
New Member

How to allow connections in one direction over IPSEC tunnel

Hi

I have a customer who wants to connect 4 locations with IPSEC tunnels in a full mesh using ASA 5505's. The catch is that hosts in locations A, B and C are trusted but location D is a partner location so the hosts are not fully trusted. The customer would like hosts in A, B, or C to be able to initiate connections to any host in location D but not allow hosts in location D to initiate connections to anyone in locations A, B or C.

These are all small sites so the ASAs will be the only devices available.

Does anyone have suggestions how I can accomplish this?

Thanks

3 REPLIES
Hall of Fame Super Blue

Re: How to allow connections in one direction over IPSEC tunnel

Hi

Do you have control over the site D VPN device? If so, just create an access-list denying traffic from D to A, B or C and apply it on the inside interface of the site D device.

If you don't, you could apply access-lists in an outbound direction on the A, B & C ASA devices denying site D traffic.

HTH

Jon

New Member

Re: How to allow connections in one direction over IPSEC tunnel

Thanks for the reply.

I do have control over site D.

Will that still allow the return traffic for connections initiated from sites A, B and C through?

Hall of Fame Super Blue

Re: How to allow connections in one direction over IPSEC tunnel

Hi

Yes it will, because the ASA is a stateful firewall. So traffic initiated from site D will be dropped. Traffic returning from site D in response to a connection initiated from one of the other sites will still work.

HTH

Jon
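As an added illustration of both approaches Jon describes (not configuration from the thread), here is ASA CLI for each option. The site subnets (10.1.0.0/24 for A, 10.2.0.0/24 for B, 10.3.0.0/24 for C, 10.4.0.0/24 for D) and the interface name `inside` are assumptions; substitute the real ones. Option 1 goes on the site D ASA when you control it; option 2 goes on each of the A, B and C ASAs when you do not.

```cisco
! Constructed addressing, not from the thread: adjust to the real site subnets.
! Site A 10.1.0.0/24, Site B 10.2.0.0/24, Site C 10.3.0.0/24, Site D (partner) 10.4.0.0/24

! ---------- Option 1: configured on the site D ASA (you control site D) ----------
! Block site D hosts from starting sessions toward the trusted sites as the
! packets enter the inside interface. Everything else from D (Internet, etc.)
! is still allowed by the final permit.
object-group network TRUSTED_SITES
 network-object 10.1.0.0 255.255.255.0
 network-object 10.2.0.0 255.255.255.0
 network-object 10.3.0.0 255.255.255.0
!
access-list INSIDE_IN extended deny ip 10.4.0.0 255.255.255.0 object-group TRUSTED_SITES log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

! ---------- Option 2: configured on each of the A, B and C ASAs (no control over D) ----------
! Shown here for site A; repeat on B and C with their own LAN subnet.
! Decrypted tunnel traffic from site D is dropped as it tries to leave the
! inside interface toward site A's hosts. Sessions that site A hosts opened
! toward D are already in the connection table, so their return packets are
! matched by the stateful inspection and never evaluated against this ACL.
access-list INSIDE_OUT extended deny ip 10.4.0.0 255.255.255.0 10.1.0.0 255.255.255.0 log
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT out interface inside
```

Two practical notes. First, the ACLs sit on the inside interface rather than the outside one because, with the default `sysopt connection permit-vpn`, decrypted VPN traffic bypasses the outside interface access-list entirely; filtering there would have no effect. Second, the stateful return-traffic behaviour Jon describes applies to TCP and UDP by default, but ICMP replies are only tracked if `inspect icmp` is enabled in the global policy, so test pings from A to D will fail until that is added. The `log` keyword on the deny entries gives a syslog record of every blocked attempt from site D, which is useful evidence that the partner restriction is actually working.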
