Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Community November 2020 Spotlight Award Winners

How to configure one way VPN tunnel on the PIX/ASA

Labels:
3903
Views
0
Helpful
0
Comments
TCC_2
Advocate
‎06-22-2009 04:38 PM
edited on: ‎03-08-2019 ‎06:16 PM

Core issue

If you set up the PIX/ASA on main site in order to initiate VPN tunnel and remote site, only the main site should be able to initiate the tunnel. The remote site should not be able to initiate the VPN connection.

Resolution

In order to have the VPN tunnel be initiated only from one end, configure the head end of the connection as originate-only with the originate-only keyword in the crypto map entry, and the remote end with answer-only keyword.

Refer to this crypto map configuration example on main site:

crypto map outside_map 20 match address 102
crypto map outside_map 20 set peer 10.10.10.1
crypto map outside_map 20 set connection-type originate-only
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

For the remote site:

crypto map vpn_map 20 match address 101
crypto map vpn_map 20 set peer 10.10.20.20
crypto map vpn_map 20 set connection-type answer-only
crypto map vpn_map 20 set transform-set ESP-AES-256-SHA
crypto map vpn_map interface outside

0 Helpful
Latest Contents
How to check/control which NAT & ACL rule(s) has been hit?
Created by IamSamSaul on 03-03-2021 10:52 AM
2
0
2
0
Hi there, Is there any command (CLI or GUI) to check or control which NAT rule has been hit?  For example: a user is coming from Internet and wants to access a webserver in DMZ zone. Now I would like to know which NAT rule and ACL rule(s) h... view more
ISE Admin Access Logs
Created by phillip.vansickle on 03-03-2021 09:36 AM
1
5
1
5
I am having a user who is trying to access iSE using an AD account.The account has the proper groups associated with it and I've verified the ISE configuration.  How do I view logs of attempted login attempts? Thanks, Phill
authentication new-style config on cisco 2960 switches
Created by Anthony O'Reilly on 03-03-2021 07:53 AM
1
0
1
0
Hi, I have two ISE 2.7 Patch 2 virtual devices. I have a test switch with some users and phones on it. My aim is for laptops, desktop and wyse terminal to authenticate using dot1x. The Cisco phone will authentication via mab.  The Cisc... view more
ISE and proxy policy
Created by cperera4541 on 03-03-2021 07:50 AM
0
0
0
0
The device requesting the access is going through the proxy. ISE shows the proxy in region A which is our datacenter. That is fine, however it's trying to authorize the device against region A instead of the actual location policy the network device is co... view more
iPSK anchor/Foreign east west traffic & P2P
Created by craiglebutt on 03-03-2021 07:18 AM
0
0
0
0
we have a requirement to allow non corporate devices straight out to the internet, this is to do with ISO27001. So have started  to create iPSKs from internal to DMZ no problem, just time consuming creating DNS,DHCP, Zones ect on Firewall and th... view more
Content for Community-Ad