One way VPN between 2 PIXs

pax_2111
Level 1

Assuming a simple IPSec VPN like this:

|LAN1|-----|PIX1|-------|PIX2|----|LAN2|

I was wondering whether the following is possible:

LAN1 computers will access LAN2 computers, but LAN2 computers will not be able to access LAN1 computers.

With routers, using the TCP established feature, it is possible to do this.

Can someone suggest a way of achieving this without placing a filtering device behind PIX1?

thanks

1 Reply

michelcaissie
Level 1

On PIX1 remove the line

sysopt connection permit-ipsec

This command allows IPsec traffic to bypass the access-list. So without it, you can block traffic initiated by LAN2 from reaching LAN1 on your outside interface.

access-list aclout deny ip [LAN2 subnet] [LAN1 subnet]

access-group aclout in interface outside

Be careful: if you have more than one VPN tunnel on PIX1, you will then have to permit the traffic for those other tunnels through this access-list.
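To make the answer above concrete, here is a PIX1 configuration fragment that applies it, including the multi-tunnel caveat. This is an added example written for this page, not configuration posted by either participant. Every address, subnet mask, ACL name and the second tunnel to a "PIX3" are assumptions chosen for illustration; the explicit permits for IKE (UDP 500) and ESP to the PIX's own outside address are also an assumption, since whether they are required once the sysopt is gone depends on the PIX release.

```cisco
! Added example (not from the original thread). Assumed topology:
!   PIX1 outside 203.0.113.1, LAN1 = 10.1.0.0/24 (inside PIX1)
!   PIX2 outside 203.0.113.2, LAN2 = 10.2.0.0/24 (must NOT initiate to LAN1)
!   PIX3 outside 203.0.113.3, LAN3 = 10.3.0.0/24 (second tunnel, must keep working)

! The key step from the answer: without this sysopt, traffic that was
! decrypted from a tunnel is checked against the outside interface ACL.
no sysopt connection permit-ipsec

! Crypto ACLs: what gets encrypted into each tunnel (bidirectional by nature)
access-list vpn-to-lan2 permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list vpn-to-lan3 permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0

! Outside interface ACL, evaluated top-down, implicit deny at the end.
! New connections from LAN2 toward LAN1 are dropped here; an explicit deny
! is used (rather than relying on the implicit one) so "show access-list"
! exposes a hit counter for it.
access-list aclout deny ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
! The caveat from the answer: the other tunnel's traffic must now be
! permitted explicitly, or LAN3 loses access to LAN1 as well.
access-list aclout permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0
! Assumption: on some releases IKE and ESP addressed to the PIX itself also
! need permits once the sysopt is removed. Harmless if not required.
access-list aclout permit udp host 203.0.113.2 host 203.0.113.1 eq 500
access-list aclout permit esp host 203.0.113.2 host 203.0.113.1
access-list aclout permit udp host 203.0.113.3 host 203.0.113.1 eq 500
access-list aclout permit esp host 203.0.113.3 host 203.0.113.1
access-group aclout in interface outside

! Identity NAT so LAN-to-LAN traffic is not translated before encryption
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! IKE phase 1 and IPsec phase 2 (pre-shared keys are placeholders)
isakmp enable outside
isakmp key REPLACE-ME-PIX2 address 203.0.113.2 netmask 255.255.255.255
isakmp key REPLACE-ME-PIX3 address 203.0.113.3 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set strong esp-aes esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-to-lan2
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address vpn-to-lan3
crypto map vpnmap 20 set peer 203.0.113.3
crypto map vpnmap 20 set transform-set strong
crypto map vpnmap interface outside
```

Why this stays one-way: the outside ACL is only consulted for packets that do not match an existing connection in the PIX's state table. A TCP or UDP session opened from LAN1 creates that entry on the way out, so its replies from LAN2 pass regardless of the `deny` line, while anything LAN2 tries to open on its own hits the `deny`. Two checks are worth running after the change: `show access-list aclout` should show the deny line's hit count climbing when a LAN2 host tries to connect into LAN1 and the LAN3 permit line's count climbing for the other tunnel, and `show crypto ipsec sa` should still show both security associations up. On older releases ICMP is not tracked statefully, so a ping from LAN1 into LAN2 would additionally need a permit for echo-reply from LAN2 to LAN1 in `aclout`.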