One Direction site to site vpn
fid500
I am trying to set up a one-direction IPsec site-to-site VPN between sites A and B. The traffic will originate from site A to site B. I am trying to limit traffic from site A to only HTTP and allow only return traffic from site B; site B should not be able to initiate any connections.
I have a problem getting the tunnel up when I add a group policy on the ASA at site A. If I use the default group policy, it works fine. Can someone tell me what I am doing wrong? Where should I apply the ACL to control ports and hosts going through the VPN?
Thanks
! Site A ASA (hostname API), outside 192.168.1.1, inside 8.1.1.0/24
hostname API
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 9.1.1.3 HostB
name 9.1.1.0 SiteB
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 8.1.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 8.1.1.0 255.255.255.0 SiteB 255.255.255.0
access-list inside_access_in extended permit ip 8.1.1.0 255.255.255.0 SiteB 255.255.255.0
access-list outside_2_cryptomap extended permit ip 8.1.1.0 255.255.255.0 SiteB 255.255.255.0
! vpn-filter ACL: the ASA evaluates vpn-filter ACEs with the remote side as source and the local side as destination
access-list MyGroupPolicy extended permit tcp host HostB 8.1.1.0 255.255.255.0 eq www
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
http 8.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set router-set esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set connection-type originate-only
crypto map outside_map 2 set peer 192.168.1.2
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 8.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy MyGroupPolicy internal
group-policy MyGroupPolicy attributes
vpn-filter value MyGroupPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 general-attributes
default-group-policy MyGroupPolicy
tunnel-group 192.168.1.2 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group 192.168.1.2
! Site B ASA (hostname SiteB), outside 192.168.1.2, inside 9.1.1.0/24
hostname SiteB
names
name 8.1.1.0 SiteA
name 9.1.1.3 HostB
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 9.1.1.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 9.1.1.0 255.255.255.0 SiteA 255.255.255.0
access-list inside_nat0_outbound extended permit ip 9.1.1.0 255.255.255.0 SiteA 255.255.255.0
access-list inside_access_in extended permit ip 9.1.1.0 255.255.255.0 SiteA 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set connection-type answer-only
crypto map outside_map 1 set peer 192.168.1.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group 192.168.1.1
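Added example, not part of the original post, showing how a vpn-filter ACL has to be written for the traffic described above. Two points matter here. First, `connection-type originate-only` / `answer-only` only controls which peer is allowed to start the IKE negotiation; it does not restrict which hosts or ports can pass through the tunnel once it is up. Host and port control is done with the vpn-filter (or, after `no sysopt connection permit-vpn`, with the interface ACLs). Second, the ASA evaluates a vpn-filter ACE with the remote network as the source and the local network as the destination, and it applies the same ACE to both directions of the tunnel. For a connection that a Site A host opens to HostB on port 80, the ACE is therefore checked with HostB / port 80 as the source and the Site A host / ephemeral port as the destination. The posted ACE puts `eq www` on the Site A side, so it never matches that connection, and what it does permit is HostB opening connections to port 80 at Site A, the opposite of the stated goal. The addresses and object names below are taken from the posted configs; the group-policy and ACL names on the Site B side, and the host 8.1.1.10 used in packet-tracer, are assumed for illustration.

```text
! Added example, not from the original post. Same addressing as the posted configs:
! Site A 8.1.1.0/24 behind "API", HostB 9.1.1.3 behind "SiteB", peers 192.168.1.1 / 192.168.1.2.
!
! --- Site A (hostname API): filter written remote -> local, port on the remote side ---
! Allows Site A hosts to open TCP connections to HostB port 80 and lets the replies back.
access-list MyGroupPolicy extended permit tcp host HostB eq www 8.1.1.0 255.255.255.0
!
group-policy MyGroupPolicy internal
group-policy MyGroupPolicy attributes
 vpn-filter value MyGroupPolicy
!
tunnel-group 192.168.1.2 general-attributes
 default-group-policy MyGroupPolicy
!
! --- Site B (hostname SiteB): mirror filter, so the restriction does not depend on Site A alone ---
! Here Site A is the remote side (source) and HostB port 80 the local side (destination).
! Names SiteB-vpn-filter and SiteB-L2L are assumed; they are not in the posted config.
access-list SiteB-vpn-filter extended permit tcp 8.1.1.0 255.255.255.0 host HostB eq www
!
group-policy SiteB-L2L internal
group-policy SiteB-L2L attributes
 vpn-filter value SiteB-vpn-filter
!
tunnel-group 192.168.1.1 general-attributes
 default-group-policy SiteB-L2L
!
! The posted SiteB default route points at 192.168.1.2, which is SiteB's own outside address.
! The next hop has to be the far end of the 192.168.1.0 link (assumed to be the API outside address).
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! --- Verification on API after the change ---
show vpn-sessiondb l2l
show crypto ipsec sa peer 192.168.1.2
show access-list MyGroupPolicy
! Simulated first packet of an HTTP connection from an assumed Site A host to HostB:
! the trace should end with "Action: allow" and show the VPN encrypt phase.
packet-tracer input inside tcp 8.1.1.10 12345 9.1.1.3 80
! The reverse, HostB opening a connection to Site A, should be dropped by the vpn-filter.
packet-tracer input outside tcp 9.1.1.3 12345 8.1.1.10 80
```

Two caveats a practitioner should keep in mind. The vpn-filter ACE is checked only against the first packet of a connection and applies in both directions, so `permit tcp host HostB eq www 8.1.1.0 255.255.255.0` also lets HostB open a connection from source port 80 to any port on a Site A host; that is an accepted limitation of vpn-filter on the ASA, and the `answer-only` connection type on SiteB does not close it. Separately, the posted crypto settings (3DES, SHA-1, DH group 2) are dated; on hardware that supports it, AES-256 with SHA-2 and a DH group of 14 or higher, preferably with IKEv2, is the current baseline.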