How to Configure One Way Site-to-Site VPN (ASA 5520)

paulwelc_2
Level 1

I have an ASA 5520 and want to set up an L2L VPN tunnel so I can send port 21 traffic to another company, but I do not want them to come back through the tunnel. I usually use the ASDM to set up site-to-site VPNs. Can I set up the L2L and edit the crypto map for the VPN and choose Originate only? If not, what is the best way to accomplish this? Thanks for the help!


bwallander
Level 1

Originate-only would help ensure that you're the only side who can technically bring up the tunnel; however, once the VPN is established, the other side will be able to send traffic to your side as well until it expires or is torn down.

I would suggest either using a vpn-filter in the group-policy or trying to disable the permit-ipsec sysopt and filter the traffic with an inbound ACL on the interface where your crypto map is applied (probably 'outside'). My concern with FTP, however, is knowing which ports to specifically open if passive FTP is used. Using the latter method may allow the ftp inspect to dynamically permit payload traffic, but I've never tried it in that scenario.
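The two approaches from the reply above, written out as an added ASA configuration example (not taken from either poster). Everything in it is assumed for illustration: local network 10.1.1.0/24, the partner's network 192.168.2.0/24, peer address 203.0.113.5, and the object names L2L-FILTER, L2L-PARTNER-GP, OUTSIDE_MAP and OUTSIDE_IN. The IKE policy, transform set and the crypto map's match/peer/transform lines are assumed to already exist from the ASDM wizard and are not repeated here.

```text
! --- Originate-only (what the question asks about) ---
! Only controls who may bring the tunnel up; it does not filter traffic once
! the SA exists, so it is combined with one of the two options below.
crypto map OUTSIDE_MAP 10 set connection-type originate-only

! --- Option A: vpn-filter in the group-policy ---
! vpn-filter ACLs are written from the remote peer's point of view:
! source = remote network, destination = local network. The ASA evaluates
! the same ACL with the fields swapped for traffic leaving the tunnel, so a
! single ACE covers the FTP control channel in both directions.
access-list L2L-FILTER extended permit tcp 192.168.2.0 255.255.255.0 eq 21 10.1.1.0 255.255.255.0
! everything else from the partner's network is dropped by the implicit deny

group-policy L2L-PARTNER-GP internal
group-policy L2L-PARTNER-GP attributes
 vpn-filter value L2L-FILTER

tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 general-attributes
 default-group-policy L2L-PARTNER-GP

! --- Option B: drop the sysopt and use the interface ACL instead ---
! With the sysopt removed, decrypted traffic from every tunnel terminating
! on 'outside' is checked against the interface ACL. Return traffic for
! sessions opened from 10.1.1.0/24 is still allowed by the connection table,
! so the partner network only needs an explicit deny for what it may initiate.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended deny ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
! ... existing OUTSIDE_IN entries for other inbound traffic follow ...
access-group OUTSIDE_IN in interface outside

! FTP inspection (enabled by default in global_policy) opens the data-channel
! pinholes for both active and passive transfers once the control session
! from 10.1.1.0/24 to port 21 is established.
policy-map global_policy
 class inspection_default
  inspect ftp
```

Two caveats worth checking before relying on either option. With Option A, the vpn-filter ACE keys on a source port of 21, so a host on the partner side could still open a connection to the local network as long as it uses TCP source port 21; if that matters, Option B is the tighter control because the interface ACL plus the connection table only let the partner's traffic through when a local host initiated the session. With Option B, the removed sysopt also applies to any remote-access VPN users or other L2L peers that terminate on the same interface, so their traffic must be permitted explicitly in OUTSIDE_IN before the change goes in, and `show conn` against a test FTP session from a local host will confirm that the inspect engine is opening the data-channel pinholes.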
