Restricting site-to-site VPN traffic


tangerine0072000

Technical User
Apr 20, 2005
83
GB
Hi all,

I've configured simple VPN between PIX 506 & 515

local subnet: 192.168.1.0/24 (506)
remote subnet: 192.168.2.0/24 (515)

I would like to restrict what traffic goes through this VPN by certain ip addresses and ports.

I would like to give the local subnet access to the remote subnet using VNC port 5900 only, but I don't want to allow the remote network to have any access back apart from icmp, so we can health check certain devices.

Questions:
1. Should I be editing the crypto map or adding a separate access-list?

many thanks,
 
Last time I tried, my impression was that you couldn't do it by editing the crypto map. That was a while ago, however.

In any case, I did it by implementing outbound access-lists on the inside interface of each firewall. So, on the local subnet firewall, it might appear something like this to restrict access through the tunnel but allow everything else:

access-list outbound permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 5900
access-list outbound deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outbound permit ip any any
access-group outbound in interface inside
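The list above is evaluated top to bottom with first match wins and an implicit deny at the end, so the order of the three entries is what makes it work: the specific VNC permit must sit above the subnet-wide deny, and the subnet-wide deny above the catch-all permit. The added Python example below (not from this thread or from Cisco) parses PIX 6.x style access-list lines and evaluates sample flows against them so the effect of each entry, and of getting the order wrong, can be seen. The 515-side list is an assumption built from the original question's "icmp only" requirement, the flow addresses are constructed, and the ACL model ignores established-connection return traffic and port ranges. It also explains why the filter belongs on the inside interface: on the PIX, decrypted tunnel traffic bypasses the outside-interface ACL when `sysopt connection permit-ipsec` is set, so the inside-interface list on each firewall is the only place the restriction is enforced.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source/destination networks,
    and an optional destination port ('eq <port>')."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any port


def parse_ace(line: str) -> Ace:
    """Parse a PIX 6.x style line such as
    'access-list outbound permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 5900'.
    Handles 'any' and 'address mask' network forms plus an optional 'eq <port>'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tok[2], tok[3]
    pos = 4

    def network() -> ipaddress.IPv4Network:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.IPv4Network("0.0.0.0/0")
        net = ipaddress.IPv4Network(f"{tok[pos]}/{tok[pos + 1]}")  # PIX uses a netmask, not a wildcard
        pos += 2
        return net

    src = network()
    dst = network()
    dport = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First-match evaluation as the PIX does it, with the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# 506 side (192.168.1.0/24), exactly the three entries given in the reply above.
PIX506_OUTBOUND = [parse_ace(l) for l in [
    "access-list outbound permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 5900",
    "access-list outbound deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
    "access-list outbound permit ip any any",
]]

# 515 side (192.168.2.0/24): ASSUMED mirror list for the "icmp only" requirement
# in the original question; the thread does not give this one.
PIX515_OUTBOUND = [parse_ace(l) for l in [
    "access-list outbound permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list outbound deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list outbound permit ip any any",
]]

# Same three 506 entries with the deny placed first: a common ordering mistake.
PIX506_MISORDERED = [PIX506_OUTBOUND[1], PIX506_OUTBOUND[0], PIX506_OUTBOUND[2]]


def check_flows() -> dict:
    """Evaluate constructed sample flows (hosts .10 and .20 are made up) on both sides."""
    return {
        "506 vnc to remote":        evaluate(PIX506_OUTBOUND, "tcp", "192.168.1.10", "192.168.2.20", 5900),
        "506 ssh to remote":        evaluate(PIX506_OUTBOUND, "tcp", "192.168.1.10", "192.168.2.20", 22),
        "506 ping to remote":       evaluate(PIX506_OUTBOUND, "icmp", "192.168.1.10", "192.168.2.20"),
        "506 ssh elsewhere":        evaluate(PIX506_OUTBOUND, "tcp", "192.168.1.10", "10.0.0.1", 22),
        "515 ping to local":        evaluate(PIX515_OUTBOUND, "icmp", "192.168.2.20", "192.168.1.10"),
        "515 vnc to local":         evaluate(PIX515_OUTBOUND, "tcp", "192.168.2.20", "192.168.1.10", 5900),
        "misordered vnc to remote": evaluate(PIX506_MISORDERED, "tcp", "192.168.1.10", "192.168.2.20", 5900),
    }


if __name__ == "__main__":
    for flow, verdict in check_flows().items():
        print(f"{flow:26s} -> {verdict}")
```

Running it shows VNC permitted and everything else to the remote subnet denied on the 506, only ICMP permitted toward the local subnet on the 515, traffic to any other destination untouched, and the misordered list denying VNC because the subnet-wide deny is matched first.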
 