I am currently using a Cisco VPN Concentrator 3060. Recently I have got a requirement: I have to configure an L2L tunnel where we will only push/pull data from our side to their FTP server, but they will not be able to push/pull from our server.
For this requirement I have configured the tunnel with a custom filter. In that filter I have changed the inbound rules. In that:
--> For outbound rules, everything is allowed from us to the remote side.
--> For inbound rules, I have allowed FTP based on port and allowed ICMP, based on [TCP Connection] Established Only. I have only allowed TCP established connections in this inbound direction.
Can anybody tell me whether this will ensure my requirement?
If anybody has any other suggestion, please let me know.
Actually I don't think you can do this by changing the crypto ACLs. They need to mirror each other (few exceptions exist). The approach you are adopting using the filter seems more appropriate and 'scalable' if future changes are required. Just make sure you allow both the FTP control and data channels through the VPN Concentrator. It has no inspection like the ASA.
This will depend on whether you are using ACTIVE or PASV mode. You can also control which clients can be served by an FTP server in the FTP server's admin interface (to further secure things).
Yes Farrukh, I was actually thinking your way too.
In the case of the VPNC (3060), to put the traffic in only one direction we have to rely on the FILTER (and especially the TCP_CONNECTION parameter). This parameter actually works like the ESTABLISHED command in the router (checking the TCP SYN etc.).
Hope you don't disagree with me in this regard. Thanks to both of you again.
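To illustrate the two points raised above (an inbound "established only" rule behaves like a router's ESTABLISHED check, and the result depends on ACTIVE vs PASV FTP), here is an added example that is not from the thread or from Cisco: a flags-only stateless filter model with constructed addresses and ports, showing which FTP data connections it lets through and which it blocks.

```python
# Added example (not from the thread): a stateless "established-only" inbound
# filter judged purely on TCP flags, as a router ACL 'established' keyword or
# the concentrator's TCP Connection option does. Addresses are constructed.
from dataclasses import dataclass

OUR_NET = "10.1.0."        # constructed: our side of the L2L tunnel
REMOTE_FTP = "192.0.2.10"  # constructed: remote FTP server address


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def inbound_allowed(seg: Segment) -> bool:
    """Inbound (remote -> us): permit only replies to connections we opened.
    A stateless filter approximates this by requiring ACK (or RST) to be
    set, so a bare SYN from the remote side is dropped. This is weaker than
    a stateful firewall, which tracks the connection itself."""
    if not seg.dst.startswith(OUR_NET):
        return False
    return "ACK" in seg.flags or "RST" in seg.flags


def outbound_allowed(seg: Segment) -> bool:
    """Outbound (us -> remote): everything permitted, as in the thread."""
    return seg.src.startswith(OUR_NET)


def active_mode_data_ok() -> bool:
    # Active FTP: after PORT, the server opens the data connection from
    # port 20 toward the client's ephemeral port, i.e. an inbound bare SYN.
    syn = Segment(REMOTE_FTP, 20, OUR_NET + "5", 51000, frozenset({"SYN"}))
    return inbound_allowed(syn)


def passive_mode_data_ok() -> bool:
    # Passive FTP: after PASV, the client opens the data connection toward
    # the server's advertised port; only the SYN/ACK comes back inbound.
    syn = Segment(OUR_NET + "5", 51001, REMOTE_FTP, 40000, frozenset({"SYN"}))
    synack = Segment(REMOTE_FTP, 40000, OUR_NET + "5", 51001, frozenset({"SYN", "ACK"}))
    return outbound_allowed(syn) and inbound_allowed(synack)


def remote_initiated_ok() -> bool:
    # The requirement: the remote side must not open connections to us.
    syn = Segment(REMOTE_FTP, 51002, OUR_NET + "5", 21, frozenset({"SYN"}))
    return inbound_allowed(syn)
```

With this rule set, passive-mode transfers work and remote-initiated connections are blocked, but active-mode data connections fail because the server's SYN arrives inbound; that is the ACTIVE/PASV dependency Farrukh pointed out.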