[c-nsp] Restrict access in a VPN tunnel

JR Colmenares sforcejr at yahoo.com
Fri Oct 24 07:23:38 EDT 2008



Very appreciated Ryan. Thanks for your reply


--- On Wed, 10/22/08, Ryan Bradley <rbradley at a1fcu.org> wrote:

> From: Ryan Bradley <rbradley at a1fcu.org>
> Subject: RE: [c-nsp] Restrict access in a VPN tunnel
> To: sforcejr at yahoo.com
> Date: Wednesday, October 22, 2008, 9:46 AM
> Define each protocol and port number per host
> 
> access-list nonat permit tcp host 10.10.20.1 eq 1433 host 192.168.16.2 eq 1433
> access-list nonat permit tcp host 10.10.20.1 eq 1433 host 192.168.16.3 eq 1433
> 
> This should solve your second issue by restricting who is
> allowed over
> the tunnel and on what port number and protocol.
> 
> Ryan
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of JR
> Colmenares
> Sent: Friday, October 17, 2008 11:54 PM
> To: Cisco NSP Forum
> Subject: [c-nsp] Restrict access in a VPN tunnel
> 
> Cisco 506e
> 6.3.4
> 
> I am configuring a tunnel and I have this access list that
> allows
> traffic from the remote site to our whole subnet 
> 
> access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0
> access-list remote_site permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0
> sysopt connection permit-ipsec
> 
> Our users are going to access a database server on the
> remote site
> 
> 1- How can I restrict the access to particular hosts in our
> network?
> 2- Is it possible to configure the tunnel so the IP traffic
> goes just in
> one direction? It seems to me that if our users need to
> access their
> servers, they should not need to access any hosts on our
> side? Or if it
> is done this way, our users would not be able to pull any
> data from
> those servers because the traffic just goes in one
> direction. Please
> provide some insight here. I am a little paranoid with this
> company
> wanting to establish this kind of open access
> 
> 
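The practical difficulty with per-host, per-port crypto ACLs is confirming, before the tunnel is rebuilt, that the narrowed list still carries the one flow the business needs and nothing else. The script below is an added example, not code from the thread or from Cisco: it parses PIX 6.3-style `access-list` lines (the `host`, `any`, `address mask` and numeric `eq` forms only; named ports, `range`, and `gt`/`lt` are not handled) and evaluates candidate flows against them with the PIX's first-match, implicit-deny semantics. The ACLs it tests are the /8-to-/24 list quoted above and a constructed tightened variant in the same local-to-remote order; the tightened variant matches only the destination port, because a SQL client's source port is ephemeral, and a third constructed entry with a source-port match is included so the difference is visible. The client address 10.10.20.1 and server addresses 192.168.16.2/3 are taken from the thread; the flows themselves are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL text as it appears in the thread (nonat and remote_site carry the same entry).
ORIGINAL_ACL = """
access-list remote_site permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0
"""

# Constructed tightened variant: one local client, two remote SQL servers, tcp/1433 only.
TIGHT_ACL = """
access-list remote_site permit tcp host 10.10.20.1 host 192.168.16.2 eq 1433
access-list remote_site permit tcp host 10.10.20.1 host 192.168.16.3 eq 1433
"""

# Constructed variant that also pins the client's source port to 1433.
SOURCE_PORT_ACL = """
access-list remote_site permit tcp host 10.10.20.1 eq 1433 host 192.168.16.2 eq 1433
"""


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]          # None means any port
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A' or 'A MASK' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX 6.3 access-lists use a real subnet mask, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq N' at tokens[i]; only numeric ports are supported here."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text: str, name: str) -> List[AclEntry]:
    """Collect the entries of the named access-list, in configuration order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != name:
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        src_port, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dst_port, i = _parse_port(tokens, i)
        entries.append(AclEntry(action, proto, src, src_port, dst, dst_port))
    return entries


def permits(acl: List[AclEntry], proto: str, src_ip: str, src_port: int,
            dst_ip: str, dst_port: int) -> bool:
    """First matching entry decides; no match at all is the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.src_port is not None and e.src_port != src_port:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action == "permit"
    return False


# Constructed flows: the wanted SQL session (ephemeral client port) and three that should fail.
SQL_FLOW = ("tcp", "10.10.20.1", 49152, "192.168.16.2", 1433)
SSH_FLOW = ("tcp", "10.99.1.1", 49153, "192.168.16.50", 22)
OTHER_CLIENT = ("tcp", "10.10.20.9", 49154, "192.168.16.2", 1433)
UDP_FLOW = ("udp", "10.10.20.1", 49155, "192.168.16.2", 1433)


def evaluate(acl_text: str, name: str = "remote_site") -> dict:
    """Return {flow label: permitted?} for the constructed flows against one ACL."""
    acl = parse_acl(acl_text, name)
    return {label: permits(acl, *flow) for label, flow in
            [("sql", SQL_FLOW), ("ssh", SSH_FLOW), ("other_client", OTHER_CLIENT), ("udp", UDP_FLOW)]}


if __name__ == "__main__":
    for label, text in [("original", ORIGINAL_ACL), ("tight", TIGHT_ACL), ("source_port", SOURCE_PORT_ACL)]:
        print(label, evaluate(text))
```

Two things the script does not model are worth keeping in mind when applying this on a PIX 6.3. First, the crypto ACL (`crypto map ... match address remote_site`) must be mirrored on the peer and defines which flows are encrypted in both directions; it does not express who may initiate, so a one-way policy needs interface ACLs, and with `sysopt connection permit-ipsec` in place those interface ACLs are bypassed for tunnel traffic. Second, the `nonat` list used by `nat (inside) 0 access-list nonat` should be narrowed in step with the crypto ACL, or hosts outside the crypto ACL will still be excused from NAT.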

