Commented:
You are the man. Thank you!