I have an IPsec tunnel built from our datacenter to a test ASA. This will be for an IPsec tunnel we eventually put in production to a company we recently acquired. MGT wants to limit the access of this tunnel to only certain services (i.e. ports) on certain IPs. For example, this new company will access the call mgr at our datacenter but will only have access to the necessary ports/services to register their MGCP gateways and their VoIP phones.
I think with the VPN it bypasses all access lists, and if I uncheck the box "bypass interface access lists for inbound sessions" I think I'm going to force myself to have to create access lists for the AnyConnect client as well, which could be a bit of a pain?
What's the best way to do this? I was wondering about maybe NATting and changing the NAT rules to only NAT certain ports, but so far that hasn't worked. I also looked at the crypto map and played around with the source and destination ports, thinking that I could make it so that I'm only protecting (encrypting) the ports I want open, but that hasn't worked either. Just curious what would be the best solution to accomplish this? Thanks for your input.
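One way to restrict a single L2L tunnel to specific ports without touching the global "bypass interface access lists" setting (sysopt connection permit-vpn) or the AnyConnect policy is a per-tunnel vpn-filter on the ASA. This is an added example, not configuration from the post or its author; the networks, host, peer address and ACL/policy names are constructed placeholders, and it assumes the remote site needs only MGCP (UDP 2427/2727) and SCCP (TCP 2000) to the call manager.

```cisco
! vpn-filter ACLs are written from the remote peer's point of view:
! source = the acquired company's network, destination = our call manager.
! 10.20.0.0/16 (remote), 10.1.1.10 (call manager) and 203.0.113.5 (peer)
! are constructed sample values.
access-list ACQ_VPN_FILTER extended permit udp 10.20.0.0 255.255.0.0 host 10.1.1.10 eq 2427
access-list ACQ_VPN_FILTER extended permit udp 10.20.0.0 255.255.0.0 host 10.1.1.10 eq 2727
access-list ACQ_VPN_FILTER extended permit tcp 10.20.0.0 255.255.0.0 host 10.1.1.10 eq 2000
! Anything not listed is dropped by the implicit deny at the end of the ACL.
access-list ACQ_VPN_FILTER extended deny ip any any log

! Bind the filter to a group-policy used only by this L2L tunnel, so the
! AnyConnect group-policy and the global sysopt setting are unaffected.
group-policy ACQ_L2L_GP internal
group-policy ACQ_L2L_GP attributes
 vpn-filter value ACQ_VPN_FILTER

tunnel-group 203.0.113.5 general-attributes
 default-group-policy ACQ_L2L_GP
```

The crypto map ACL should stay as plain network-to-network "interesting traffic"; using ports there only changes what gets negotiated into the SA, not what is permitted. Verify the filter is applied with `show vpn-sessiondb detail l2l` and watch the `log` hits on the final deny line to confirm what the remote side is attempting.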