How to selectivly block inbound ISAKMP /IPSEC to an ASA interface?

Unanswered Question
Dec 3rd, 2007
User Badges:

Have an ASA running v8, trying to figure out how to block inbound Cisco VPN client traffic to the external interface and only allow 1 block of public IP's to initate the connection. I have created access lists blocking all inbound traffic on the external interface, as well as the standard vpn ports with no luck, appears access lists have no impact on the external interface answering any isakmp/ipsec traffic. Is there a way to limit this?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
srue Mon, 12/03/2007 - 17:22
User Badges:
  • Blue, 1500 points or more

there is no way.


do you have any network devices *in front* of the ASA that could do this?

shave Mon, 12/03/2007 - 17:32
User Badges:

Thats what I thought... they don't own the edge device, plan b is they start matching client certs to meet their requirements...

anthony.king Tue, 12/04/2007 - 07:59
User Badges:

Actually there might be a way. Try issuing the command 'no sysopt connection permit-vpn'. That is supposed to force the incoming VPN connections to go through the ACLs. I haven't tried it before so I'm not sure if it works as advertised.


Make sure you have your ACL right first though.


shave Tue, 12/04/2007 - 09:19
User Badges:

Good thought, but box is accepting VPN connections with and without the sysopt connection permit-vpn command, may have to get a TAC case rolling on this, In past experience that has always worked to block inbound vpn connections.

srue Tue, 12/04/2007 - 10:36
User Badges:
  • Blue, 1500 points or more

sysopt connection permit-vpn only matters once a vpn has been established. its purpose is to bypass interface acl checking for encrypted traffic.

trust me, there is no way to do what the OP wants, with just the ASA.

isakmp also by default bypasses external acl checking. it's all or nothing.

srue Tue, 12/04/2007 - 11:10
User Badges:
  • Blue, 1500 points or more

follow-up to my message above:


isakmp destined for the PIX/ASA, bypasses external acl checking...

isakmp *through* the appliance, must go through normal ACL checks.

Actions

This Discussion