How to make VPN traffic unidirectional

praneethkatru
Level 1

We have two offices (Office A and Office B) running an L2L VPN setup between two ASAs. Office A has a DMZ hosting a few servers. Hosts inside Office A can access the servers but the servers cannot access inside hosts in Office A (as expected, traffic from a lower security level to a higher security level is blocked). But servers in the DMZ are able to access hosts in Office B over the VPN. How do we make the traffic between Office B inside hosts and the Office A DMZ unidirectional?

 

Office A  VPN    Office B

Inside <------> Inside

DMZ   <------- Inside

4 Replies

Bogdan Nita
VIP Alumni

You could simply configure an access-list on the DMZ interface dropping the packets to inside networks and allowing everything else.

 

Wouldn't it stop the communication between inside and DMZ completely?

 

We only want to stop DMZ servers' ability to initiate a connection.

The ASA is a stateful firewall, so it is aware of the established connections and will allow them.

Apologies for the delayed response...
I tried adding a deny statement to the remote site's inside interface in the 'in' direction and tried communicating to the server in DMZ at the local site. The communication failed.
When the ACL entry is removed, the communication is working fine.

Ideally, the communication should work when communication is initiated from remote site's inside interface but fail when a server in DMZ tries to initiate a connection.
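What the suggested approach looks like on the Office A ASA, as an added example that is not configuration from anyone in this thread. The addresses, object names and the interface name "dmz" are assumptions; the ACL is applied inbound on the DMZ interface, where it sees DMZ-originated packets before they reach the tunnel, while connections started from Office B are matched by the connection table and never hit this ACL on the way back.

```cisco
! Added example, not from the thread. Assumed addressing:
!   Office A inside 10.1.1.0/24, Office A DMZ 10.1.2.0/24, Office B inside 10.2.1.0/24
!   DMZ interface nameif "dmz"
object network OFFICE_A_INSIDE
 subnet 10.1.1.0 255.255.255.0
object network OFFICE_A_DMZ
 subnet 10.1.2.0 255.255.255.0
object network OFFICE_B_INSIDE
 subnet 10.2.1.0 255.255.255.0
!
! Inbound ACL on the DMZ interface: deny new flows the DMZ tries to start
! toward the Office B inside network (and the local inside network, since
! applying an ACL replaces the security-level default), then allow the rest.
! Return packets of connections that Office B hosts initiated are handled by
! the stateful connection table, so they are not evaluated against this ACL.
access-list DMZ_IN extended deny ip object OFFICE_A_DMZ object OFFICE_B_INSIDE log
access-list DMZ_IN extended deny ip object OFFICE_A_DMZ object OFFICE_A_INSIDE log
access-list DMZ_IN extended permit ip object OFFICE_A_DMZ any
access-group DMZ_IN in interface dmz
!
! Verification: a new flow from a DMZ server to an Office B host should be
! dropped at the ACL phase (assumed host addresses and ports).
packet-tracer input dmz tcp 10.1.2.10 12345 10.2.1.20 445
! Hit counters on the deny lines confirm the rule is matching DMZ-initiated traffic.
show access-list DMZ_IN
! A connection started from Office B toward the DMZ server should still appear here.
show conn address 10.1.2.10
```

The deny lines must precede the permit, because the ASA evaluates the ACL top down and stops at the first match.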