
Pix515E How to Reset IPSec tunnel (ACL For remote network?)


TecGuy

MIS
Sep 18, 2002
44
US
Greetings,

I have a Cisco PIX515E. We currently have IPsec tunnels set up between a few branch offices. How can I disable or drop one of the IPsec tunnels to test the connection?


I'm looking for the commands needed to drop the tunnel so that I can attempt a reconnect using a client computer on our network. Without dropping all the tunnels if possible.


Also,

What is the method used to configure the PIX to block traffic coming from a remote network over the IPsec tunnel to your internal network?

EX:

internal IP would be: 178.1.1.0
External would be: 192.168.200.0


What ACLs could be used to block traffic coming from the 192.168 address but still allow access from the 178 network to the 192 network?


We want to control traffic from the remote end so that it can only access certain machines on the 178.1.1.0 network.


Thanks,
 
There are a few - You can modify the no nat ACL (easiest way I can think of.)

You can't restrict traffic to only one way. TCP needs to open a session that requires two way communication. You can limit it to just a few machines.

Take out
sysopt connection permit-ipsec
It would allow all IPsec traffic to bypass your ACLs - not what you want.

Add the similar lines to your outside interface ACL (#1 is an example of just port restrictions to an IP - #2 is an example of using an object-group to group the services you want together if you have multiple services running on that server that you want your VPN users to access.)

access-list acl_outside_inside permit tcp [VPN POOL IPs] [VPN MASK] host [INTERNAL SERVER IP#1] eq 3389
access-list acl_outside_inside permit tcp [VPN POOL IPs] [VPN MASK] host [INTERNAL SERVER IP#2] object-group [ALLOWED SERVICES NAME]


With object groups you can make your ACLs easier to read and have much less work to do for maintenance. They can group network objects (IPs, networks), ports (services), ICMP, etc.



Brent
Systems Engineer / Consultant
CCNP, CCSP
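The restriction Brent describes, written out as a complete PIX 6.x configuration fragment. This is an added example, not part of the original post: the host addresses (178.1.1.10, 178.1.1.20), the ACL name, the object-group name and the ports are constructed to fit the networks in the question.

```cisco
! 1. Stop tunnel traffic from bypassing the outside interface ACL.
no sysopt connection permit-ipsec

! 2. Group the services the remote site may use on the second server.
!    (object-group name and ports are assumed for the example)
object-group service REMOTE_ALLOWED_SVCS tcp
  port-object eq 445
  port-object eq 3389

! 3. Permit only named hosts/services from the remote 192.168.200.0 network.
!    Everything else arriving through the tunnel hits the implicit deny.
access-list acl_outside permit tcp 192.168.200.0 255.255.255.0 host 178.1.1.10 eq 3389
access-list acl_outside permit tcp 192.168.200.0 255.255.255.0 host 178.1.1.20 object-group REMOTE_ALLOWED_SVCS

! 4. Apply the ACL inbound on the outside interface.
access-group acl_outside in interface outside

! Alternative Brent mentions: narrow the NAT-exemption ACL so that only the
! chosen internal hosts are ever carried unNATed across the tunnel.
access-list nonat permit ip host 178.1.1.10 192.168.200.0 255.255.255.0
access-list nonat permit ip host 178.1.1.20 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat

! Check hit counts per line after testing from the remote side:
! show access-list acl_outside
```

Sessions from the 178.1.1.0 side to the remote network are unaffected: the PIX is stateful, so return traffic for connections initiated from inside is permitted without an explicit ACL entry.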
 