
New Member

One way VPN between 2 PIXs

Assuming a simple IPSec VPN like this:

|LAN1|-----|PIX1|-------|PIX2|----|LAN2|

I was wondering whether the following is possible:

LAN1 computers will access LAN2 computers, but LAN2 computers will not be able to access LAN1 computers.

With routers, using the TCP established feature, it is possible to do this.

Can someone suggest a way of achieving this without placing a filtering device behind PIX1?

thanx

1 REPLY
New Member

Re: One way VPN between 2 PIXs

On PIX1 remove the line

sysopt connection permit-ipsec

This command allows IPsec traffic to bypass the access-list. So without it you can block traffic initiated by LAN2 to reach LAN1 on your outside interface.

access-list aclout deny ip [LAN2 subnet] [LAN1 subnet]

access-group aclout in interface outside

Be careful, if you have more than 1 VPN tunnel with PIX1 you will then have to permit traffic for those other tunnels through this access-list.
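A concrete version of the configuration described in the reply, added here as an illustration and not taken from the post: it assumes PIX 6.x syntax, LAN1 = 10.1.0.0/16 behind PIX1, LAN2 = 10.2.0.0/16 behind PIX2, and a second, two-way tunnel to a LAN3 = 10.3.0.0/16 that has to keep working.

```cisco
! PIX1, assumed PIX 6.x syntax. Addresses are constructed for this example:
!   LAN1 10.1.0.0/16 (behind PIX1), LAN2 10.2.0.0/16 (behind PIX2),
!   LAN3 10.3.0.0/16 (behind a third PIX; two-way tunnel that must keep working)

! 1. Stop decrypted IPsec traffic from bypassing the outside interface ACL.
no sysopt connection permit-ipsec

! 2. Outside ACL, now evaluated against decrypted packets arriving from the tunnels.
!    First match wins, so the two-way tunnel is permitted explicitly first ...
access-list aclout permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
!    ... and anything LAN2 initiates toward LAN1 is denied (an explicit deny
!    rather than the implicit one so the intent is visible and can be logged).
access-list aclout deny ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
!    Everything not listed is dropped by the implicit deny at the end of the ACL,
!    so every additional tunnel needs its own permit line here.

! 3. Apply the ACL inbound on the outside interface.
access-group aclout in interface outside

! Connections LAN1 opens toward LAN2 still work: the PIX creates a stateful
! connection entry when the outbound packet leaves, and LAN2's replies match
! that entry rather than being checked against aclout. On PIX releases without
! ICMP inspection, echo replies are not tracked this way, so if LAN1 must ping
! LAN2 the echo-reply traffic needs its own permit line in aclout.
```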
