How to configure IPsec L2L to allow only one way traffic

oldcreek12
Level 1

Hi,

We have a business need that we have to set up an IPsec L2L tunnel (from multiple locations) to a business partner; we require that the connection can only be initiated from our side, not the business partner's side. I searched the web; one option is to configure our side ASA to initiate IKE only, but this does not seem to meet our requirement, because once the IPsec SA is up, IP layer traffic will flow freely in either direction. The other option people suggested is to use a VPN filter in the tunnel group policy, but the documentation of how to use this vpn-filter to enforce a one-way traffic policy is not crystal clear to me. I actually configured a reflexive ACL on the core L3 switch before the traffic hits the ASA to reflect/evaluate specific traffic to the business partner's LAN network, and that worked well. However, one of our branch offices' core L3 switch is a Cat4K which does not support reflexive ACL with the image it is currently running, so I am stuck again ... please help

1 Reply

Maxim Zimovets
Level 1

Dear jiangu!

Please take a look at following url - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Surprisingly, this document will show you the ASA's VPN filter feature very clearly. And VPN filter is the most suitable feature for your need, IMHO.

Best regards
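Added example (not from either poster, and not from the linked document): an ASA vpn-filter configuration that only lets sessions be started from the local side, as the reply recommends. The addresses (10.10.0.0/16 local LAN, 192.0.2.0/24 partner LAN, 203.0.113.1 partner peer) and the object names are constructed placeholders; the partner service is assumed to be HTTPS.

```text
! Constructed values: 10.10.0.0/16 = our LAN, 192.0.2.0/24 = partner LAN,
! 203.0.113.1 = partner's IKE peer address. Replace with real values.
!
! A vpn-filter ACL is written from the remote side's point of view:
! source = partner network, destination = our network. The ASA applies
! the same ACL to outbound traffic with source and destination swapped.
!
! Permit only packets arriving FROM the partner's HTTPS port. Read outbound,
! this becomes "our LAN -> partner port 443", i.e. sessions that we start.
access-list PARTNER-VPN-FILTER extended permit tcp 192.0.2.0 255.255.255.0 eq 443 10.10.0.0 255.255.0.0
! Everything else through the tunnel is dropped; log it so partner-initiated
! attempts show up in syslog.
access-list PARTNER-VPN-FILTER extended deny ip any any log

! Attach the filter to the group policy used by the L2L tunnel group.
group-policy PARTNER-GP internal
group-policy PARTNER-GP attributes
 vpn-filter value PARTNER-VPN-FILTER

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy PARTNER-GP

! Verify: hit counts per ACE and the active tunnel
! show access-list PARTNER-VPN-FILTER
! show vpn-sessiondb l2l
```

Because the permit keys on the partner's source port rather than on connection state, a partner host sending from source port 443 could still open a TCP session to any port on our LAN; where that matters, keep a stateful control in the path (such as the reflexive ACL the question describes) or narrow the destination hosts in the ACE.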