Posted by on December 6, 2006, 6:33 am
I have set up the HeadOffice PIX 506E as an EasyVPN Server, config below. The RemoteOffice PIX 501 successfully establishes a VPN connection to the HeadOffice PIX 506E, and communicates. The question is, how can I restrict traffic between the networks? Between the two LANs, I would like to:

    Allow anywhere: dns, rdp3389, ntp, icmp
    Allow http from 192.168.1.x to 192.168.10.4
    Block all smtp
    Block rdp3389 from 192.168.1.x to 192.168.10.5

I am unsure how to order this access list, and how to link it into the PIX 506E config. I require that all of these rules be applied to the HeadOffice PIX 506E (rather than the RemoteOffice PIX 501) because the RemoteOffices will be scattered around the country and I want to keep them as simple as possible.

Also, am I correct in saying that once the VPN is established, the RemoteOffice can connect to the HeadOffice, but HeadOffice can NOT connect to the RemoteOffice?

Also, is it OK having the following two lines saying "30" and "40" rather than "10" how they were? I'm not sure if these numbers need to map to each other, or whether they are just a priority number.

    crypto dynamic-map dynmap 40 set transform-set myset
    crypto map mymap 30 ipsec-isakmp dynamic dynmap

Any help greatly appreciated.
Nick

                    Internet
                   /        \
      111.111.111.111        Dynamic Internet IP
         ADSL Router           ADSL Router
         10.0.0.254            192.168.88.254
             |                      |
         10.0.0.1              192.168.88.1
         PIX 506E               PIX 501
       192.168.10.254          192.168.1.1
             |                      |
      HeadOffice LAN         RemoteOffice LAN

    PIX Version 6.3(5)
    hostname HeadOffice
    access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
    ip local pool ippool 172.17.1.1-172.17.1.254
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-aes esp-md5-hmac
    crypto dynamic-map dynmap 40 set transform-set myset
    crypto map mymap 30 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 3600
    vpngroup MYGROUP address-pool ippool
    vpngroup MYGROUP split-tunnel 101
    vpngroup MYGROUP idle-time 1800
    vpngroup MYGROUP password MyPassword

______

    PIX Version 6.3(5)
    hostname RemoteOffice
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 192.168.88.254 1
    sysopt connection permit-ipsec
    vpnclient server 111.111.111.111
    vpnclient mode network-extension-mode
    vpnclient vpngroup MYGROUP password MyPassword
    vpnclient enable
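The policy asked for above, written out as a PIX 6.3 access list on the HeadOffice 506E; this is an added illustration, not configuration from the post. It assumes the ACL names vpnin and vpnout, that the decrypted tunnel traffic is filtered on the outside interface, and that the IKE/NAT-T/ESP permits are needed because sysopt connection permit-ipsec is removed.

```cisco
! Added example (not from the post). PIX 6.3 evaluates an access list top-down,
! first match wins, with an implicit deny at the end, so the specific denies go
! before the broad permits. ACL names vpnin / vpnout are assumed names.
!
! sysopt connection permit-ipsec lets decrypted tunnel traffic bypass the
! interface ACL, so it has to be removed for the outside ACL to see that traffic.
no sysopt connection permit-ipsec
!
! With sysopt gone, the tunnel itself (IKE, NAT-T, ESP to the outside address)
! must be permitted explicitly; the remote PIX has a dynamic address, hence "any".
access-list vpnin permit udp any host 10.0.0.1 eq isakmp
access-list vpnin permit udp any host 10.0.0.1 eq 4500
access-list vpnin permit esp any host 10.0.0.1
!
! Remote LAN -> head office LAN (decrypted traffic enters on the outside interface).
! Specific denies first:
access-list vpnin deny tcp 192.168.1.0 255.255.255.0 host 192.168.10.5 eq 3389
access-list vpnin deny tcp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq smtp
! Then the permits:
access-list vpnin permit tcp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 3389
access-list vpnin permit udp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq domain
access-list vpnin permit tcp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq domain
access-list vpnin permit udp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq ntp
access-list vpnin permit icmp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpnin permit tcp 192.168.1.0 255.255.255.0 host 192.168.10.4 eq www
! Everything else from the remote LAN falls through to the implicit deny.
access-group vpnin in interface outside
!
! Head office LAN -> remote LAN. The inside interface has no ACL today, so the
! default higher-to-lower-security permit applies; this ACL only removes SMTP
! towards the remote LAN and leaves Internet access unchanged. Return packets of
! TCP/UDP sessions are matched by the stateful connection table, not by the ACLs.
access-list vpnout deny tcp 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq smtp
access-list vpnout permit ip any any
access-group vpnout in interface inside
```

After applying it, show access-list vpnin prints a hit count per line, which is the quickest way to confirm that the denies are matching ahead of the broad permits.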

Cisco PIX EasyVPN site2site - Restrict traffic
