06-15-2007 02:01 AM - edited 02-21-2020 03:06 PM
Hi to all,
I have an ASA5520 with v7.2. I have read in the command reference that, by default, the security appliance allows VPN traffic to terminate on a security appliance interface. And here is my question:
How can I disable that to filter the VPN traffic with my own access-list?
Regards, Fernando.
06-19-2007 01:43 AM
Hi Fernando,
To filter IPSec traffic using an interface access-list, you can use the following command:
no sysopt connection permit-vpn
check the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/s8_711.htm#wp1198155
I hope that this be of assistance to answer your question.
Kindest regards,
Shadi
06-19-2007 02:00 AM
Hi Shadi,
Thanks for your answer but it is not correct. If you go to "Usage Guidelines" of "sysopt connection permit-vpn" you can read:
"You can require an interface access list to apply to the local IP addresses by entering the no sysopt connection permit-vpn command. See the access-list and access-group commands to create an access list and apply it to an interface. IMPORTANT!!! --> The access list applies to the local IP address, and not to the original client IP address used before the VPN packet was decrypted."
So if I disable "sysopt connection permit-vpn", I will be able to filter the local IP assigned by the vpn_pool but not the real public IP of the client.
Regards, Fernando.
06-19-2007 03:07 AM
Hi Fernando,
This means that you would like to filter VPN negotiations using an access-list?
If that is the situation, you will not be able to do that as far as I know; you can only either receive all the negotiation requests or disable listening for IPSec negotiations on the specific interface.
K.Regards,
Shadi
06-19-2007 03:18 AM
Hi Shadi,
Yes, it is, and if you are right it is bad news for me.
Anyway thanks for your interest.
Regards, Fernando.
06-20-2007 07:01 AM
Fernando,
You are wrong here. Shadi was right originally. All that IMPORTANT is telling you is that if you are going to write access rules in your interface ACLs, you use the pool address, not the client's public IP. But you will also have to allow isakmp, esp, nat-t etc. in your outside ACL from the public IP of the client.
So, to disable vpn connections you can do "no sysopt conn permit-vpn" and allow specific access in your acls.
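As an added illustration (not posted by anyone in this thread) of what the quoted usage guideline describes: once `no sysopt connection permit-vpn` is set, the outside interface ACL is evaluated against the decrypted packets, so the rules match the pool address rather than the client's public IP. The pool range 10.10.10.0/24, the internal host 192.168.1.20 and the tunnel-group name RA_VPN are assumed values, not from the page.

```cisco
! Assumed addressing: remote-access pool 10.10.10.0/24, internal file server 192.168.1.20
ip local pool vpn_pool 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Assumed tunnel-group name; hands out addresses from the pool above
tunnel-group RA_VPN type ipsec-ra
tunnel-group RA_VPN general-attributes
 address-pool vpn_pool

! Remove the implicit bypass: decrypted VPN packets are now checked against the interface ACL
no sysopt connection permit-vpn

! Rules are written against the POOL address (the post-decryption source),
! not against the client's public IP, exactly as the guideline warns
access-list outside_in extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 445
access-list outside_in extended permit icmp 10.10.10.0 255.255.255.0 host 192.168.1.20
access-list outside_in extended deny ip 10.10.10.0 255.255.255.0 any log
access-group outside_in in interface outside
```

This only governs what a connected client may reach after decryption; whether the same ACL has any effect on the IKE/ESP negotiation addressed to the ASA itself is precisely what the later posts in this thread disagree about.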
06-20-2007 10:49 AM
Hi acomiskey,
Obviously, before answering Shadi I tried his suggestion, and I confirm that it works as I said.
Moreover, I have disabled "sysopt permit connection-vpn" (using "no sysopt conn permit-vpn") and then used the following access-list on the outside interface:
access-list outside_in deny ip any any
access-list outside_in deny esp any any
access-list outside_in deny ahp any any
And the device (the ASA) still allows a vpn client to connect.
If you have some time try it, confirm by yourself and get surprised.
Regards, Fernando.
06-20-2007 11:00 AM
Fernando, I have tried this myself and have gotten much different results. I have to specifically allow isakmp, esp, nat-t etc. for me to connect a vpn tunnel. I guess we're both right.
And for the record, it appeared you were basing your suggestion upon the documentation quoted above.
06-20-2007 11:32 AM
Just tried it again and it allowed me to connect. I know at one point in time I had to allow the ports on another ASA. A bug maybe? Anyway, sorry for the confusion.
06-20-2007 11:49 PM
Hi acomiskey,
Thanks for your interest.
I don't know if it is a bug in v7.2 or not. I thought so, but then I read the "Command Reference" and came to the conclusion that it was the normal use of "no sysopt conn permit-vpn", and because of that I am looking for another way to do it.
Kind Regards, Fernando.