VPN L2L Tunnel - in one direction only.

Aug 9th, 2008

Hi All,

I am currently using a Cisco VPN Concentrator 3060. Recently I have got a requirement. I have to configure an L2L tunnel where we will only push/pull data from our side to their FTP server, but they will not be able to push/pull from our server.

For this requirement I have configured the tunnel with a custom filter. In that filter I have changed the inbound rules:

--> For outbound Rules everything is allowed from us to remote.

--> For inbound rules I have allowed FTP based on port and allowed ICMP, based on [TCP Connection] Established Only. I have only allowed TCP established connections in the inbound direction.

Can anybody tell me whether that will ensure my requirement?

If anybody has any other suggestion, please let me know.



Marwan ALshawi Sun, 08/10/2008 - 01:10

The simplest way is to remove the interesting traffic from the remote site, if you have access to the remote site VPN concentrator.

The interesting traffic in the concentrator is the traffic included in the Local and Remote Networks:

Configuration > Policy Management > Traffic Management > Network Lists

Just don't include your local network in the remote concentrator as a remote network.

In this case it won't start, but only accept.

Hope this is helpful.

Please rate if helpful.

Farrukh Haroon Sun, 08/10/2008 - 21:52

Actually I don't think you can do this by changing the crypto ACLs. They need to mirror each other (a few exceptions exist). The approach you are adopting using the filter seems more appropriate and 'scalable' if future changes are required. Just make sure you allow both the FTP control and data channels through the VPN Conc. It has no inspections like the ASA.

This will depend on whether you are using ACTIVE or PASV mode. You can also control which clients can be served by an FTP server in the FTP server's admin interface (to further secure things).



AdnanShahid Wed, 08/13/2008 - 03:53

Thanks to both of you.

Yes Farrukh, I was actually thinking your way too.

In the case of the VPNC (3060), to put the traffic only in one direction we have to rely on the FILTER (and specially the TCP_CONNECTION parameter). This parameter actually works like the ESTABLISHED command in the router (checking the TCP SYN, etc.).

Hope you don't disagree with me in this regard. Thanks to both of you again.



Farrukh Haroon Wed, 08/13/2008 - 04:00

Yes, something like that. This means it's susceptible to spoofing and is not as secure as a regular stateful firewall.
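The point made in the last two replies, that a "TCP Connection Established Only" rule is a per-packet check on the ACK/RST bits (like the router `established` keyword) rather than real connection tracking, can be seen by running both kinds of filter over the same packets. The script below is an added illustration for this thread, not Cisco code and not a model of the 3060's internals; the addresses, ports and packet traces are constructed, and the stateful model is a minimal flow table rather than any vendor's implementation. It walks an FTP control session plus the data channel in PASV and ACTIVE mode through both filters, then feeds in a single inbound packet with the ACK bit set that belongs to no connection the local side opened, which is the spoofing case the thread refers to.

```python
"""Stateless 'TCP established' inbound filter versus a stateful flow table,
evaluated over constructed FTP traffic. Added example for this thread; not
Cisco code, and the stateful model is deliberately minimal."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "out": local -> remote, "in": remote -> local
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "RST", "FIN"}


# Constructed addresses from documentation ranges; not real hosts.
LOCAL = "192.0.2.10"
REMOTE_FTP = "198.51.100.5"


def pkt(direction: str, src: str, sport: int, dst: str, dport: int, *flags: str) -> Packet:
    return Packet(direction, src, sport, dst, dport, frozenset(flags))


def stateless_inbound_allowed(p: Packet) -> bool:
    """The filter described in the thread: outbound everything; inbound FTP by
    port (source port 20 for active-mode data) plus 'TCP established only'.
    The 'established' test is per packet (ACK or RST bit set), as with the
    router 'established' keyword. Nothing records who opened the connection."""
    if p.direction == "out":
        return True
    if p.sport == 20:
        return True
    return bool(p.flags & {"ACK", "RST"})


class StatefulFilter:
    """Keeps a table of flows opened from the local side; an inbound packet
    must belong to one of them, or be the explicitly permitted active-mode
    data SYN from port 20. This is the behaviour of a stateful firewall."""

    def __init__(self) -> None:
        self.flows = set()   # (local_ip, local_port, remote_ip, remote_port)

    def allowed(self, p: Packet) -> bool:
        if p.direction == "out":
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.flows:
            return True
        if p.sport == 20 and p.flags == frozenset({"SYN"}):
            self.flows.add(key)   # active-mode data channel, permitted by rule
            return True
        return False


def evaluate(trace: List[Packet]) -> List[Tuple[bool, bool]]:
    """Return (stateless_verdict, stateful_verdict) for each packet, in order."""
    stateful = StatefulFilter()
    return [(stateless_inbound_allowed(p), stateful.allowed(p)) for p in trace]


def all_allowed(verdicts: List[Tuple[bool, bool]], which: int) -> bool:
    """True if every packet passed filter 'which' (0 = stateless, 1 = stateful)."""
    return all(v[which] for v in verdicts)


# Constructed traces: control channel, then the data channel for each FTP mode.
CONTROL = [
    pkt("out", LOCAL, 40000, REMOTE_FTP, 21, "SYN"),
    pkt("in", REMOTE_FTP, 21, LOCAL, 40000, "SYN", "ACK"),
    pkt("out", LOCAL, 40000, REMOTE_FTP, 21, "ACK"),
]
PASSIVE_DATA = [  # PASV: the client opens the data connection to the server's port
    pkt("out", LOCAL, 40001, REMOTE_FTP, 50000, "SYN"),
    pkt("in", REMOTE_FTP, 50000, LOCAL, 40001, "SYN", "ACK"),
    pkt("out", LOCAL, 40001, REMOTE_FTP, 50000, "ACK"),
]
ACTIVE_DATA = [   # ACTIVE: the server opens the data connection from port 20
    pkt("in", REMOTE_FTP, 20, LOCAL, 40002, "SYN"),
    pkt("out", LOCAL, 40002, REMOTE_FTP, 20, "SYN", "ACK"),
    pkt("in", REMOTE_FTP, 20, LOCAL, 40002, "ACK"),
]
# An inbound packet with ACK set that matches no locally opened connection:
# the per-packet flag check passes it, the flow table does not.
UNSOLICITED_ACK = [pkt("in", REMOTE_FTP, 4444, LOCAL, 22, "ACK")]

if __name__ == "__main__":
    for name, trace in [("passive FTP", CONTROL + PASSIVE_DATA),
                        ("active FTP", CONTROL + ACTIVE_DATA),
                        ("unsolicited ACK", UNSOLICITED_ACK)]:
        v = evaluate(trace)
        print(f"{name:16s} stateless={all_allowed(v, 0)} stateful={all_allowed(v, 1)}")
```

Both FTP modes pass both filters once the port-20 rule is present, which is why the earlier reply insists on allowing the data channel as well as the control channel. The difference shows up only on the last trace: the stateless rule accepts any inbound segment that merely carries the ACK bit, so the remaining defence is to keep the inbound rule as narrow as the requirement allows (the remote FTP server's address and ports rather than the whole remote network) and to restrict served clients on the FTP server itself, as suggested above.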



