ASA5520 v7.2 - How disable VPN traffic?

networkingib
Level 1

Hi to all,

I have an ASA5520 with v7.2. I have read in the command reference that, by default, the security appliance allows VPN traffic to terminate on a security appliance interface. And here is my question:

How can I disable that to filter the VPN traffic with my own access-list?

Regards, Fernando.

9 Replies

shomar
Level 1

Hi Fernando,

To filter IPSec traffic using an interface access-list, you can use the following command:

no sysopt connection permit-vpn

check the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/s8_711.htm#wp1198155

I hope this is of assistance in answering your question.

Kindest regards,

Shadi

Hi Shadi,

Thanks for your answer but it is not correct. If you go to "Usage Guidelines" of "sysopt connection permit-vpn" you can read:

"You can require an interface access list to apply to the local IP addresses by entering the no sysopt connection permit-vpn command. See the access-list and access-group commands to create an access list and apply it to an interface. IMPORTANT!!! --> The access list applies to the local IP address, and not to the original client IP address used before the VPN packet was decrypted."

So that if I disabled "sysopt connection permit-vpn" I will be able to filter the local IP assigned by the vpn_pool but not the real public IP of the client.

Regards, Fernando.

Hi Fernando,

This means that you would like to filter VPN negotiations using an access-list?

If that is the situation you will not be able to do that as far as I know, you only can either receive all the negotiation requests or disable listening to IPSec negotiations on the specific interface.

K.Regards,

Shadi

Hi Shadi,

Yes, it is, and if you are right it is bad news for me.

Anyway thanks for your interest.

Regards, Fernando.

Fernando,

You are wrong here. Shadi was right originally. All that IMPORTANT is telling you is that if you are going to write access in your interface ACLs, you use the pool address, not the client's public IP. But you will also have to allow isakmp, esp, nat-t etc. in your outside ACL from the public IP of the client.

So, to disable vpn connections you can do "no sysopt conn permit-vpn" and allow specific access in your acls.
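The configuration acomiskey describes, written out as an added example that is not from any poster in this thread. All addresses are constructed placeholders: 203.0.113.10 is the remote client's public IP, 198.51.100.1 the ASA outside interface, 192.168.100.0/24 the VPN pool, and 10.1.1.0/24 the inside network. Whether the outside ACL actually blocks the negotiation on 7.2 is exactly what the rest of the thread disputes, so the hit counters at the end are the check to run.

```cisco
! Stop the ASA from bypassing the interface ACL for VPN traffic
no sysopt connection permit-vpn

! Phase 1: the encrypted session itself, matched on the client's real public IP.
! Only IKE (udp/500), NAT-T (udp/4500) and ESP from the trusted peer are allowed in.
access-list outside_in extended permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list outside_in extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list outside_in extended permit esp host 203.0.113.10 host 198.51.100.1

! Phase 2: decrypted traffic is evaluated against the same ACL, but by then the
! source is the pool address handed to the client, not the public IP.
access-list outside_in extended permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0

! Everything else, including negotiations from unknown public IPs, is dropped and logged
access-list outside_in extended deny ip any any log

access-group outside_in in interface outside
```

After a client attempts to connect, `show access-list outside_in` shows which lines took hits; a connection succeeding with zero hits on the isakmp/esp lines means the negotiation was not subject to the ACL at all.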

Hi acomiskey,

Obviously, before answering Shadi I tried his suggestion, and I confirm that it works as I said.

Even more, I have disabled "sysopt connection permit-vpn" (using "no sysopt conn permit-vpn") and then used the following access-list on the outside interface:

access-list outside_in deny ip any any

access-list outside_in deny esp any any

access-list outside_in deny ahp any any

And the device (the ASA) still allows a vpn client to connect.

If you have some time try it, confirm by yourself and get surprised.

Regards, Fernando.

Fernando, I have tried this myself and have gotten much different results. I have to specifically allow isakmp, esp, nat-t etc. for me to connect a vpn tunnel. I guess we're both right.

And for the record, it appeared you were basing your suggestion upon the documentation quoted above.

Just tried it again and it allowed me to connect. I know at one point in time I had to allow the ports on another ASA. A bug maybe? Anyway, sorry for the confusion.

Hi acomiskey,

Thanks for your interest.

I don't know if it is a bug in v7.2 or not. I thought so, but when I read the "Command Reference" I came to the conclusion that it was the normal behaviour of "no sysopt conn permit-vpn", and because of that I am looking for another way to do it.

Kind Regards, Fernando.
