kskr_networks
asked on
IPsec Site to site
Can we restrict access to specific ports in an IPSec site-to-site VPN tunnel?
Say I want to open only ports 445 and 3389 across a site-to-site VPN.
If yes, could someone send the basic config?
ASKER CERTIFIED SOLUTION
Assuming you have on site A the public IP 1.2.3.4 and a host 192.168.0.50 that you want to RDP into (port 3389) from outside.
Then on site A's router you would port forward port 3389 to 192.168.0.50, so when someone from the Internet types 1.2.3.4:3389, they will reach 192.168.0.50.
http://www.howtogeek.com/66214/how-to-forward-ports-on-your-router/
For routers that use iptables-style config, it's called DNAT.
The risk with the offered solution is that anyone on the Internet can attempt access, unless there is an access list applied somewhere to restrict the source IPs that can utilise the translation.
To answer the first question, yes. The IPsec definition of encrypted and tunnelled traffic permits that protocol and port can be defined. To achieve this in a Cisco environment, the access list used to define VPN traffic would be thus:
ip access-list extended <list name/number> permit tcp <rdp client ip/range> <rdp server ip/range> eq 3389
as an example for tunnelling RDP. Other ports and protocols can be added as required.
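As an added example that is not part of either answer above, the following Cisco IOS configuration carries the crypto ACL idea through for both ports the asker named (445 and 3389) and shows the matching side of the tunnel. The site A public IP 1.2.3.4 and the 192.168.0.x LAN come from the thread; the site B public IP 5.6.7.8, the 192.168.1.0/24 LAN, the transform-set and the crypto map names are assumed for illustration.

```cisco
! Site A router (public IP 1.2.3.4, LAN 192.168.0.0/24)
! Assumed for this example: site B public IP 5.6.7.8, site B LAN 192.168.1.0/24,
! ISAKMP policy and pre-shared key already configured, crypto map bound to the outside interface.
!
! Crypto ACL: only SMB (445) and RDP (3389) from site A hosts to site B hosts count as
! "interesting" traffic, so nothing else is ever encrypted or tunnelled.
ip access-list extended VPN-TO-SITE-B
 permit tcp 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 445
 permit tcp 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 3389
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map SITE-B 10 ipsec-isakmp
 set peer 5.6.7.8
 set transform-set ESP-AES-SHA
 match address VPN-TO-SITE-B
!
! Site B router: the crypto ACL must be the exact mirror image, ports included, or
! phase 2 will not negotiate. Note the port now sits on the source side of each line.
ip access-list extended VPN-TO-SITE-A
 permit tcp 192.168.1.0 0.0.0.255 eq 445 192.168.0.0 0.0.0.255
 permit tcp 192.168.1.0 0.0.0.255 eq 3389 192.168.0.0 0.0.0.255
```

Two things to check when deploying this: if site A also runs NAT overload for Internet access, the NAT ACL needs a deny line for the 192.168.0.0/24 to 192.168.1.0/24 traffic placed before its permit, otherwise the packets are translated before the crypto map sees them and never match; and `show crypto ipsec sa` on either router should list exactly two SAs per direction (one per port), which confirms that only the listed traffic is being tunnelled.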
ASKER
The second solution looks good to me, as we already have this setup running.
ASKER
either forward/NAT those 2 ports