
"One-way" site to site vpn


u080570

Technical User
Jul 24, 2003
I need to set up a site-to-site VPN connection between my company and one of my clients. I will be accessing one server on their network; they will not access anything on my network. I'm not sure what information to send them. I have received their peer address, encryption methods, and destination server, and I have sent them my peer address and encryption methods, but I'm not sure what to send them for the third piece, since they will not actually access anything on my network.
 
Should be easy. Assuming your network is 10.1.1.0/24 and
their network is 10.2.2.0/24:

1) On your PIX do "no sysopt connection permit-ipsec".
2) By default, you should be able to get to their network,
but they can NOT get to yours. However, you do need to
allow ICMP echo-reply so when you ping them, it knows how
to get back to you.

Your external ACL should look something like this (PIX access-lists take a dotted netmask, not /24 notation):

access-list External permit icmp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
access-group External in interface outside

This way you can get to the server on the other side, but they can not do anything to your server.

make sense?
 
I need to know what to send the guy at the other company so he can configure his end of the VPN connection. I have sent him my peer address and encryption info (3DES, MD5, etc.), but I don't know what to send him as far as the destination IP address. Would it just be my internal network address?

I also have other VPN connections (I didn't mention that in my original post). Wouldn't the "no sysopt..." command break those?

PIX newbie here. Thanks for your help!
 
The destination address should be your internal network.

If you do NOT change the "sysopt connection permit-ipsec",
it means that he can initiate traffic from his end also.
"sysopt connection permit-ipsec" is a dangerous command.
It allows the IPsec traffic to bypass ALL of your ACLs.
In other words, there will be

If you don't want the other side to access any of the
services on your network, you will have to "redo" all of your VPNs. It will be a pain in the ass. It is one of
those things that Cisco will not tell you.

If you want something more secure, I suggest that you go
with a Checkpoint firewall. Checkpoint is more flexible
with VPN and security rulebase.
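Putting the two replies above together, here is what a complete "one-way" tunnel looks like on a PIX 6.x, as an added example that is not from either poster. It assumes the 10.1.1.0/24 (yours) and 10.2.2.0/24 (theirs) networks from the first reply, a hypothetical second, already-existing tunnel to 10.3.3.0/24, and placeholder peer addresses; the important part is that once "sysopt connection permit-ipsec" is off, decrypted traffic from EVERY tunnel is checked against the outside ACL, so the existing tunnel needs its own permit lines or it stops working.

```cisco
! --- Phase 1: what you and the other admin agree on (3DES / MD5 / pre-shared key)
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address <THEIR-PEER-IP> netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- Phase 2: "interesting traffic" = your LAN <-> their LAN.
! The destination they need from you is the 10.1.1.0/24 side of this ACL.
access-list vpn-client1 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! Do not NAT traffic that goes through the tunnel
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-client1
crypto map vpnmap 10 set peer <THEIR-PEER-IP>
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

! --- Make decrypted VPN traffic obey the outside ACL instead of bypassing it
no sysopt connection permit-ipsec

! --- Outside ACL. Connections you open to their server come back through
! the PIX state table, so only ping replies need an explicit permit.
access-list External permit icmp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
! The caveat from the second reply: every OTHER tunnel now needs its own
! permits too. Hypothetical existing two-way tunnel to 10.3.3.0/24:
access-list External permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group External in interface outside
```

Nothing here permits 10.2.2.0/24 to start a TCP or UDP session toward 10.1.1.0/24, so their side can only answer what you initiate.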
 