jeff6strings
24 posts

We have a Cisco ASA 5580-20 running version 8.2. We will have a consultant who will have laptops and a printer on our network, but I will confine these to a VLAN. For this consultant I will need to set up a site-to-site VPN from our ASA to his company's ASA. On our side I need this site-to-site VPN to be confined to the VLAN to which his laptops and printer are assigned. Providing him with a broadband connection to use his own firewall device is not an option. I would appreciate any assistance with how to configure (restrict) the site-to-site VPN to the VLAN on our side.

Thank you,

Jeff

k00laid
12 posts

Jeff,

I've only really done this with Client Access VPN, but I would think when you are specifying the interesting traffic that should travel across the VPN you only include the VLAN they are in. You will also have to add the VLAN where your Internet edge resides as well, but hopefully this is segregated from the rest of your network.

~Jim

Steven
17 posts

Here is what you do.

  1. Create a new VLAN (non-routed) on your core and access switches for the consultant.

  2. Define a new interface on the ASA with appropriate IP addressing, and switch on DHCP if required.

  3. Attach the new ASA interface to the new VLAN.

  4. Create the site-to-site VPN, and lock the crypto map down to the source IP range of the consultant VLAN only.

  5. Secure it further by applying an ACL to the new ASA interface denying all access to your inside networks and anything else you see fit.

That's it in a nutshell; you shouldn't need to specify any other source IPs in the crypto map other than the consultant VLAN.
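The five steps above, written out as an ASA 8.2 configuration fragment. This is an added example, not configuration posted by anyone in this thread, and every identifier in it is an assumption: VLAN 300 on GigabitEthernet0/1 as the consultant subinterface, 10.99.0.0/24 for the consultant VLAN, 172.16.50.0/24 as the consultant company's remote subnet, 192.0.2.10 as their ASA's public address, 10.0.0.0/8 and 192.168.0.0/16 as the local inside networks being protected, and an outside interface named `outside` with a crypto map called `OUTSIDE_MAP`. Replace all of these, and the pre-shared key, before use.

```cisco
! --- Step 2/3: consultant VLAN lands on its own ASA subinterface (assumed VLAN 300)
interface GigabitEthernet0/1.300
 vlan 300
 nameif consultant
 security-level 10
 ip address 10.99.0.1 255.255.255.0
!
! Optional DHCP for the consultant's laptops and printer (assumed pool)
dhcpd address 10.99.0.10-10.99.0.50 consultant
dhcpd enable consultant
!
! --- Step 4: interesting traffic is ONLY consultant VLAN <-> partner subnet.
! The crypto map matches this ACL in both directions, so the remote ASA can
! reach nothing but 10.99.0.0/24 either.
access-list CONSULTANT_VPN extended permit ip 10.99.0.0 255.255.255.0 172.16.50.0 255.255.255.0
!
! 8.2-style NAT exemption so tunnel traffic is not translated
access-list CONSULTANT_NONAT extended permit ip 10.99.0.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (consultant) 0 access-list CONSULTANT_NONAT
!
! Phase 1 / Phase 2 (assumed parameters; must match the partner's side)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set CONSULTANT_TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 20 match address CONSULTANT_VPN
crypto map OUTSIDE_MAP 20 set peer 192.0.2.10
crypto map OUTSIDE_MAP 20 set transform-set CONSULTANT_TS
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET
!
! --- Step 5: inbound ACL on the consultant interface. Permit the tunnel
! traffic, deny everything toward the inside networks (assumed RFC 1918
! ranges in use locally), then allow Internet access. ACL order matters:
! the tunnel permit sits above the 172.16.0.0/12 deny.
access-list CONSULTANT_IN extended permit ip 10.99.0.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list CONSULTANT_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list CONSULTANT_IN extended deny ip any 192.168.0.0 255.255.0.0
access-list CONSULTANT_IN extended deny ip any 172.16.0.0 255.240.0.0
access-list CONSULTANT_IN extended permit ip 10.99.0.0 255.255.255.0 any
access-group CONSULTANT_IN in interface consultant
```

Two things worth checking after applying it: `show crypto ipsec sa` should list only the 10.99.0.0/24 <-> 172.16.50.0/24 proxy identities, and a test host on the consultant VLAN should be unable to reach an inside address (`show access-list CONSULTANT_IN` will show the deny counters increment). The interface ACL governs what consultant hosts initiate; what the partner can initiate toward you is bounded by the crypto ACL, since decrypted VPN traffic bypasses the outside interface ACL under the default `sysopt connection permit-vpn`.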

jeff6strings
24 posts

Thank you for the replies. We will be configuring this tomorrow and I will post the outcome or any questions.

jeff
