Posted by jcle on June 18, 2008, 8:35 am
Sounds like maybe their ACLs may not be right. I always built three
ACLs for this: one for nonat, one for phase two, and one for the group
policy vpn-filter.
The first two, for nonat and phase two, are typical:
access-list 101 permit ip (local net) (remote net)
The filter is a little tricky: you reverse the logic.
access-list 102 permit tcp (remote net) (local net)
You then allow access by adding eq protocol number following the
network you want to allow access to. For example, if I wanted to allow a
host behind the Juniper to access a web server behind the ASA, you would
do this (192.168.1.2 = Juniper host, 192.168.2.2 = Cisco host):
access-list 102 permit tcp host 192.168.1.2 host 192.168.2.2 eq www
You then have to renegotiate phase 1 any time you make a change to the
group policy ACL, by running clear isakmp sa.
Lone wrote:
> > On Jun 16, 10:32 am, rober...@hushmail.com (Walter Roberson) wrote:
> >
> >
> >
> > > In article
> >
> > > >I am having difficulty configuring the VPN access-lists on LAN to LAN
> > > >IPSec tunnel between a Cisco PIX and a Juniper SSG 20. I'm running
> > > >PIX version 7.1(2) and I have sysopt connection permit-vpn enabled,
> > > >which, from what I understand would then force access-list
> > > >restrictions to be determined by the VPN group-policy and the access-
> > > >list specified by the vpn-filter value setting.
> >
> > > I haven't used PIX 7 (but used PIX 6 extensively), so I am
> > > not familiar with VPN group policies or vpn-filter.
> >
> > > In PIX 6, specifying sysopt connection permit-vpn
> > > would indicate that packets coming in over the VPN were exempt
> > > from all access-list restrictions. (Though whether the packet
> > > was allowed to cross the VPN at all would be determined by the
> > > crypto map access-list .)
> >
> > Can you specify host and port access lists using that crypto map match
> > address command? Unfortunately, since this is a PIX to SSG tunnel, I
> > don't believe I can add additional entries to this access list because
> > the entries in this list need to match the entry on the SSG side.
> > Unfortunately, I can only designate a subnet on the SSG side. If I
> > were to change this, I'm fairly sure that the tunnel will not build.
>
> I've been working off of the information provided by this site:
>
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
>
> It's describing everything that I want to do. I can also successfully
> use the vpn-filter command on the Remote Access connections that I've
> created on the same PIX. It's just the L2L tunnel that I'm having
> trouble with.
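The three-ACL layout jcle describes, written out as a PIX 7.x / ASA style config fragment. This is an added example, not config from the original thread or from Cisco's document. It uses jcle's hosts (192.168.1.2 behind the Juniper, 192.168.2.2 behind the Cisco box); the subnets 192.168.1.0/24 and 192.168.2.0/24, the peer address 203.0.113.10, and the object names (NONAT, L2L_CRYPTO, L2L_FILTER, L2L_POLICY, OUTSIDE_MAP) are assumptions chosen for illustration. Note how the nonat and crypto ACLs are written local-to-remote, while the vpn-filter ACL is written remote-to-local, and how only the filter ACL carries the port restriction, so the crypto ACL still matches the single-subnet proxy ID the SSG side offers.

```cisco
! --- ACL 1: NAT exemption, local net -> remote net (assumed subnets) ---
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- ACL 2: crypto map match address, local net -> remote net ---
! Kept to a plain subnet-to-subnet entry so it mirrors the SSG proxy ID;
! adding host/port entries here would change the phase 2 proposal.
access-list L2L_CRYPTO extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

! --- ACL 3: vpn-filter, logic reversed: remote (peer) side is the source ---
! Only the Juniper host may reach the Cisco-side web server on port 80;
! with sysopt connection permit-vpn this filter is the control that applies
! to traffic arriving over the tunnel.
access-list L2L_FILTER extended permit tcp host 192.168.1.2 host 192.168.2.2 eq www

! group policy carrying the filter (name is an assumption)
group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-filter value L2L_FILTER

! L2L tunnel group for the SSG peer (peer address is an assumption)
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L_POLICY
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <key>

! crypto map tying ACL 2 to the peer (transform set name is an assumption)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside

sysopt connection permit-vpn

! after editing L2L_FILTER, tear down the SA so the new policy is picked up
! (the command jcle refers to)
clear isakmp sa
```

To confirm the filter is doing the work, "show vpn-sessiondb detail l2l" lists the group policy and filter in use for the tunnel, and "show access-list L2L_FILTER" shows hit counts on the permit line as the Juniper host browses the web server; any other traffic over the tunnel should be dropped by the implicit deny at the end of the filter ACL.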