
Site 2 Site restricted VPN

Status
Not open for further replies.

rrgg
Technical User
Jun 20, 2003
Hi all,
I have implemented a bi-directional full site-to-site VPN: Net1 (Cisco PIX 506) - Net2 (Cisco PIX 501).
All works fine, but now I need some restrictions:
I need to permit all hosts from Net1 to only one Net2 host;
I also need to permit all hosts from Net2 to only one Net1 host.

Can someone help me?

Thanks in advance.
 
You just need to remove this line, "sysopt connection permit-ipsec", and then create ACLs for the traffic as you would for any other incoming traffic.

Hope that helps.
 
You can mess with the crypto ACL and no-NAT statements, but that tends to get complicated, and I only use it if I control only one of the PIXes. An easier way to do that (if I control both PIXes) is to apply an ACL to the inside interface.

access-list inside_out permit ip [Net1] [mask] host [Net2 host ip]
access-list inside_out deny ip [Net1] [mask] [Net2] [mask]
access-list inside_out permit ip any any
access-group inside_out in interface inside

Simply reverse the order and IPs for the other PIX. You don't need the "sysopt connection permit-ipsec" with this solution because the traffic never actually makes it to the no-NAT and crypto statements.



Brent
Systems Engineer / Consultant
CCNP, CCSP
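To show why the order of the three access-list lines above matters, here is an added Python model of the PIX's top-down, first-match ACL evaluation. It is not code from this thread or from Cisco; the networks 10.1.0.0/24 and 10.2.0.0/24 and the two permitted hosts are constructed stand-ins for the [Net1], [Net2] and host placeholders in Brent's post, and the same builder is reused with swapped arguments for the second PIX, as he suggests.

```python
import ipaddress
from typing import List, Tuple

# Constructed addressing for this example; the thread's [Net1]/[Net2] placeholders
# stand for whatever the real sites use.
NET1 = ipaddress.ip_network("10.1.0.0/24")          # behind the PIX 506
NET2 = ipaddress.ip_network("10.2.0.0/24")          # behind the PIX 501
NET1_HOST = ipaddress.ip_address("10.1.0.10")       # the only Net1 host Net2 may reach
NET2_HOST = ipaddress.ip_address("10.2.0.20")       # the only Net2 host Net1 may reach
ANY = ipaddress.ip_network("0.0.0.0/0")

# One access-control entry: (action, source network, destination network).
Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def host(ip: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """'host x.x.x.x' in PIX syntax is a /32."""
    return ipaddress.ip_network(f"{ip}/32")


def build_inside_acl(local_net, remote_net, remote_host) -> List[Ace]:
    """The three ACEs applied inbound on the inside interface, in order.

    Maps to:
      access-list inside_out permit ip [local] [mask] host [remote host]
      access-list inside_out deny   ip [local] [mask] [remote] [mask]
      access-list inside_out permit ip any any
    """
    return [
        ("permit", local_net, host(remote_host)),
        ("deny", local_net, remote_net),
        ("permit", ANY, ANY),
    ]


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First-match, top-down evaluation with the implicit deny the PIX adds at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if s in s_net and d in d_net:
            return action
    return "deny"


# "Reverse the order and IPs for the other PIX": same builder, swapped arguments.
PIX1_INSIDE = build_inside_acl(NET1, NET2, NET2_HOST)
PIX2_INSIDE = build_inside_acl(NET2, NET1, NET1_HOST)


def misordered_acl(acl: List[Ace]) -> List[Ace]:
    """The same ACEs with the deny placed first, to show the ordering pitfall."""
    permit_host, deny_net, permit_any = acl
    return [deny_net, permit_host, permit_any]


def policy_check() -> dict:
    """Evaluate constructed first packets of flows against both PIX ACLs."""
    return {
        "net1->allowed net2 host": evaluate(PIX1_INSIDE, "10.1.0.50", "10.2.0.20"),
        "net1->other net2 host": evaluate(PIX1_INSIDE, "10.1.0.50", "10.2.0.21"),
        "net1->internet": evaluate(PIX1_INSIDE, "10.1.0.50", "198.51.100.7"),
        "net2->allowed net1 host": evaluate(PIX2_INSIDE, "10.2.0.99", "10.1.0.10"),
        "net2->other net1 host": evaluate(PIX2_INSIDE, "10.2.0.99", "10.1.0.11"),
        "misordered net1->allowed host": evaluate(
            misordered_acl(PIX1_INSIDE), "10.1.0.50", "10.2.0.20"
        ),
    }


if __name__ == "__main__":
    for flow, verdict in policy_check().items():
        print(f"{flow:32s} {verdict}")
```

The model only judges the first packet of a flow. The PIX is stateful, so replies to a permitted connection are admitted from its connection table rather than re-checked against the far side's inside ACL, which is why the mirrored ACL on the other PIX does not need extra entries for return traffic. The "misordered" entry shows the failure mode to watch for when editing the list: with the subnet deny placed above the host permit, the one host you meant to reach is blocked too, and the final "permit ip any any" is what keeps ordinary Internet traffic from falling through to the implicit deny.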
 