how to configure a one-way L2L IPSec tunnel

DANIEL WANG
Level 1

This may be a dumb question, since VPN is for communications between trusted parties and that most people would try to fix a one-way tunnel.

But I am interested in turning a regular tunnel into one-way only, i.e., only traffic on my side can initiate the tunnel.

We recently built this tunnel between our ASA5510 and our biz partner's ASA5510 in order to run critical apps on their non-Internet-facing web servers. I want to tie it down so that they can't initiate the VPN. I have the crypto ACL set to limit to a port address so they can only come to us from that port once the tunnel is established. We also have personal firewall installed on each host.

Any idea on how to make the tunnel one way and also protect us better once the tunnel is up?

Accepted Solution

nefkensp
Level 5

Hi,

You can use the following command:

crypto map map-name seq-num set connection-type {answer-only | originate-only | bidirectional}

This command defines whether the tunnel is originate-only or answer-only. If you set the tunnel on your side to originate-only, the ASA will never accept the tunnel setup from your business partner. However, you can still initiate the VPN tunnel setup.

Check out:

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/c5.html#wp2152576

Although the reference is for ASA 8.0, I know it works for 7.2.x as well.

Hope this helps

Kind regards

Pieter-Jan


6 Replies

acomiskey
Level 10

You could also set your connection type to originate-only and theirs to answer-only.

"Any idea on how to make the tunnel one way and also protect us better once the tunnel is up?"

-Yes, remove your sysopt connection permit-vpn command. This means you have to write all ipsec traffic you want allowed in your outside acl. The other traffic from the other party will be denied.

Wonderful! I gave you a rating of 5.

So the only hassle I now potentially have is to add a whole bunch of outside ACL entries if I have a few other VPN tunnels. I guess there is no way around it other than applying the sysopt command to the entire system.

Thanks for the rating. Although I don't see it.

There is another option. Take a look at the vpn-filter command. This would be a separate acl which would be applied directly to the tunnel-group policy and would allow you to run the sysopt command for your other vpns.

Sorry, I got distracted.

Time for me to plunge in and learn more about vpn.

Thanks a bunch!


Wonderful! Thanks for the command and the link!

Daniel
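Putting the three suggestions in this thread together (originate-only, vpn-filter, and the no-sysopt alternative), here is an added example of what the originating side's ASA configuration could look like; it is not configuration posted by anyone in the thread. Names, networks, the peer address and the pre-shared key are constructed placeholders, and it assumes the ISAKMP policy and the outside interface already exist.

```cisco
! Added example, not from any poster: originating-side ASA (8.0 syntax).
! Constructed values: local LAN 10.1.1.0/24, partner LAN 192.0.2.0/24,
! partner peer 203.0.113.10, partner web servers listening on TCP 443.
! Assumes an ISAKMP policy and the outside interface are already configured.

! Interesting traffic: local clients to the partner web servers on 443 only
access-list PARTNER_CRYPTO extended permit tcp 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0 eq 443

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto map OUTSIDE_MAP 10 match address PARTNER_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
! The one-way part: this ASA builds the tunnel but never answers the peer's IKE.
! The partner side should be set to answer-only to match.
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <REPLACE-WITH-PSK>

! Filtering after the tunnel is up, vpn-filter variant: this keeps
! "sysopt connection permit-vpn" in place for the other tunnels.
! vpn-filter ACEs are written remote -> local, so the partner's port 443 is
! the SOURCE port here; anything the partner initiates hits the implicit deny.
access-list PARTNER_VPN_FILTER extended permit tcp 192.0.2.0 255.255.255.0 eq 443 10.1.1.0 255.255.255.0
group-policy PARTNER_GP internal
group-policy PARTNER_GP attributes
 vpn-filter value PARTNER_VPN_FILTER
tunnel-group 203.0.113.10 general-attributes
 default-group-policy PARTNER_GP

! Alternative from the thread: drop the sysopt bypass so decrypted traffic is
! checked by the outside ACL like any other inbound packet (shown as comments
! because it replaces the vpn-filter approach above rather than adding to it).
! no sysopt connection permit-vpn
! access-list OUTSIDE_IN extended deny ip 192.0.2.0 255.255.255.0 10.1.1.0 255.255.255.0 log
! access-group OUTSIDE_IN in interface outside
```

After bringing the tunnel up from the inside, `show vpn-sessiondb l2l` confirms the session and `show access-list PARTNER_VPN_FILTER` shows which ACE the traffic is hitting.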
