New Member

One way site to site

I have an ASA 5505. I will be setting up a site to site tonight with a company we are going to support. All I need to be able to do is RD into the servers. However, I do not want them to have access to our network. If I remember right, all I should have to do is set the VPN to one way. Is this correct? Will this cause any issues with transferring data or RD to the servers on the other side? Do I need to do anything with ACLs?


Accepted Solutions
Cisco Employee

One way site to site

Hey,

It is time to use the Cisco VPN filter.

access-list VPN-Filter permit tcp eq 3389

Now the only traffic that is allowed is the traffic from your side going to their side on the RDP port; they will not be able to access your side.

Config needed:

group-policy L2l internal

group-policy L2l attributes

vpn-filter value VPN-Filter

tunnel-group partner-ip-address general-attributes

default-group-policy L2l

For more info:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Good luck.

Mohammad.
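
The configuration from the answer above with the ACL's network arguments written out, as an added example that is not part of the original post. The three addresses are constructed for illustration; the names VPN-Filter and L2l are the ones used in the answer.

```cisco
! Constructed addresses (assumptions, not from the thread):
!   local network (our side)   10.1.1.0/24
!   remote network (partner)   192.168.50.0/24
!   partner peer address       203.0.113.10
!
! In a vpn-filter ACL the remote network is always written in the source
! position and the local network in the destination position, whichever
! side opens the connection. "eq 3389" after the remote network therefore
! refers to RDP servers on the partner side.
access-list VPN-Filter extended permit tcp 192.168.50.0 255.255.255.0 eq 3389 10.1.1.0 255.255.255.0
!
! Attach the filter to a group policy used only by this tunnel.
group-policy L2l internal
group-policy L2l attributes
 vpn-filter value VPN-Filter
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2l
!
! --- exec mode from here on ---
! The filter is picked up when the tunnel is established, so reset the
! tunnel to this peer after adding or changing the ACL.
clear crypto ipsec sa peer 203.0.113.10
!
! Verification: confirm the policy carries the filter, the session is
! using it, and the ACE hit count rises when an RDP session is opened.
show running-config group-policy L2l
show vpn-sessiondb detail l2l
show access-list VPN-Filter
```

The ACE matches on the partner-side port only, so it does not by itself reject partner traffic that uses 3389 as its source port. Narrowing the local side of the ACE to the specific hosts that need RDP limits what that can reach.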


New Member

Re: One way site to site

I read through the doc and am a little confused. Isn't there an option when you set up the VPN through the GUI to set up a one way? If not, can you explain a little more about how to do the filter? Instead of using access-list 103, can you use access-list company name?

Re: One way site to site

Hi Jim,

If you make site to site over NAT/PAT... the partner site entry to your LAN will get restricted.

Please do rate if the given information helps.

By

Karthik

New Member

Re: One way site to site

This site to site is being set up from external to external with the 2 interior protected LANs. There is no NAT. I set up the protected network on our side to one single computer. So the protected LAN on our side was the one server, and on their side I set up a grouping of 3 internal networks. (Turns out that they needed access to ports on one of my servers.) I am still trying to figure out how to set up just a one way connection through the GUI. It has been a while for me on ASAs, so be gentle; I am trying to remember all this. How do I set it up through NAT/PAT? I use the GUI to set up the L2L.
