Velocity Reviews - Computer Hardware Reviews


Cisco PIX EasyVPN site2site - Restrict traffic

Hi everyone.

I have set up the HeadOffice PIX 506E as an EasyVPN Server, config
The RemoteOffice PIX 501 successfully establishes a VPN connection to
the HeadOffice PIX 506E, and communicates.

The question is, how can I restrict traffic between the networks?

Between the two LANs, I would like to:
Allow anywhere: dns, rdp3389, ntp, icmp
Allow http from 192.168.1.x to
Block all smtp
Block rdp3389 from 192.168.1.x to

I am unsure how to order this accesslist, and how to link it into the
PIX 506E config.
I require that all of these rules be applied to the HeadOffice PIX506E
(rather than the RemoteOffice PIX501) because the RemoteOffices will
be scattered around the country and I want to keep them as simple as

Also, am I correct in saying that once the VPN is established, the
RemoteOffice can connect to the HeadOffice, but HeadOffice can NOT
connect to the RemoteOffice?

Also, is it OK having the following two lines saying "30" and "40"
rather than "10" as they were? I'm not sure if these numbers need to
map to each other, or whether they are just a priority number.
crypto dynamic-map dynmap 40 set transform-set myset
crypto map mymap 30 ipsec-isakmp dynamic dynmap

Any help greatly appreciated.

                     / \  Dynamic Internet IP
    ADSL Router              ADSL Router
         |                        |
      PIX 506E                 PIX 501
         |                        |
   HeadOffice LAN          RemoteOffice LAN

PIX Version 6.3(5)
hostname HeadOffice
access-list 101 permit ip
access-list nonat permit ip

ip local pool ippool
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
route outside 1

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 40 set transform-set myset
crypto map mymap 30 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600

vpngroup MYGROUP address-pool ippool
vpngroup MYGROUP split-tunnel 101
vpngroup MYGROUP idle-time 1800
vpngroup MYGROUP password MyPassword


PIX Version 6.3(5)
hostname RemoteOffice
global (outside) 1 interface
nat (inside) 1 0 0
route outside 1
sysopt connection permit-ipsec
vpnclient server
vpnclient mode network-extension-mode
vpnclient vpngroup MYGROUP password MyPassword
vpnclient enable

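The following PIX 6.3 configuration fragment is an added example, not part of the original post and not the poster's config. It shows one way to order and attach the access lists the poster asks about on the HeadOffice PIX 506E. It assumes the HeadOffice LAN is 192.168.1.0/24 (the "192.168.1.x" in the rule list), the RemoteOffice LAN is 192.168.2.0/24, the HeadOffice outside address is static (written as the placeholder HEADOFFICE_OUTSIDE_IP), the truncated "Allow http from 192.168.1.x to" and "Block rdp3389 from 192.168.1.x to" rules refer to the RemoteOffice LAN, and the access-list names are invented. PIX access lists are evaluated first match with an implicit deny at the end, so the specific deny lines go before the broad permit lines.

```cisco
! Added example (not the poster's config). Assumed addressing:
!   HeadOffice LAN   192.168.1.0/24
!   RemoteOffice LAN 192.168.2.0/24 (assumed, not given in the post)
!   HEADOFFICE_OUTSIDE_IP = placeholder for the 506E's static outside address
!
! 1. The poster's config has "sysopt connection permit-ipsec", which lets
!    decrypted VPN traffic bypass the interface access lists. Remove it so
!    the filters below apply to every RemoteOffice that connects.
no sysopt connection permit-ipsec
!
! 2. Keep the tunnel itself reachable on the outside interface.
access-list fromremote permit udp any host HEADOFFICE_OUTSIDE_IP eq 500
access-list fromremote permit udp any host HEADOFFICE_OUTSIDE_IP eq 4500
access-list fromremote permit esp any host HEADOFFICE_OUTSIDE_IP
!
! 3. RemoteOffice -> HeadOffice, checked on the outside interface after
!    decryption. Specific denies first, then the allowed services.
access-list fromremote deny   tcp  192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq smtp
access-list fromremote permit udp  192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq domain
access-list fromremote permit tcp  192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq domain
access-list fromremote permit udp  192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ntp
access-list fromremote permit tcp  192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 3389
access-list fromremote permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! Everything else from the RemoteOffice LAN (http included) hits the implicit deny.
access-group fromremote in interface outside
!
! 4. HeadOffice -> RemoteOffice, checked on the inside interface before
!    encryption. RDP and SMTP towards the remote LAN are denied first;
!    the final "permit ip any any" keeps ordinary Internet access from
!    the HeadOffice LAN working, since this list sees all inside traffic.
access-list fromhead deny   tcp  192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 3389
access-list fromhead deny   tcp  192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq smtp
access-list fromhead permit tcp  192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq www
access-list fromhead permit udp  192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq domain
access-list fromhead permit tcp  192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq domain
access-list fromhead permit udp  192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq ntp
access-list fromhead permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list fromhead deny   ip   192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list fromhead permit ip   any any
access-group fromhead in interface inside
```

The ordering is the whole point: "Block rdp3389 from 192.168.1.x" and "Allow anywhere: rdp3389" overlap, and the first line that matches a packet wins, so the deny for the remote LAN must sit above the general permit. Because the 506E now filters both directions itself, each RemoteOffice PIX 501 can keep the minimal vpnclient configuration shown in the post. On the sequence-number question, the "40" in crypto dynamic-map dynmap and the "30" in crypto map mymap are independent ordering numbers within their own maps; the crypto map entry refers to the dynamic map by its name, not by its sequence number, so the two values do not have to match.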