kskr_networks
IPsec Site to site

Can we restrict access to specific ports in an IPsec site-to-site VPN tunnel?

Say I want to open only ports 445 and 3389 between the sites of a site-to-site VPN.

If yes, could someone send the basic config?
ASKER CERTIFIED SOLUTION
Dan Craciun
kskr_networks (ASKER)
Hello Dan, I didn't get the line below. Could you explain?

either forward/NAT those 2 ports
Assuming you have on site A the public IP 1.2.3.4 and a host 192.168.0.50 that you want to RDP into (port 3389) from outside.

Then on site A's router you would port forward port 3389 to 192.168.0.50, so when someone from the Internet types 1.2.3.4:3389, they will reach 192.168.0.50.

http://www.howtogeek.com/66214/how-to-forward-ports-on-your-router/

For routers that use iptables-style config, it's called DNAT.
The risk with the offered solution is that anyone on the Internet can attempt access, unless there is an access list applied somewhere to restrict the source IPs that can utilise the translation.

To answer the first question, yes. The IPsec definition of encrypted and tunnelled traffic permits that protocol and port can be defined. To achieve this in a Cisco environment, the access list used to define VPN traffic would be thus:

ip access-list extended <list name/number>
 permit tcp <rdp client ip> <wildcard> <rdp server ip> <wildcard> eq 3389


As an example for tunnelling RDP; other ports and protocols can be added as required.
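The crypto-ACL approach above, carried through to a complete site-A IOS configuration for ports 445 and 3389 in both directions (an added example for this thread, not configuration posted by any participant or taken from a vendor document; the site prefixes 192.168.0.0/24 and 192.168.1.0/24, the peer address 5.6.7.8, the ACL and crypto-map names and the pre-shared-key placeholder are all constructed):

```cisco
! Site A router (constructed example). Site A LAN: 192.168.0.0/24,
! Site B LAN: 192.168.1.0/24, Site B public IP: 5.6.7.8 (placeholders).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address 5.6.7.8
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: only flows matching these lines are "interesting traffic"
! and are encrypted into the tunnel. Everything else between the two
! LANs is NOT encrypted by this crypto map (see the note below).
ip access-list extended VPN-TRAFFIC
 ! Clients on site A reaching SMB / RDP servers on site B
 permit tcp 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 445
 permit tcp 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 3389
 ! Replies from SMB / RDP servers on site A to clients on site B
 ! (source port is the service port in this direction)
 permit tcp 192.168.0.0 0.0.0.255 eq 445 192.168.1.0 0.0.0.255
 permit tcp 192.168.0.0 0.0.0.255 eq 3389 192.168.1.0 0.0.0.255
!
crypto map CM-SITEB 10 ipsec-isakmp
 set peer 5.6.7.8
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description Internet-facing interface (address is a placeholder)
 ip address 1.2.3.4 255.255.255.252
 crypto map CM-SITEB
```

Site B needs the mirror image of VPN-TRAFFIC (source and destination swapped on every line); the Phase 2 proposals are matched against the peer's crypto ACL, and a non-mirrored entry shows up as a proposal or proxy-identity mismatch when the SA is negotiated. Two caveats follow from how crypto ACLs work: traffic between the two LANs that does not match the ACL is not dropped, it is simply routed unencrypted (or caught by a NAT overload rule), so an outbound interface ACL or NAT exemption should deny that traffic explicitly; and on a VTI or GRE-over-IPsec design, where the crypto ACL is effectively permit ip any any, the per-port restriction belongs in an access-group on the tunnel interface instead. "show crypto ipsec sa" lists one SA pair per matching ACL line, which is a quick way to confirm that only the intended flows are being encrypted.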
The second solution looks good to me, as we already have this setup running...