08-31-2007 06:09 AM - edited 02-21-2020 03:14 PM
This may be a dumb question, since VPN is for communications between trusted parties and most people would try to fix a one-way tunnel.
But I am interested in turning a regular tunnel into a one-way one, i.e., only traffic from my side can initiate the tunnel.
We recently built this tunnel between our ASA5510 and our biz partner's ASA5510 in order to run critical apps on their non-Internet-facing web servers. I want to tie it down so that they can't initiate the VPN. I have the crypto ACL set to limit to a port address so they can only come to us from that port once the tunnel is established. We also have a personal firewall installed on each host.
Any idea on how to make the tunnel one way and also protect us better once the tunnel is up?
09-01-2007 04:06 AM
Hi,
You can use the following command:
crypto map map-name seq-num set connection-type {answer-only | originate-only | bidirectional}
This command defines whether the tunnel is originate-only or answer-only. If you set the tunnel on your side to originate-only, the ASA will never accept tunnel setup from your business partner. However, you can still initiate the VPN tunnel setup.
Check out:
http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/c5.html#wp2152576
Although the reference is for ASA 8.0, I know it works for 7.2.x as well.
Hope this helps
Kind regards
Pieter-Jan
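As an added illustration of the command above (this is example configuration written for this page, not something posted in the thread), here is the relevant part of a site-to-site crypto map on each ASA, using 7.2/8.0-era syntax. The peer addresses, ACL and map names, networks, and the 443 application port are all assumed for the example. The connection-type knob only controls who is allowed to initiate IKE: once the SA is up, any traffic that matches the crypto ACL is encrypted in both directions, so it is not by itself a data-plane restriction.

```cisco
! ---- Site A: our ASA5510 (203.0.113.1). We may originate, we never answer.
! Crypto ACL: our user subnet to the partner's web server, HTTPS only.
! The partner's crypto ACL must be the exact mirror image of this one.
access-list PARTNER-VPN extended permit tcp 10.1.10.0 255.255.255.0 host 192.168.50.20 eq 443

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE_MAP 10 match address PARTNER-VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
! Refuse any IKE negotiation that the partner starts; we bring the tunnel up.
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP interface outside

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <long-random-psk>

! ---- Site B: the partner's ASA5510 (203.0.113.2). Answers only, never originates.
access-list SITEA-VPN extended permit tcp host 192.168.50.20 eq 443 10.1.10.0 255.255.255.0

crypto map OUTSIDE_MAP 10 match address SITEA-VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set connection-type answer-only
crypto map OUTSIDE_MAP interface outside

! ---- Checks on Site A after a client sends interesting traffic:
! show crypto isakmp sa          (the ISAKMP SA should show Role: initiator)
! show crypto ipsec sa peer 203.0.113.2
! show vpn-sessiondb l2l
```

Two practical consequences of originate-only: the tunnel stays down until a host on your side sends traffic that matches the crypto ACL, so an application that is only ever contacted from the partner side will never bring it up; and if you later upgrade to ASA 8.4 or newer, the transform-set and policy lines take the `ikev1` keyword (`crypto ipsec ikev1 transform-set`, `crypto ikev1 policy`) while the `set connection-type` line is unchanged.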
08-31-2007 06:14 AM
You could also set your connection type to originate-only and theirs to answer-only.
"Any idea on how to make the tunnel one way and also protect us better once the tunnel is up?"
-Yes, remove your sysopt connection permit-vpn command. This means you have to write all IPsec traffic you want allowed into your outside ACL. The other traffic from the other party will be denied.
08-31-2007 08:18 AM
Wonderful! I gave you a rating of 5.
So the only hassle I now potentially have is to add a whole bunch of outside ACL entries if I have a few more other VPN tunnels. I guess there is no way around it other than applying the sysopt command to the entire system.
08-31-2007 08:22 AM
Thanks for the rating. Although I don't see it.
There is another option. Take a look at the vpn-filter command. This would be a separate ACL which would be applied directly to the tunnel-group policy and would allow you to keep the sysopt command for your other VPNs.
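The two replies above describe two ways to restrict what the partner can send once the tunnel is up. The following is an added example of both, written for this page rather than taken from the thread; the names, addresses and the HTTPS port are assumptions carried over from a hypothetical site-to-site setup (our users on 10.1.10.0/24, the partner's web server 192.168.50.20 reachable only on tcp/443). The important detail with vpn-filter is that its ACL is written from the remote peer's point of view (source = partner network, destination = our network), and the ASA applies it to decrypted traffic leaving the tunnel and, with source and destination swapped, to traffic about to enter it, so one ACL governs both directions.

```cisco
! ---- Option 1: stop decrypted VPN traffic from bypassing the outside ACL.
! Affects every VPN terminating on this ASA, so every tunnel then needs
! explicit permits on the outside interface ACL.
no sysopt connection permit-vpn

! Return traffic for connections our users open to the partner's server is
! handled by the connection table, so nothing new from 192.168.50.0/24 needs
! to be permitted here; the existing deny at the end of the ACL drops any
! connection the partner tries to originate through the tunnel.
access-list OUTSIDE_IN extended deny ip 192.168.50.0 255.255.255.0 10.1.10.0 255.255.255.0 log
access-group OUTSIDE_IN in interface outside

! ---- Option 2 (preferred when other tunnels rely on sysopt): a vpn-filter
! bound to this partner's tunnel only. Other tunnels keep the sysopt bypass.
! Source is the REMOTE side (the partner), destination is OUR side.
access-list PARTNER_VPN_FILTER extended permit tcp host 192.168.50.20 eq 443 10.1.10.0 255.255.255.0
! Everything else through this tunnel is dropped by the implicit deny.

group-policy PARTNER_GP internal
group-policy PARTNER_GP attributes
 vpn-filter value PARTNER_VPN_FILTER

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy PARTNER_GP

! ---- Checks:
! show run group-policy PARTNER_GP
! show vpn-sessiondb detail l2l        (the session lists the filter name)
! show access-list PARTNER_VPN_FILTER  (hit counts confirm the ACE is being used)
```

With the filter in place, a host on the partner side that tries to open a new connection to 10.1.10.0/24 through the tunnel is dropped even though the crypto ACL would have carried it, while responses from the web server on port 443 still flow. Keep the crypto ACL, the vpn-filter and the host firewalls consistent with each other; the crypto ACL decides what is encrypted, the filter decides what is accepted after decryption.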
08-31-2007 09:03 AM
Sorry, I got distracted.
Time for me to plunge in and learn more about vpn.
Thanks a bunch!
09-04-2007 07:23 AM
Wonderful! Thanks for the command and the link!
Daniel