Cisco Support Community
New Member

Setup OneWay VPN Tunnel

All, we are an MSP and we have VPN tunnels to most of our clients' networks. These are set up in one of several ways: ASA to ASA, ASA to Pix, ASA to Concentrator or Concentrator to Pix, Concentrator to Concentrator, Concentrator to ASA.

Right now all of these tunnels allow for 2 way communications. We would like to change that to allow us to access our clients but our clients to not access us. I've seen a number of posts of people wanting to undo this so I'm hoping someone knows how to do it. Ideally I'd like to just do this on our end in our ASA and Concentrator so I don't have to modify upwards of 60 client firewalls, but if I have to do it on everyone, so be it.

Thanks in advance!!


Re: Setup OneWay VPN Tunnel

In your firewall

- allow outgoing connections triggered in your LAN (specific ports of course).

- block incoming connections triggered from the remote LAN.

Nothing much in VPN, since the general rule for VPN to work is that they should be symmetric.

Cisco Employee

Re: Setup OneWay VPN Tunnel

The answer will depend on which box you have at hand:

- concentrator:

-> this is the hard bit: no stateful firewall in here, so you will have to play around with traffic filters on the interface, ACL style.

- ASA:

-> by default the VPN protected traffic is allowed through the ASA

-> This can be changed using: "no sysopt connection permit-vpn" then configuring what is allowed and what is not via the regular interface ACLs.
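
The ASA approach described in the reply above, as an added configuration example that is not part of the original thread. The interface name `outside`, the ACL and object-group names, and all subnets are constructed assumptions; substitute your own.

```cisco
! Constructed sample values (assumptions, not from the thread):
!   10.10.0.0/16      MSP internal LAN
!   192.168.50.0/24   client A LAN (reached over a site-to-site tunnel)
!   192.168.60.0/24   client B LAN
!   "outside"         interface that terminates the tunnels

! Before (default, two-way): decrypted tunnel traffic bypasses interface ACLs.
!   sysopt connection permit-vpn

! After: decrypted tunnel traffic is checked against the interface ACL.
! This setting is global, so it applies to every tunnel on this ASA,
! remote-access VPN sessions included.
no sysopt connection permit-vpn

! One object-group for all client LANs keeps the ACL to a single entry
! instead of one entry per client.
object-group network CLIENT_LANS
 network-object 192.168.50.0 255.255.255.0
 network-object 192.168.60.0 255.255.255.0

! Drop and log connections initiated from client LANs toward the MSP LAN.
! Place this above any permit entry that would also match these sources.
access-list OUTSIDE_IN extended deny ip object-group CLIENT_LANS 10.10.0.0 255.255.0.0 log

! Existing permit entries for published services, if any, stay below.
access-group OUTSIDE_IN in interface outside

! Connections initiated from the MSP LAN still work: the ASA is stateful,
! so return packets for TCP/UDP flows it has already seen are allowed
! without an ACL entry. ICMP echo replies are only tracked when
! "inspect icmp" is enabled in the global inspection policy.

! Verification:
!   show running-config all sysopt    (confirms permit-vpn is disabled)
!   show access-list OUTSIDE_IN       (hit counts on the deny entry)
```

Because this is done entirely on the MSP's ASA, none of the client firewalls need to change; the hit counter and log entries on the deny line show which clients are still attempting inbound connections.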

