Cisco PIX EasyVPN site2site - Restrict traffic

nicough@gmail.com
12-06-2006
Hi everyone.

I have set up the HeadOffice PIX 506E as an EasyVPN Server, config
below.
The RemoteOffice PIX 501 successfully establishes a VPN connection to
the HeadOffice PIX 506E, and communicates.

The question is, how can I restrict traffic between the networks?

Between the two LANs, I would like to:
Allow anywhere: dns, rdp3389, ntp, icmp
Allow http from 192.168.1.x to 192.168.10.4
Block all smtp
Block rdp3389 from 192.168.1.x to 192.168.10.5

I am unsure how to order this access-list, and how to link it into the
PIX 506E config.
I require that all of these rules be applied to the HeadOffice PIX 506E
(rather than the RemoteOffice PIX 501) because the RemoteOffices will
be scattered around the country and I want to keep them as simple as
possible.

Also, am I correct in saying that once the VPN is established, the
RemoteOffice can connect to the HeadOffice, but HeadOffice can NOT
connect to the RemoteOffice?

Also, is it ok having the following two lines saying "30" and "40"
rather than "10" how they were? I'm not sure if these numbers need to
map to each other, or whether they are just a priority number.
crypto dynamic-map dynmap 40 set transform-set myset
crypto map mymap 30 ipsec-isakmp dynamic dynmap

Any help greatly appreciated.
Nick

                    Internet
                   /        \
111.111.111.111               Dynamic Internet IP
ADSL Router                   ADSL Router
10.0.0.254                    192.168.88.254
     |                             |
10.0.0.1                      192.168.88.1
PIX 506E                      PIX 501
192.168.10.254                192.168.1.1
     |                             |
HeadOffice LAN                RemoteOffice LAN


PIX Version 6.3(5)
hostname HeadOffice
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

ip local pool ippool 172.17.1.1-172.17.1.254
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.0.0.254 1

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 40 set transform-set myset
crypto map mymap 30 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600

vpngroup MYGROUP address-pool ippool
vpngroup MYGROUP split-tunnel 101
vpngroup MYGROUP idle-time 1800
vpngroup MYGROUP password MyPassword

______

PIX Version 6.3(5)
hostname RemoteOffice
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.88.254 1
sysopt connection permit-ipsec
vpnclient server 111.111.111.111
vpnclient mode network-extension-mode
vpnclient vpngroup MYGROUP password MyPassword
vpnclient enable
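The ordering question in the post, as an added example that is not the poster's configuration or Cisco's code: a small Python model of PIX first-match access-list evaluation, loaded with the four rules asked for (remote LAN toward the head-office LAN), a renderer that emits the equivalent PIX 6.x access-list lines, and a check for entries that an earlier entry shadows. The list name vpnfilter, the use of numeric ports, the sample flows, and the choice to model only the remote-initiated direction are my assumptions, not anything from the post.

```python
import ipaddress

# Assumed/constructed: the two LAN ranges are taken from the poster's diagram.
REMOTE_LAN = ipaddress.ip_network("192.168.1.0/24")
HEAD_LAN = ipaddress.ip_network("192.168.10.0/24")


def host(addr):
    """Single-host network, rendered as 'host a.b.c.d' in PIX syntax."""
    return ipaddress.ip_network(f"{addr}/32")


def build_acl():
    """The poster's four requirements as one ordered list of
    (action, protocol, source, destination, dest_port) tuples.
    Entries are checked top-down, first match wins, and an implicit deny
    follows the last entry (PIX semantics), so the specific denies must sit
    above the broad permits that would otherwise shadow them."""
    return [
        # Specific block: rdp from the remote LAN to 192.168.10.5
        ("deny",   "tcp",  REMOTE_LAN, host("192.168.10.5"), 3389),
        # Block all smtp (the implicit deny would also catch it, but an
        # explicit entry documents intent and shows up in hit counts)
        ("deny",   "tcp",  REMOTE_LAN, HEAD_LAN, 25),
        # Narrow permit: http from the remote LAN to 192.168.10.4 only
        ("permit", "tcp",  REMOTE_LAN, host("192.168.10.4"), 80),
        # Broad permits: dns, rdp, ntp, icmp anywhere between the LANs
        ("permit", "udp",  REMOTE_LAN, HEAD_LAN, 53),
        ("permit", "tcp",  REMOTE_LAN, HEAD_LAN, 53),
        ("permit", "tcp",  REMOTE_LAN, HEAD_LAN, 3389),
        ("permit", "udp",  REMOTE_LAN, HEAD_LAN, 123),
        ("permit", "icmp", REMOTE_LAN, HEAD_LAN, None),
    ]


def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one flow using first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in acl:
        if rproto != proto or s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every access-list


def _addr(net):
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def render_pix(acl, name="vpnfilter"):
    """Render the rule list in PIX 6.x access-list syntax. Numeric ports are
    used because the PIX accepts them in place of keyword names."""
    lines = []
    for action, proto, src, dst, dport in acl:
        line = f"access-list {name} {action} {proto} {_addr(src)} {_addr(dst)}"
        if dport is not None:
            line += f" eq {dport}"
        lines.append(line)
    return lines


def shadowed(acl):
    """Indices of entries that can never fire because an earlier entry already
    matches every flow they would match. Only field-by-field containment is
    checked, which is enough to catch the rdp ordering mistake."""
    hidden = []
    for i, (_, proto, src, dst, port) in enumerate(acl):
        for _, eproto, esrc, edst, eport in acl[:i]:
            if (eproto == proto and src.subnet_of(esrc) and dst.subnet_of(edst)
                    and (eport is None or eport == port)):
                hidden.append(i)
                break
    return hidden


if __name__ == "__main__":
    acl = build_acl()
    for line in render_pix(acl):
        print(line)
    print(evaluate(acl, "tcp", "192.168.1.20", "192.168.10.5", 3389))  # deny
    print(evaluate(acl, "tcp", "192.168.1.20", "192.168.10.6", 3389))  # permit
    # Reversing the list puts the broad rdp permit ahead of the specific deny,
    # so the deny is shadowed and never fires.
    wrong = list(reversed(acl))
    print(evaluate(wrong, "tcp", "192.168.1.20", "192.168.10.5", 3389))  # permit
    print(shadowed(wrong))  # [7]
```

With the specific entries placed above the broad permits, the deny for 192.168.10.5 fires; reversing the list shows how a broad `permit tcp ... eq 3389` placed first swallows it, which is exactly what the ordering question is about. On linking the list into the HeadOffice config: on PIX 6.3 a list like this is bound with `access-group vpnfilter in interface outside`, but `sysopt connection permit-ipsec` (present in the posted config) exempts decrypted IPsec traffic from interface access-lists, so the list only takes effect once that sysopt is removed. The PIX's stateful inspection then lets replies through, so only the initiating direction needs entries; head-office-initiated traffic toward the remote LAN would need its own list on the inside interface.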
