?
Solved

Configuring site-to-site using Cisco ASDM

Posted on 2010-08-15
5
Medium Priority
?
510 Views
Last Modified: 2012-05-10
Hi guys,
Please I need to add servers to site-to-site VPN on Cisco ASA 5520, please I have setup my side of site-to-site using ASDM, and I have manage to connect to remote site (Third party), but am struggling adding the servers the third party are allowed to access on our network, i.e. I have 4 servers
172.16.20.X/24
172.16.23.X/24
172.16.24.X/24
172.16.25.X/24
Please I have other servers on the network that has 172.16.x.x, and the third party are not allowed to access them.
And the third part are also allowing us access to 4 of their servers
10.20.16.X/24
10.20.17.X/24
10.20.18.X/24
10.20.16.X/24
Please i will be grateful if you can show me step-by-step process of doing this using ASDM,

Thanks for the anticipated response
0
Comment
Question by:lawrencedada
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33443179
Hi,

please refer this page:

http://www.petenetlive.com/KB/Article/0000072.htm

Best regards,
Istvan
0
 

Author Comment

by:lawrencedada
ID: 33451367
Thanks ikalmar, as i said in the post, i have configured the site-to-site, what i want to know is how to allow an external third parties access resources in our network,  I may be wrong, does that not involves
•      creating network object group,
•      creating access list that permit/deny that group from what they are allowed/not allowed on the network
I have an idea of what I want to do it, only that I  am not very sure of how to go about it.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33451901
please show the whole config
0
 

Accepted Solution

by:
lawrencedada earned 0 total points
ID: 33461220
Thanks ikalmar,
Am sorry it is not feasible to upload the config on this ASA, it so big it will take me the whole day to edit and screen all sensitive information on it, my opinion is that for what I was asking, you may not need the config to get it done.
Well I managed to figure it out, to allow a particular server of or subnet or vlan, you need to click on NETWORK OBJECT GROUP, and just add it, and to complete it  you need to use access list tab residing within firewall  area of ASDM, and just allow both in and out.

Yes I have completed this, and up to this time the point will not be awarded, but am waiting for the remote site guy to complete his own side of the VPN config, I will wait and see if there is any other question/s I may ask to deserve the point be awarded, if you don’t mind I will leave the problem opened and ask any question that may comes up.
0
 
LVL 9

Expert Comment

by:ffleisma
ID: 33470614
you can try adding an access list on your ASA.

prevent third-party access to your nework EXCEPT the 4servers.
ip access-list extended 3prty_to_internal
permit ip <source x.x.x.x place subnet of third party> mask 172.16.20.x 0.0.0.0
permit ip <source x.x.x.x place subnet of third party> mask 172.16.23.x 0.0.0.0
permit ip <source x.x.x.x place subnet of third party> mask 172.16.24.x 0.0.0.0
permit ip <source x.x.x.x place subnet of third party> mask 172.16.25.x 0.0.0.0
deny any any (this is implicitly denied, but best practice to put to see denied counter)

then apply the access list to the appropriate interface

hope it helps :-)

0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question