Setup OneWay VPN Tunnel

mloraditch
Level 7

All, we are an MSP and we have VPN tunnels to most of our clients' networks. These are set up in one of several ways: ASA to ASA, ASA to PIX, ASA to Concentrator or Concentrator to PIX, Concentrator to Concentrator, Concentrator to ASA.

Right now all of these tunnels allow for 2-way communications. We would like to change that to allow us to access our clients but not allow our clients to access us. I've seen a number of posts of people wanting to undo this, so I'm hoping someone knows how to do it. Ideally I'd like to just do this on our end in our ASA and Concentrator so I don't have to modify upwards of 60 client firewalls, but if I have to do it on every one, so be it.

Thanks in advance!!


Danilo Dy
VIP Alumni

In your firewall:

- allow outgoing connections triggered in your LAN (specific ports of course).

- block incoming connections triggered from the remote LAN.

Nothing much in VPN, since the general rule for VPN to work is that they should be symmetric.

jdive
Cisco Employee

The answer depends on which box you have at hand:

- concentrator:

-> this is the hard bit: there is no stateful firewall in here, so you will have to play around with traffic filters on the interface, ACL style.

- ASA:

-> by default the VPN-protected traffic is allowed through the ASA

-> This can be changed using "no sysopt connection permit-vpn", then configuring what is allowed and what is not via the regular interface ACLs.

J.
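As an added illustration of the ASA approach described in the two replies above (this configuration is not from the thread or from Cisco documentation), the following fragment turns off the VPN ACL bypass and then relies on the outside interface ACL plus the ASA's stateful connection table so that only sessions opened from the MSP side cross the tunnel. The addresses (MSP LAN 10.1.0.0/16, client LAN 192.168.50.0/24), the interface name "outside" and the ACL names are assumptions chosen for the example.

```cisco
! Added example, not the thread's own configuration. Assumed values:
!   MSP (our) LAN          = 10.1.0.0/16, behind the "inside" interface
!   client LAN             = 192.168.50.0/24, at the far end of the tunnel
!   outside interface name = "outside"
!
! 1. Decrypted VPN traffic no longer bypasses the interface ACLs.
no sysopt connection permit-vpn
!
! 2. Outside interface ACL: this is what the client LAN may send to us
!    after decryption. Nothing from the client LAN into the MSP LAN is
!    permitted, so client-initiated sessions are dropped (and logged).
!    Replies to sessions we opened from inside are allowed by the stateful
!    connection table, so they never need a permit line here.
!    Keep any existing permit lines for public-facing services above
!    the final deny.
access-list OUTSIDE_IN extended deny ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0 log
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! 3. The crypto (interesting-traffic) ACL is NOT changed: it must stay
!    symmetric with the far end's definition or the SA will not negotiate.
!    Direction control lives in the interface ACL above, not here.
access-list CLIENT_VPN extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
```

To check the result before touching any client device, the ASA's built-in simulator can be used from the MSP side: `packet-tracer input outside tcp 192.168.50.10 12345 10.1.0.5 445` should report a drop at the ACCESS-LIST phase, while a session started from 10.1.0.5 towards 192.168.50.10 should still build a connection visible in `show conn`. On a 3000-series Concentrator there is no connection table, so an equivalent inbound filter would have to permit the return ports explicitly, which is the "hard bit" jdive refers to.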