Cisco Support Community
New Member

how to configure a one-way L2L IPSec tunnel

This may be a dumb question, since VPN is for communications between trusted parties and most people would try to fix a one-way tunnel.

But I am interested in turning a regular tunnel into one-way only, i.e., only traffic on my side can initiate the tunnel.

We recently built this tunnel between our ASA5510 and our biz partner's ASA5510 in order to run critical apps on their non-Internet-facing web servers. I want to tie it down so that they can't initiate the VPN. I have the crypto ACL set to limit to a port address so they can only come to us from that port once the tunnel is established. We also have personal firewall installed on each host.

Any idea on how to make the tunnel one way and also protect us better once the tunnel is up?

1 ACCEPTED SOLUTION
New Member

Re: how to configure a one-way L2L IPSec tunnel

Hi,

You can use the following command:

crypto map map-name seq-num set connection-type {answer-only | originate-only | bidirectional}

This command defines whether the tunnel is originate-only or answer-only. If you set the tunnel on your side to originate-only, the ASA will never accept the tunnel setup from your business partner. However, you can still initiate the VPN tunnel setup.

Check out:

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/c5.html#wp2152576

Although the reference is for ASA 8.0, I know it works for 7.2.x as well.

Hope this helps

Kind regards

Pieter-Jan
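As an added example that is not part of the accepted answer, here is the originate-only setting placed in a minimal IKEv1 LAN-to-LAN configuration for the ASA described in the question, with the mirrored entry for the partner's side set to answer-only as the first reply below suggests. The addresses, object names, the port-restricted crypto ACL and the pre-shared key placeholder are all constructed for illustration.

```cisco
! Added example, not from the thread. Constructed values:
!   our outside interface 203.0.113.10, partner peer 198.51.100.20
!   our hosts 10.1.1.0/24, partner web servers 10.2.2.0/24, reachable on TCP/443 only
!
! Crypto ACL: only our hosts talking to the partner's servers on 443 counts as
! interesting traffic. The partner's crypto ACL must be the exact mirror.
access-list L2L_PARTNER extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 443

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE_MAP 10 match address L2L_PARTNER
crypto map OUTSIDE_MAP 10 set peer 198.51.100.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
! The one-way part: this ASA only ever initiates IKE to the peer and does not
! answer an IKE exchange the peer starts.
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP interface outside

tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key <shared-secret-placeholder>

! ---- Partner's ASA, the matching entry (their side) ----
access-list L2L_CUSTOMER extended permit tcp 10.2.2.0 255.255.255.0 eq 443 10.1.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_CUSTOMER
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set connection-type answer-only
crypto map OUTSIDE_MAP interface outside
```

Two practical consequences follow from making our side originate-only. First, the tunnel only comes up when a host on our side sends traffic matching L2L_PARTNER, so after an SA lifetime expires the partner's servers cannot bring it back by themselves; that is the intended effect, but it is worth telling the partner. Second, the check is simple: have the partner try to initiate, then look at `show crypto isakmp sa` and `show crypto ipsec sa` on our ASA, which should show no SA with that peer until a connection to port 443 from our side triggers one.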

6 REPLIES
Green

Re: how to configure a one-way L2L IPSec tunnel

You could also set your connection type to originate-only and theirs to answer-only.

"Any idea on how to make the tunnel one way and also protect us better once the tunnel is up?"

-Yes, remove your sysopt connection permit-vpn command. This means you have to write all IPsec traffic you want allowed in your outside ACL. The other traffic from the other party will be denied.

New Member

Re: how to configure a one-way L2L IPSec tunnel

Wonderful! I gave you a rating of 5.

So the only hassle I now potentially have is to add a whole bunch of outside ACL entries, if I have a few more other VPN tunnels. I guess there is no way around it other than applying the sysopt command to the entire system.

Green

Re: how to configure a one-way L2L IPSec tunnel

Thanks for the rating. Although I don't see it.

There is another option. Take a look at the vpn-filter command. This would be a separate ACL which would be applied directly to the tunnel-group policy and would allow you to run the sysopt command for your other VPNs.
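Putting the two suggestions in this thread side by side, as an added example that is not from any of the posts: Option A drops sysopt connection permit-vpn and relies on the outside interface ACL, Option B keeps it for the other tunnels and attaches a vpn-filter to the partner tunnel's group policy only. The addresses (our hosts 10.1.1.0/24, partner servers 10.2.2.0/24 on TCP/443, peer 198.51.100.20), the ACL and group-policy names, and the hypothetical second branch-office tunnel for 10.3.3.0/24 that genuinely needs inbound access are all constructed. Pick one option; the two are alternatives, not a combined configuration.

```cisco
! Added example, not from the thread. Constructed addresses: our hosts 10.1.1.0/24,
! partner servers 10.2.2.0/24 (TCP/443 only), partner peer 198.51.100.20, and a
! hypothetical branch-office tunnel for 10.3.3.0/24 that must reach our hosts.

! ---- Option A: no sysopt, decrypted traffic is checked by the outside ACL ----
! With permit-vpn off, a packet leaving any tunnel is matched against the ACL bound
! to the outside interface like any other inbound packet. Sessions our hosts open to
! the partner's :443 return through the stateful connection table, so the partner
! needs no ACE at all; only tunnels allowed to start connections into our network
! get one. The explicit deny with log makes partner-initiated attempts visible.
no sysopt connection permit-vpn

access-list OUTSIDE_IN extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list OUTSIDE_IN extended deny ip 10.2.2.0 255.255.255.0 any log
access-group OUTSIDE_IN in interface outside

! ---- Option B: keep sysopt for the other tunnels, filter only this one ----
! A vpn-filter ACL is written from the remote side's perspective (source = partner
! network, destination = ours); the ASA applies it to traffic in both directions,
! swapping the fields for packets going into the tunnel. This ACE lets our hosts
! reach their :443 and lets only that traffic come back. Do not reuse the same ACL
! as an interface access-group.
sysopt connection permit-vpn

access-list PARTNER_VPN_FILTER extended permit tcp 10.2.2.0 255.255.255.0 eq 443 10.1.1.0 255.255.255.0
access-list PARTNER_VPN_FILTER extended deny ip any any log

group-policy PARTNER_L2L internal
group-policy PARTNER_L2L attributes
 vpn-filter value PARTNER_VPN_FILTER

tunnel-group 198.51.100.20 general-attributes
 default-group-policy PARTNER_L2L
```

To confirm Option B took effect, `show run group-policy PARTNER_L2L` should list the filter and `show vpn-sessiondb detail l2l` should show it against the session with 198.51.100.20; a connection attempt from a partner server to anything other than the return path of our :443 sessions should then appear as a deny in the log. Either option also closes the gap the crypto ACL alone leaves open: a port-restricted crypto ACL decides what enters the tunnel, but once the tunnel is up it does not stop a partner host from sending packets with source port 443 to any host on our side.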

New Member

Re: how to configure a one-way L2L IPSec tunnel

Sorry, I got distracted.

Time for me to plunge in and learn more about vpn.

Thanks a bunch!


New Member

Re: how to configure a one-way L2L IPSec tunnel

Wonderful! Thanks for the command and the link!

Daniel
