Community Member

VPN L2L Tunnel - in one direction only.

Hi All,

I am currently using a Cisco VPN Concentrator 3060. Recently I have received a requirement: I have to configure an L2L tunnel where we will only push/pull data from our side to their FTP server, but they will not be able to push/pull from our server.

For this requirement I have configured the tunnel with a custom filter. In that filter I have changed the inbound rules:

--> For outbound rules, everything is allowed from us to the remote side.

--> For inbound rules, I have allowed FTP based on port and allowed ICMP, based on [TCP Connection] Established Only. I have only allowed TCP established connections in this inbound direction.

Can anybody tell me whether this will ensure my requirement?

If anybody has any other suggestion, please let me know.

Regards

Adnan

4 REPLIES

Re: VPN L2L Tunnel - in one direction only.

The simplest way is to remove the interesting traffic from the remote site, if you have access to the remote site VPN concentrator.

The interesting traffic in the concentrator is the traffic included in the Local and Remote Networks:

Configuration > Policy Management > Traffic Management > Network Lists

Just don't include your local network in the remote concentrator as a remote network.

In this case it won't start, but only accept.

Hope this is helpful.

Please rate if helpful.

Re: VPN L2L Tunnel - in one direction only.

Actually I don't think you can do this by changing the crypto ACLs. They need to mirror each other (a few exceptions exist). The approach you are adopting using the filter seems more appropriate and 'scalable' if future changes are required. Just make sure you allow both the FTP control and data channels through the VPN Conc. It has no inspections like the ASA.

This will depend on whether you are using ACTIVE or PASV mode. You can also control which clients can be served by an FTP server in the FTP server's admin interface (to further secure things).

Regards

Farrukh

Community Member

Re: VPN L2L Tunnel - in one direction only.

Thanks to both of you.

Yes Farrukh, I was actually thinking your way too.

In the case of the VPNC (3060), to put the traffic in only one direction we have to rely on the FILTER (and specifically the TCP_CONNECTION parameter). This parameter actually works like the ESTABLISHED command on the router (checking the TCP SYN etc.).

Hope you don't disagree with me in this regard. Thanks to both of you again.

Regards

Adnan

Re: VPN L2L Tunnel - in one direction only.

Yes, something like that. This means it's susceptible to spoofing and is not as secure as a regular stateful firewall.

Regards

Farrukh
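Added example (not code from the thread or from Cisco): a small model of the two points Farrukh raises, the active/passive FTP data channel and the spoofing weakness of an "established only" rule. It checks constructed packets against a stateless ACK/RST-bit rule, as the concentrator's TCP Connection filter option is described here, and against a minimal stateful table; the addresses and ports are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN", "ACK"})

def established_only(p: Pkt) -> bool:
    """Stateless 'established' style rule (the thread's TCP Connection
    parameter): pass if ACK or RST is set, so only a bare SYN, i.e. a new
    connection attempt, is blocked. No memory of prior traffic is kept."""
    return bool(p.flags & {"ACK", "RST"})

class StatefulInbound:
    """Minimal stateful check: inbound traffic passes only if it belongs to
    a flow our side opened (recorded when we send the initial SYN)."""
    def __init__(self) -> None:
        self.flows: set = set()
    def outbound(self, p: Pkt) -> None:
        if p.flags == frozenset({"SYN"}):
            self.flows.add((p.src, p.sport, p.dst, p.dport))
    def inbound(self, p: Pkt) -> bool:
        return (p.dst, p.dport, p.src, p.sport) in self.flows

LOCAL, REMOTE_FTP = "10.1.0.5", "192.0.2.10"   # constructed addresses

def compare() -> dict:
    fw = StatefulInbound()
    # our client opens the FTP control channel toward the remote server
    fw.outbound(Pkt(LOCAL, 40000, REMOTE_FTP, 21, frozenset({"SYN"})))
    cases = {
        # server's SYN-ACK reply on the control channel we opened
        "reply_to_our_connection": Pkt(REMOTE_FTP, 21, LOCAL, 40000, frozenset({"SYN", "ACK"})),
        # unsolicited inbound segment with ACK set: no matching flow exists
        "unsolicited_ack_only": Pkt(REMOTE_FTP, 5555, LOCAL, 22, frozenset({"ACK"})),
        # active-mode FTP: the server opens the data channel from port 20 toward us
        "active_ftp_data_syn": Pkt(REMOTE_FTP, 20, LOCAL, 40001, frozenset({"SYN"})),
    }
    return {name: {"established_only": established_only(p), "stateful": fw.inbound(p)}
            for name, p in cases.items()}

if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:24s} established_only={verdict['established_only']!s:5s} "
              f"stateful={verdict['stateful']}")
```

The unsolicited ACK case is the spoofing gap: the stateless rule passes it, the stateful table does not. The active-mode case shows why PASV (client opens both channels) is the mode that fits an inbound established-only filter.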
