how to configure a one-way L2L IPSec tunnel

Answered Question
Aug 31st, 2007

This may be a dumb question, since VPN is for communications between trusted parties and most people would try to fix a one-way tunnel.

But I am interested in turning a regular tunnel into one-way only, i.e., only traffic on my side can initiate the tunnel.

We recently built this tunnel between our ASA5510 and our biz partner's ASA5510 in order to run critical apps on their non-Internet-facing web servers. I want to tie it down so that they can't initiate the VPN. I have the crypto ACL set to limit to a port address so they can only come to us from that port once the tunnel is established. We also have personal firewall installed on each host.

Any idea on how to make the tunnel one way and also protect us better once the tunnel is up?

Correct Answer by nefkensp about 9 years 3 months ago

Hi,

You can use the following command:

crypto map map-name seq-num set connection-type {answer-only | originate-only | bidirectional}

This command defines whether the tunnel is originate-only or answer-only. If you set the tunnel on your side to originate-only, the ASA will never accept the tunnel setup from your business partner. However, you can still initiate the VPN tunnel setup.

Check out:

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/c5.html#wp2152576

Although the reference is for ASA 8.0, I know it works for 7.2.x as well.

Hope this helps

Kind regards

Pieter-Jan
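The crypto map entry described above, written out as an added example (it is not configuration from the thread or from Cisco's documentation). ASA 7.2/8.0 syntax is assumed; the peer address, subnets, ACL and map names are constructed placeholders, and the ISAKMP policy and tunnel-group pre-shared key are assumed to be configured already.

```cisco
! Added example: one-way (originate-only) L2L entry on "our" ASA.
! 10.1.1.0/24 = our hosts, 192.0.2.0/24 = partner web servers,
! 203.0.113.1 = partner ASA outside address (all constructed values).
!
! Crypto ACL: only our hosts to the partner web servers on TCP 443 are
! "interesting" traffic (the port-restricted crypto ACL the question mentions).
access-list partner_crypto extended permit tcp 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0 eq 443
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map outside_map 10 match address partner_crypto
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
! This ASA may start the tunnel but rejects tunnel setup from the peer.
crypto map outside_map 10 set connection-type originate-only
crypto map outside_map interface outside
crypto isakmp enable outside
!
tunnel-group 203.0.113.1 type ipsec-l2l
!
! Verify the connection type took effect on the entry.
show running-config crypto map
```

Two points to keep in mind when you rely on this. First, originate-only only controls who may bring the security associations up; once they exist, packets in both directions that match the crypto ACL are carried, so this does not by itself restrict what the partner can send while the tunnel is up. Second, if the tunnel idles out or is cleared, only traffic from your side can re-establish it, so the partner cannot "wake" it, which is exactly the intended behaviour here but can look like an outage from their end.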

acomiskey Fri, 08/31/2007 - 06:14

You could also set your connection type to originate-only and theirs to answer-only.

"Any idea on how to make the tunnel one way and also protect us better once the tunnel is up?"

-Yes, remove your sysopt connection permit-vpn command. This means you have to write all ipsec traffic you want allowed in your outside acl. The other traffic from the other party will be denied.

DANIEL WANG Fri, 08/31/2007 - 08:18

Wonderful! I gave you a rating of 5.

So the only hassle I now potentially have is to add a whole bunch of outside ACL entries if I have a few more other VPN tunnels. I guess there is no way around it other than applying the sysopt command to the entire system.

acomiskey Fri, 08/31/2007 - 08:22

Thanks for the rating. Although I don't see it.

There is another option. Take a look at the vpn-filter command. This would be a separate acl which would be applied directly to the tunnel-group policy and would allow you to run the sysopt command for your other vpns.
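The two post-establishment filtering options discussed in this thread (removing sysopt connection permit-vpn and using the outside ACL, versus keeping sysopt and applying a vpn-filter to just this tunnel) side by side, as an added example that is not configuration from the thread or from Cisco. Same constructed addresses and names as before (10.1.1.0/24 ours, 192.0.2.0/24 the partner's web servers, 203.0.113.1 their ASA); ASA 7.2/8.0 syntax is assumed.

```cisco
! Added example: filtering partner traffic after the tunnel is up.
! Only one of the two options is normally used for a given tunnel.
!
! ---- Option A: no sysopt, filter with the outside interface ACL ----
! Decrypted packets are now checked against the outside ACL like any
! other inbound traffic. The ASA is stateful, so replies to connections
! our hosts opened (10.1.1.0/24 -> 192.0.2.0/24:443) need no entry;
! only connections the partner tries to open from their side do.
no sysopt connection permit-vpn
! Deny and log anything the partner initiates through the tunnel.
access-list outside_in extended deny ip 192.0.2.0 255.255.255.0 10.1.1.0 255.255.255.0 log
access-group outside_in in interface outside
!
! ---- Option B: keep sysopt for other tunnels, vpn-filter this one ----
! A vpn-filter ACL is written with the REMOTE side as the source and the
! local side as the destination; the ASA swaps the addresses when it
! checks our outbound packets. Permitting only "from the partner's port 443
! to our subnet" therefore allows replies to our HTTPS sessions and denies
! any connection the partner tries to start (ephemeral source ports).
sysopt connection permit-vpn
access-list partner_vpn_filter extended permit tcp 192.0.2.0 255.255.255.0 eq 443 10.1.1.0 255.255.255.0
access-list partner_vpn_filter extended deny ip any any log
!
group-policy PARTNER_GP internal
group-policy PARTNER_GP attributes
 vpn-filter value partner_vpn_filter
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy PARTNER_GP
!
! Confirm the filter is attached to the active session.
show vpn-sessiondb detail l2l
```

The deny entries with "log" are what make either option useful operationally: a hit on them is the signal that the partner side is attempting connections it should not, and it is worth alerting on rather than silently dropping.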

DANIEL WANG Fri, 08/31/2007 - 09:03

Sorry, I got distracted.

Time for me to plunge in and learn more about vpn.

Thanks a bunch!

