If the PIX/ASA at the main site is configured so that only the main site can initiate the VPN tunnel to the remote site, the remote site must not be able to bring the tunnel up on its own; only the main site initiates it.
To have the tunnel initiated from one end only, set the connection type of the crypto map entry on the head end to originate-only (the originate-only keyword) and the entry on the remote end to answer-only (the answer-only keyword). The default connection type is bidirectional, which lets either peer initiate. Note that the connection type governs only who starts the IKE negotiation; once the tunnel is up, traffic matching the crypto ACL flows in both directions.
Refer to this crypto map configuration example on main site:
crypto map outside_map 20 match address 102
crypto map outside_map 20 set peer 10.10.10.1
crypto map outside_map 20 set connection-type originate-only
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
For the remote site:
crypto map vpn_map 20 match address 101
crypto map vpn_map 20 set peer 10.10.20.20
crypto map vpn_map 20 set connection-type answer-only
crypto map vpn_map 20 set transform-set ESP-AES-256-SHA
crypto map vpn_map interface outside
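The crypto map entries above only work once the rest of the LAN-to-LAN configuration they refer to exists. The following is an added, complete minimal pair of configurations for both ends; it is not part of the original post. The outside addresses 10.10.10.1 and 10.10.20.20 come from the crypto maps above, while the inside networks (192.168.20.0/24 at the main site, 192.168.10.0/24 at the remote site), the ISAKMP policy, the pre-shared key placeholder and the tunnel-group definitions are assumptions. The syntax is the pre-8.4 ASA form used on this page; on ASA 8.4 and later the IKEv1 commands take an ikev1 keyword (crypto ikev1 policy, crypto ipsec ikev1 transform-set, set ikev1 transform-set, ikev1 pre-shared-key, crypto ikev1 enable). NAT exemption for the tunnelled networks is omitted.

```cisco
! ===== Main site (head end): outside 10.10.20.20, inside 192.168.20.0/24 (assumed) =====
! Interesting traffic: main-site LAN to remote-site LAN
access-list 102 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
! Phase 1 policy (assumed values)
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
! Phase 2 transform set referenced by the crypto map
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
! LAN-to-LAN tunnel group keyed on the remote peer address
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 pre-shared-key <shared-secret>
! Crypto map: this end originates, it will not answer an IKE request from 10.10.10.1
crypto map outside_map 20 match address 102
crypto map outside_map 20 set peer 10.10.10.1
crypto map outside_map 20 set connection-type originate-only
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

! ===== Remote site: outside 10.10.10.1, inside 192.168.10.0/24 (assumed) =====
access-list 101 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
tunnel-group 10.10.20.20 type ipsec-l2l
tunnel-group 10.10.20.20 ipsec-attributes
 pre-shared-key <shared-secret>
! Crypto map: this end only answers; traffic matching ACL 101 will not trigger IKE here
crypto map vpn_map 20 match address 101
crypto map vpn_map 20 set peer 10.10.20.20
crypto map vpn_map 20 set connection-type answer-only
crypto map vpn_map 20 set transform-set ESP-AES-256-SHA
crypto map vpn_map interface outside
```

To check the result, confirm the connection type with "show running-config crypto map" on each box, then generate traffic from the remote LAN towards 192.168.20.0/24 while the tunnel is down: "show crypto isakmp sa" on both peers should stay empty, because the answer-only end never starts IKE. Generating traffic from the main LAN should bring up a Phase 1 SA on both sides and a Phase 2 SA visible in "show crypto ipsec sa". The pre-shared key must be identical on both tunnel groups, and the originate-only entry may list several peers with "set peer" for backup LAN-to-LAN, which the answer-only side cannot do.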