Question : How to Create a "One Way" VPN in Cisco ASA

Hi All,

I have created an isolated network to which I allow some external parties access.
I have setup a remote access VPN to that network so the external parties can access it freely.

I also have setup a site to site VPN to this network from our corporate network.
This is all working as expected.

Now I wish to deny all traffic through the site-site VPN from the "Isolated" network to the corporate network while permitting all traffic through the site-site VPN from corporate to the isolated network.

10.10.0.0 ------ Internet ----- 10.12.1.0
Corporate                               Isolated

I have done the following:

On the corporate ASA:
group-policy FilterToTull internal
group-policy FilterToTull attributes
 vpn-filter value blockVSExtlabtoTull

access-list blockVSExtlabtoTull extended deny ip 10.12.1.0 255.255.255.0 any

tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx general-attributes
 default-group-policy FilterToTull

But this seems to result in a Bi-Directional restriction. I require only a one way block.
Any ideas?

Many thanks,
Shane

Answer : How to Create a "One Way" VPN in Cisco ASA

It does sound a bit messy. I still think the traffic should be blocked at ingress, i.e. on the isolated firewall.
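The ingress-side approach the answer points at, written out as an added example (this is not the answerer's configuration): an inbound ACL on the isolated ASA's inside interface drops isolated-to-corporate traffic before it is ever encrypted. The interface name "inside" and the /16 mask for the corporate network are assumptions; the 10.12.1.0/24 isolated network is taken from the question.

```cisco
! Added example: enforce the one-way block on the ISOLATED ASA rather than with
! a vpn-filter (vpn-filter ACLs are evaluated for both directions of the tunnel).
! Assumptions: inside interface is named "inside"; corporate is 10.10.0.0/16.
!
! Drop anything the isolated hosts send toward corporate as it enters the
! inside interface; let all other traffic from the isolated network through.
access-list INSIDE_IN extended deny ip 10.12.1.0 255.255.255.0 10.10.0.0 255.255.0.0 log
access-list INSIDE_IN extended permit ip 10.12.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! Corporate-initiated connections keep working: an interface ACL is consulted
! only when a new connection is built, and replies from isolated hosts match
! the existing connection entry, so this deny line never sees them.
!
! Check: "show access-list INSIDE_IN" - hit counts on the deny line show
! isolated hosts attempting to reach corporate; the log keyword records them.
```

Leave the vpn-filter off the site-to-site tunnel group (or remove the bidirectional filter tried on the corporate ASA), otherwise the tunnel-level filter will still block corporate-to-isolated traffic.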