Cisco Support Community
New Member

Possible to assign security levels in VPN tunnel?

Currently, I have a PIX-2-ASA VPN tunnel working with no problems.

Here is my issue, I want to know if there is a way to configure one side of the tunnel as a "lower security" interface of sorts. I only want one side to be able to initiate traffic.

ACLs aren't helpful on at least one side as return traffic is generated on random ports. I only want one side to respond to initiated sessions, but not be able to start any session on its own.

Since the VPN tunnel terminates on the outside interface, the security level on either side is "0". So all traffic behind either side of the tunnel can initiate sessions.

Any ideas?

Thanks

Edit: One side is a PIX515E v6.3(5), other is ASA5510 v7.2(1)

Accepted Solutions
New Member

Re: Possible to assign security levels in VPN tunnel?

Hello,

On your ASA you can specify the following 3 connection types in your crypto map:

1. crypto map set connection-type originate-only

2. crypto map set connection-type answer-only

3. crypto map set connection-type bidirectional

This should allow you to control which end can initiate the tunnel.

Regards

Pradeep

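An added configuration sketch for the ASA 7.2 side (not taken from this thread or from the poster's setup), showing the accepted answer in context: the ASA's crypto map is set to answer-only, so only the PIX peer can bring the tunnel up. The map name, sequence number, peer address, subnets and transform set are placeholders.

```cisco
! Interesting traffic for the PIX-to-ASA tunnel (placeholder subnets:
! 10.1.1.0/24 behind the ASA, 192.168.1.0/24 behind the PIX).
access-list L2L_TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Static crypto map entry; 203.0.113.10 is a placeholder for the PIX outside address.
crypto map outside_map 10 match address L2L_TRAFFIC
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-3DES-SHA
! answer-only: this ASA never initiates IKE to the peer; it only responds.
! The PIX (6.3, which has no connection-type option) is the only side
! that can establish the tunnel.
crypto map outside_map 10 set connection-type answer-only
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <placeholder-psk>

! Note: connection-type governs tunnel establishment only. Once the SA is up,
! hosts on either side can open sessions through it, so restricting which side
! may start sessions still needs the ACL / NAT approach discussed below.
! Verify with: show crypto isakmp sa / show crypto ipsec sa
```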
3 REPLIES
New Member

Re: Possible to assign security levels in VPN tunnel?

Awesome!...That sounds exactly like what I'm looking for. I'm not familiar enough with ASA new features as it's the first one I've installed.

Another forum on another site suggested policy-NAT...such as NAT'ing all source IPs on local LAN to a single IP at the remote site, and only allowing the remote site to that single IP on the crypto-map. Close...but this seems much better as it allows the "security-level-like" behavior I want.

Thanks.

New Member

Re: Possible to assign security levels in VPN tunnel?

Update to my last response:

Actually, that turns out NOT to be what I am looking for. I was a little too hasty in accepting the answer. Maybe I wasn't clear in my question.

I was looking for a way to control sessions across the tunnel once established...not the establishment of the tunnel itself.

So it looks like the only way to do that is through destination NAT and ACLs.

On a side note....the "set connection-type" DID work as far as only allowing one side to start the tunnel (using ASA 7.2 and PIX 6.3).

Sorry about the confusion. Free points I suppose....
