Cisco Support Community
How to configure one way VPN tunnel on the PIX/ASA

Core issue

A PIX/ASA at the main site and a PIX/ASA at a remote site are configured for a LAN-to-LAN IPsec VPN. Only the main site should be able to initiate the tunnel; the remote site must never bring the VPN connection up on its own.

Resolution

In order to have the VPN tunnel initiated from one end only, configure the crypto map entry at the head end (main site) with the originate-only keyword and the crypto map entry at the remote end with the answer-only keyword, using the set connection-type command. These keywords only control which side starts IKE negotiation: the crypto ACLs must still be mirror images of each other and the transform sets must still match on both sides. On the answer-only side, traffic that matches the crypto ACL while no security association exists does not trigger IKE negotiation; it is dropped until the head end establishes the tunnel.

Refer to this crypto map configuration example for the main site:

crypto map outside_map 20 match address 102
crypto map outside_map 20 set peer 10.10.10.1
crypto map outside_map 20 set connection-type originate-only
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

For the remote site:

crypto map vpn_map 20 match address 101
crypto map vpn_map 20 set peer 10.10.20.20
crypto map vpn_map 20 set connection-type answer-only
crypto map vpn_map 20 set transform-set ESP-AES-256-SHA
crypto map vpn_map interface outside

Version history
Revision #: 1 of 1
Last update: 06-22-2009 04:38 PM