Allow one-way traffic over VPN L2L tunnel

Oct 22nd, 2008

Problem Details: Hi, we have one of our web servers compromised. The server is located at the ISP remote site. The remote site is connected to our main office with a VPN tunnel. Here is a brief network diagram:

RBA network (

In order to provide our main network we disabled the VPN tunnel between the two sites. We have to reconfigure the VPN tunnel and achieve the following:

1. The VPN tunnel should protect traffic between the RBA and ISP sites;
2. traffic initiated from RBA to ISP must be allowed;
3. all traffic (except for backup) initiated from ISP to RBA must be disabled, so that if the web server gets compromised in the future, the RBA network is protected;
4. the web servers at the ISP are self-contained and do not need access to the RBA network. The only type of access is when a backup is performed, so that type of traffic should be allowed.

Please provide assistance with the VPN.



acomiskey Wed, 10/22/2008 - 10:20

This is how I would do it...configure the vpn as normal but add the following to the ISP-ASA.


no sysopt connection permit-vpn

access-list outside_access_in extended permit ip

access-group outside_access_in in interface outside

access-list inside_access_in extended permit (allow backup traffic here from 10.5.0.x to 192.168.182.x)

access-list inside_access_in extended deny ip

access-list inside_access_in extended permit ip any any

access-group inside_access_in in interface inside

Dragan Milojevic Wed, 10/22/2008 - 10:30

Thanks for the prompt response.

Would it be possible to set up at the ISP side: crypto map outside_map 1 set connection-type answer-only

and on the main office side: crypto map outside_map 1 set connection-type originate-only

and achieve the same result?

acomiskey Wed, 10/22/2008 - 10:36

Doing that would only prevent the ISP side from bringing up the VPN. Once the VPN was established by the RBA end, it would not prevent the ISP side from initiating traffic over the tunnel.

Dragan Milojevic Wed, 10/22/2008 - 10:42

The following ports will have to be opened for backup and management from the ISP:

80, 22, 5432, 8080

Not quite sure how to set up the access-list commands. Would you be so kind as to enter one line for me?

access-list no_nat0 extended permit ip

acomiskey Wed, 10/22/2008 - 10:45

access-list inside_access_in extended permit tcp eq 80

access-list inside_access_in extended permit tcp eq 22

access-list inside_access_in extended permit tcp eq 5432

access-list inside_access_in extended permit tcp eq 8080

or you could be even more specific if you identified the exact ip addresses which were being backed up and to where.

access-list inside_access_in extended permit tcp host 10.5.0.x host 192.168.0.x eq 80
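A fuller version of the two-sided ACL approach from this thread, written out as an added example rather than acomiskey's or the poster's actual configuration. It assumes pre-8.3 ASA syntax, that the ISP-ASA's inside network (the web servers) is 10.5.0.0/24, that the RBA main office network is 192.168.182.0/24, and the four backup/management ports listed above.

```cisco
! Added example for the ISP-site ASA (pre-8.3 syntax). Assumed addressing:
!   web servers (ISP inside)  10.5.0.0/24
!   RBA main office network   192.168.182.0/24
!
! Stop the VPN from bypassing interface ACLs; decrypted traffic is then
! checked like any other traffic arriving on the outside interface.
no sysopt connection permit-vpn

! Outside interface: RBA-initiated sessions toward the web servers are
! allowed in full. The ASA is stateful, so the replies to these sessions
! are permitted automatically and are not affected by the inside ACL below.
! Any inbound rules the public web servers need from the Internet (assumed,
! not stated in the thread) would also go in this list.
access-list outside_access_in extended permit ip 192.168.182.0 255.255.255.0 10.5.0.0 255.255.255.0
access-group outside_access_in in interface outside

! Inside interface: order matters. Permit only the backup/management ports
! toward RBA, then deny (and log) everything else from the web servers
! toward RBA before the catch-all that lets them reach the Internet.
access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.182.0 255.255.255.0 eq 80
access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.182.0 255.255.255.0 eq 22
access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.182.0 255.255.255.0 eq 5432
access-list inside_access_in extended permit tcp 10.5.0.0 255.255.255.0 192.168.182.0 255.255.255.0 eq 8080
access-list inside_access_in extended deny ip 10.5.0.0 255.255.255.0 192.168.182.0 255.255.255.0 log
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

! NAT exemption for the tunnel (the no_nat0 list mentioned earlier in the
! thread) still has to cover the site-to-site traffic.
access-list no_nat0 extended permit ip 10.5.0.0 255.255.255.0 192.168.182.0 255.255.255.0
nat (inside) 0 access-list no_nat0

! Verify after a backup run: hit counts should grow only on the permit
! lines you expect, and the logged deny line shows anything else the web
! servers tried to reach inside RBA.
show access-list inside_access_in
```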


cisco24x7 Wed, 10/22/2008 - 11:22

You have a very poor design. You should have designed your VPN in such a way that your VPN device is placed between firewalls. That way, after the traffic has been decrypted, the firewall will take over the inspection. That way, you do not have to worry about this.

My 2c.

Dragan Milojevic Wed, 10/22/2008 - 11:23

Thanks for your input, but it did not quite help.

The VPN device is an ASA 5510, capable of performing VPN tunnelling and protecting the network.

acomiskey Wed, 10/22/2008 - 11:38

His VPN device is a firewall, so what advantage is there to using 2 devices instead of 1?

Dragan Milojevic Wed, 10/22/2008 - 14:11

I configured an ACL on the inside interface facing the ISP allowing only certain types of traffic to pass. Looks like the problem is solved.

Thanks for all your help.

