Cisco PIX EasyVPN site2site - Restrict traffic

Discussion in 'Cisco' started by nicough@gmail.com, Dec 6, 2006.

    Hi everyone.

    I have set up the HeadOffice PIX 506E as an EasyVPN Server, config
    below.
    The RemoteOffice PIX 501 successfully establishes a VPN connection to
    the HeadOffice PIX 506E, and communicates.

    The question is, how can I restrict traffic between the networks?

    Between the two LANs, I would like to:
    Allow anywhere: dns, rdp3389, ntp, icmp
    Allow http from 192.168.1.x to 192.168.10.4
    Block all smtp
    Block rdp3389 from 192.168.1.x to 192.168.10.5

    I am unsure how to order this accesslist, and how to link it into the
    PIX 506E config.
    I require that all of these rules be applied to the HeadOffice PIX506E
    (rather than the RemoteOffice PIX501) because the RemoteOffices will
    be scattered around the country and I want to keep them as simple as
    possible.

    Also, am I correct in saying that once the VPN is established, the
    RemoteOffice can connect to the HeadOffice, but HeadOffice can NOT
    connect to the RemoteOffice?

    Also, is it ok having the following two lines saying "30" and "40"
    rather than "10" as they were? I'm not sure if these numbers need to
    map to each other, or whether they are just a priority number.
    crypto dynamic-map dynmap 40 set transform-set myset
    crypto map mymap 30 ipsec-isakmp dynamic dynmap

    Any help greatly appreciated.
    Nick

                         Internet
                        /        \
    111.111.111.111                Dynamic Internet IP
    ADSL Router                    ADSL Router
    10.0.0.254                     192.168.88.254
         |                              |
    10.0.0.1                       192.168.88.1
    PIX 506E                       PIX 501
    192.168.10.254                 192.168.1.1
         |                              |
    HeadOffice LAN                 RemoteOffice LAN


    PIX Version 6.3(5)
    hostname HeadOffice
    access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

    ip local pool ippool 172.17.1.1-172.17.1.254
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 10.0.0.254 1

    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-aes esp-md5-hmac
    crypto dynamic-map dynmap 40 set transform-set myset
    crypto map mymap 30 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside

    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 3600

    vpngroup MYGROUP address-pool ippool
    vpngroup MYGROUP split-tunnel 101
    vpngroup MYGROUP idle-time 1800
    vpngroup MYGROUP password MyPassword

    ______

    PIX Version 6.3(5)
    hostname RemoteOffice
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 192.168.88.254 1
    sysopt connection permit-ipsec
    vpnclient server 111.111.111.111
    vpnclient mode network-extension-mode
    vpnclient vpngroup MYGROUP password MyPassword
    vpnclient enable
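One way to order an access list for the policy described in the post, written here as an added example rather than taken from the post or from Cisco. It assumes PIX 6.3 first-match semantics with the implicit deny at the end, covers the RemoteOffice-to-HeadOffice direction only, and the list name vpnfilter is made up.

```cisco
access-list vpnfilter remark First match wins, so the two specific denies must come before any broad permit
access-list vpnfilter deny tcp 192.168.1.0 255.255.255.0 host 192.168.10.5 eq 3389
access-list vpnfilter deny tcp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq smtp
access-list vpnfilter remark http is only allowed to the one web server; http to any other host falls through to the implicit deny
access-list vpnfilter permit tcp 192.168.1.0 255.255.255.0 host 192.168.10.4 eq www
access-list vpnfilter remark Services allowed from the whole remote LAN to the whole head office LAN
access-list vpnfilter permit tcp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 3389
access-list vpnfilter permit udp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq domain
access-list vpnfilter permit tcp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq domain
access-list vpnfilter permit udp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq ntp
access-list vpnfilter permit icmp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpnfilter remark Everything else, smtp included, is dropped by the implicit deny; the explicit smtp deny above only documents intent
```

The list is scoped to the two LAN subnets rather than `any` so that binding it to the outside interface does not accidentally change what non-tunnel Internet traffic is allowed. Note that `sysopt connection permit-ipsec` in the config above lets IPsec traffic bypass interface access lists, so how a list bound with `access-group vpnfilter in interface outside` interacts with that setting on 6.3 is the point to confirm in the PIX documentation before relying on it.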