Cisco ASA - Restricting site to site VPN traffic in one direction only

I have an ASA5520, and received a request to configure a site to site between our ASA5520 and another vendor to ship SQL transaction logs from our SQL server that sits behind our ASA5520, to their SQL server that will be at the other end of the tunnel (vendor side). I am completely familiar with configuring a site to site VPN, this is no problem, but what I am unsure of is if I can restrict this VPN so traffic flows in one direction only via the port I specify. I know restricting by port is possible, but I'm not sure about only allowing traffic flow in one direction. So for example, over the VPN, I want the SQL server on my side that is behind my ASA5520 to be able to send SQL transaction logs over port 1234 over the tunnel to the vendor, but I don't want return traffic to be allowed over port 1234. I just want them to be able to receive traffic from us, I don't want us to receive traffic from them. I hope that makes sense. Is this possible?
denver218Asked:

asavenerCommented:
The best way to accomplish this would be to bake it into the access list defining the interesting traffic.

So your traffic will match the source address of the SQL box shipping the logs, along with a port range 1025-65535.  Destination address will match the address of the SQL box they're shipping the logs to, and the destination port, which is likely 1433.

For further security, enable the local firewall on the SQL box, and block inbound connections to 1025-65535.
denver218Author Commented:
If I understand correctly, though, this would allow port 1433 traffic in both directions, right?
asavenerCommented:
Depends on what you mean by "allow port 1433 in both directions."

It allows traffic from site A to site B with destination port 1433.
It allows traffic from site B to site A with source port 1433.


Site A:
access-list SQL_Log_Shipping_VPN_Site_A_to_Site_B extended permit tcp host 10.1.1.10 gt 1024 host 10.10.10.10 eq 1433

Site B:
access-list SQL_Log_Shipping_VPN_Site_B_to_Site_A extended permit tcp host 10.10.10.10 eq 1433 host 10.1.1.10 gt 1024
If you want to make sure that Site B cannot access the SQL port on the server at site A:

Site A:
access-list SQL_Log_Shipping_VPN_Site_A_to_Site_B extended deny tcp host 10.1.1.10 eq 1433 any
access-list SQL_Log_Shipping_VPN_Site_A_to_Site_B extended permit tcp host 10.1.1.10 gt 1024 host 10.10.10.10 eq 1433

Site B:
access-list SQL_Log_Shipping_VPN_Site_B_to_Site_A extended deny tcp any host 10.1.1.10 eq 1433
access-list SQL_Log_Shipping_VPN_Site_B_to_Site_A extended permit tcp host 10.10.10.10 eq 1433 host 10.1.1.10 gt 1024
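To see exactly which packets the four ACEs above match, here is an added Python example, not code from the answer or from Cisco, that parses the `host`/`any` forms used in those lines and evaluates constructed flows first-match with an implicit deny, the way the ASA does. The simplified parser and the sample flows are assumptions made for this illustration; note that the check is per packet with no connection state, which is why the answer also recommends the host firewall on the SQL box.

```python
# Added example (not Cisco code): evaluate the host/any ACE forms from the answer
# against constructed flows. Matching is per packet, first match, implicit deny,
# and carries no connection state, which is why the host firewall is also advised.

SITE_A_ACL = [  # copied from the answer
    "access-list SQL_Log_Shipping_VPN_Site_A_to_Site_B extended deny tcp host 10.1.1.10 eq 1433 any",
    "access-list SQL_Log_Shipping_VPN_Site_A_to_Site_B extended permit tcp host 10.1.1.10 gt 1024 host 10.10.10.10 eq 1433",
]
SITE_B_ACL = [
    "access-list SQL_Log_Shipping_VPN_Site_B_to_Site_A extended deny tcp any host 10.1.1.10 eq 1433",
    "access-list SQL_Log_Shipping_VPN_Site_B_to_Site_A extended permit tcp host 10.10.10.10 eq 1433 host 10.1.1.10 gt 1024",
]

PORT_OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n,
            "lt": lambda p, n: p < n, "neq": lambda p, n: p != n}

def _endpoint(tok, i):
    """Parse 'host A' or 'any' plus an optional 'eq/gt/lt/neq N' at tok[i].
    Returns (address or None for any, port predicate, index of next token)."""
    if tok[i] == "any":
        addr, i = None, i + 1
    elif tok[i] == "host":
        addr, i = tok[i + 1], i + 2
    else:
        raise ValueError("only 'host' and 'any' address forms are handled here")
    pred = lambda p: True
    if i < len(tok) and tok[i] in PORT_OPS:
        op, n = PORT_OPS[tok[i]], int(tok[i + 1])
        pred, i = (lambda p: op(p, n)), i + 2
    return addr, pred, i

def parse_ace(line):
    """Split 'access-list NAME extended ACTION PROTO SRC [op N] DST [op N]'."""
    tok = line.split()
    k = tok.index("extended")
    action, proto = tok[k + 1], tok[k + 2]
    src, sport, i = _endpoint(tok, k + 3)
    dst, dport, _ = _endpoint(tok, i)
    return action, proto, src, sport, dst, dport

def evaluate(acl, proto, src, sport, dst, dport):
    """Return 'permit' or 'deny' for one packet; the first matching ACE wins."""
    for line in acl:
        action, p, s, sp, d, dp = parse_ace(line)
        if p == proto and s in (None, src) and sp(sport) and d in (None, dst) and dp(dport):
            return action
    return "deny"  # implicit deny at the end of every ASA ACL
```

Running the log-shipping flow and its reply through both lists shows them permitted, while a new connection from the vendor side to port 1433 at Site A is denied by the first ACE; a packet from source port 1433 to any high port at Site A still passes, which is the gap the local firewall on the SQL box is meant to close.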
