[c-nsp] Restric access in a VPN tunnel

Tony Varriale tvarriale at comcast.net
Fri Oct 24 11:09:57 EDT 2008


You'll have to take off sysopt connection permit-ipsec before those ACLs 
take effect.

Note that this may affect other VPNs if you have them.

tv
----- Original Message ----- 
From: "JR Colmenares" <sforcejr at yahoo.com>
To: "Ryan Bradley" <rbradley at a1fcu.org>; "Cisco NSP Forum" <cisco-nsp at puck.nether.net>
Sent: Friday, October 24, 2008 6:23 AM
Subject: Re: [c-nsp] Restric access in a VPN tunnel


>
>
> Much appreciated, Ryan. Thanks for your reply.
>
>
> --- On Wed, 10/22/08, Ryan Bradley <rbradley at a1fcu.org> wrote:
>
>> From: Ryan Bradley <rbradley at a1fcu.org>
>> Subject: RE: [c-nsp] Restric access in a VPN tunnel
>> To: sforcejr at yahoo.com
>> Date: Wednesday, October 22, 2008, 9:46 AM
>> Define each protocol and port number per host
>>
>> access-list nonat permit tcp host 10.10.20.1 host 192.168.16.2 eq 1433
>> access-list nonat permit tcp host 10.10.20.1 host 192.168.16.3 eq 1433
>>
>> This should solve your second issue by restricting who is
>> allowed over
>> the tunnel and on what port number and protocol.
>>
>> Ryan
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of JR
>> Colmenares
>> Sent: Friday, October 17, 2008 11:54 PM
>> To: Cisco NSP Forum
>> Subject: [c-nsp] Restric access in a VPN tunnel
>>
>> Cisco 506e
>> 6.3.4
>>
>> I am configuring a tunnel and I have this access list that
>> allows
>> traffic from the remote site to our whole subnet
>>
>> access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0
>> access-list remote_site permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0
>> sysopt connection permit-ipsec
>>
>> Our users are going to access a database server on the remote site.
>>
>> 1- How can I restrict the access to particular hosts in our
>> network?
>> 2- Is it possible to configure the tunnel so the IP traffic
>> goes just in
>> one direction? It seems to me that if our users need to
>> access their
>> servers, they should not need to access any hosts on our
>> side? Or if it
>> is done this way, our users would not be able to pull any
>> data from
>> those servers because the traffic just goes in one
>> direction. Please
>> provide some insight here. I am a little paranoid about this
>> company wanting to establish this kind of open access.
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
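Putting the three replies together, this is what the restricted version of the posted configuration looks like on a PIX 6.3. It is an added example for this archive page, not configuration from any of the posters: the two workstation addresses 10.10.20.1 and 10.10.20.5, the server 192.168.16.2, the ACL name outside_in and the crypto map name outside_map are assumed for illustration, and the crypto map line is shown only to tie the ACL to the tunnel (peer, transform set and ISAKMP policy are whatever is already configured). Lines beginning with `!` are annotations, not commands. Note that the crypto ACEs carry a destination port only: a SQL client connects from an ephemeral source port, so a source-side `eq 1433` would never match.

```cisco
! --- BEFORE (as posted): every 10/8 host can reach every remote host on any
! protocol, and sysopt lets tunnel traffic bypass the interface ACLs entirely.
no access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0
no access-list remote_site permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0
no sysopt connection permit-ipsec

! --- AFTER: two named workstations may open TCP/1433 to the remote DB server.
! The crypto ACL defines interesting traffic AND the IPsec proxy identities.
access-list remote_site remark only SQL from two local workstations to the remote DB
access-list remote_site permit tcp host 10.10.20.1 host 192.168.16.2 eq 1433
access-list remote_site permit tcp host 10.10.20.5 host 192.168.16.2 eq 1433

! NAT exemption for the same flows so they cross the tunnel with real addresses.
access-list nonat permit ip host 10.10.20.1 host 192.168.16.2
access-list nonat permit ip host 10.10.20.5 host 192.168.16.2
nat (inside) 0 access-list nonat

! Tie the crypto ACL to the existing crypto map entry (name assumed).
crypto map outside_map 10 match address remote_site

! With sysopt gone, decrypted tunnel traffic is checked against the outside
! interface ACL like any other inbound packet. The PIX is stateful: replies
! from 192.168.16.2:1433 to connections our users opened are passed by the
! connection table, so this ACL only governs NEW connections the remote site
! tries to open towards us, and those are denied and logged (log needs 6.3).
access-list outside_in deny ip 192.168.16.0 255.255.255.0 10.0.0.0 255.0.0.0 log
! (entries for non-VPN inbound traffic, if any, go here)
access-group outside_in in interface outside

! SAs negotiated under the old /8 ACL stay up until torn down; force a
! renegotiation so the new proxy identities take effect.
clear crypto ipsec sa
```

Two caveats a practitioner will hit. First, because the crypto ACL is the proxy identity, the remote peer's crypto ACL must be the exact mirror (`permit tcp host 192.168.16.2 eq 1433 host 10.10.20.1`, and likewise for 10.10.20.5), otherwise phase 2 fails with a proxy identity mismatch; each ACE also negotiates its own SA pair, so keep the list short. Second, on question 2: IPsec itself has no notion of direction, but the combination of the outside ACL and the stateful connection table gives the effect asked for, since only connections initiated from 10.10.20.x succeed and the remote site cannot open anything towards 10/8. Check the negotiated identities with `show crypto ipsec sa`, then try a connection from the remote side; it should show up as a deny from outside_in in the log.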