04-30-2009 07:17 AM
Is it possible to set up a PIX to PIX VPN with the VPN being initiated in one direction only?
04-30-2009 08:29 AM
Depends on the version of code.
There is a connection type originate-only and connection type answer-only in some versions.
See this link:
http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_one_way_VPN_tunnel_on_the_PIX/ASA
04-30-2009 11:08 AM
I used the "originate-only" and it works just fine. But recently I have implemented another setup where, instead of exposing the segments of interest on the inside to the other side, I PAT to a private network, thereby hiding the segments from the other side. So not only can they not send any traffic, but they also have no visibility into, or exposure of, my internal network.
Not sure if that concept can be applied to a "two way" tunnel, but rather only to a tunnel where traffic is one way.
Here's what I mean:
interesting traffic --> PAT (private IP) --> cryptomap & nonats of the PAT'd address --> Internet --> other side of the tunnel.
So again, the other side of the tunnel does not know anything about the interesting traffic.
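The setup described in the post above, written out as an added configuration example (this is not the poster's own config, and the thread does not show one). It assumes pre-8.3 ASA/PIX 7.x NAT syntax, an inside segment of 192.168.10.0/24, a remote network of 172.16.50.0/24, a peer at 203.0.113.2, and 10.200.0.1 as the private PAT address; all of these addresses and names are made up for illustration. Policy PAT translates the real inside hosts to 10.200.0.1 before the crypto map is evaluated (the ASA applies NAT before encryption on the outbound path), so the crypto ACL matches the translated address and the remote peer only ever learns a single private host as the local proxy identity. The `originate-only` connection type on the same crypto map entry is what the earlier reply refers to: this side will initiate IKE but will not answer the peer's negotiation attempts.

```cisco
! --- Policy PAT: hide the real inside segment behind one private address ---
! Only traffic from the inside segment toward the remote network is translated.
access-list INSIDE_TO_REMOTE extended permit ip 192.168.10.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 2 access-list INSIDE_TO_REMOTE
! A single-address global pool is PAT; 10.200.0.1 is the only address the peer sees.
global (outside) 2 10.200.0.1

! --- Interesting traffic for the tunnel, written in terms of the PAT'd address ---
! The remote side mirrors this as: permit ip 172.16.50.0/24 host 10.200.0.1
access-list VPN_INTERESTING extended permit ip host 10.200.0.1 172.16.50.0 255.255.255.0

! --- Phase 1 (assumed parameters) ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <shared-secret>

! --- Phase 2 and crypto map ---
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_INTERESTING
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
! One-way tunnel: this ASA initiates IKE but never responds to the peer's proposals.
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP interface outside
```

Two things to check after applying it: `show xlate` should show 192.168.10.x hosts translated to 10.200.0.1 once they send traffic, and `show crypto ipsec sa` should list `local ident (10.200.0.1/255.255.255.255/0/0)` rather than the real inside subnet. Because the PAT xlate only exists for sessions the inside initiated, a packet from the remote network to 10.200.0.1 has no translation to follow back to a real host, which is the "no visibility" property the post describes; on an 8.3 or later ASA the same idea is expressed with object-based NAT and a dynamic PAT rule, but the principle of matching the crypto ACL on the translated address is unchanged.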