
pix to pix VPN question


DV37201 (MIS, US), Dec 21, 2001
I have a simple pix to pix vpn setup between my 515 and a 501 at my remote office. For security reasons I currently have the tunnel locked down so that users behind the 501 can only hit server A behind my 515. This is working fine, but I am curious if there is a way to allow all users behind my 515 to access all PCs behind the 501, and yet still restrict the PCs behind the 501 to only server A behind my 515? Thanks in advance.
 
If you add an access-list and access-group to the inside interface of your 501 at the remote office, that might work for what you need. Simply add a "permit ip" statement for each host you want those at the remote office to be able to initiate communications with.

Hosts initiating communications from your main office would still be able to do so, and the ACK traffic coming back should not be blocked by the access-list. However, remote workstations trying to initiate traffic would be subject to the access-list and be blocked or permitted accordingly.

Also, keep in mind that if you do this, pings will not work as an echo-reply is not considered to be ACK traffic. It is a communication within itself. Of course, you could put rules in your access-lists only allowing certain ICMP types...
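The reply above describes the approach in words; here is what that configuration looks like on the remote-office 501. This is an added example, not a config posted in the thread, and the addresses are constructed placeholders: the main-office LAN behind the 515 is assumed to be 10.1.0.0/24 with server A at 10.1.0.10, and the remote LAN behind the 501 is 10.2.0.0/24. The access-list name `inside_in` is also made up. Lines beginning with `!` are annotations, not commands.

```text
! Added example (not from the original thread). PIX 6.x syntax.
! Assumed addresses (constructed):
!   main-office LAN behind the 515 : 10.1.0.0/24, server A = 10.1.0.10
!   remote LAN behind the 501      : 10.2.0.0/24
!
! Remote PCs may only START sessions to server A. Because the PIX tracks
! connections, return traffic for sessions the main office opened is
! still passed; only new sessions from the remote LAN are matched here.
access-list inside_in permit ip 10.2.0.0 255.255.255.0 host 10.1.0.10
!
! Let main-office pings keep working: the echo-reply a remote PC sends is
! a new ICMP packet through this interface, not part of a tracked
! session, so it has to be permitted explicitly. Nothing else ICMP is.
access-list inside_in permit icmp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 echo-reply
!
! Everything else the remote LAN starts toward the main office is denied.
access-list inside_in deny ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!
! Only needed if the remote PCs also reach the Internet through the 501;
! without it the implicit deny at the end of the list drops that too.
access-list inside_in permit ip 10.2.0.0 255.255.255.0 any
!
! Apply the list to traffic arriving on the inside interface of the 501.
access-group inside_in in interface inside
```

Two things to check after applying it: `show access-list inside_in` shows hit counts per line, so a ping from the main office should increment the echo-reply line while a connection attempt from a remote PC to anything other than server A increments the deny line. This list does not change the crypto access-list that defines the tunnel itself, which must still cover 10.2.0.0/24 to 10.1.0.0/24 in both directions for the main office to reach every remote PC.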
 