How to selectivly block inbound ISAKMP /IPSEC to an ASA interface?

Unanswered Question
Dec 3rd, 2007

Have an ASA running v8, trying to figure out how to block inbound Cisco VPN client traffic to the external interface and only allow 1 block of public IP's to initate the connection. I have created access lists blocking all inbound traffic on the external interface, as well as the standard vpn ports with no luck, appears access lists have no impact on the external interface answering any isakmp/ipsec traffic. Is there a way to limit this?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
srue Mon, 12/03/2007 - 17:22

there is no way.

do you have any network devices *in front* of the ASA that could do this?

shave Mon, 12/03/2007 - 17:32

Thats what I thought... they don't own the edge device, plan b is they start matching client certs to meet their requirements...

anthony.king Tue, 12/04/2007 - 07:59

Actually there might be a way. Try issuing the command 'no sysopt connection permit-vpn'. That is supposed to force the incoming VPN connections to go through the ACLs. I haven't tried it before so I'm not sure if it works as advertised.

Make sure you have your ACL right first though.

shave Tue, 12/04/2007 - 09:19

Good thought, but box is accepting VPN connections with and without the sysopt connection permit-vpn command, may have to get a TAC case rolling on this, In past experience that has always worked to block inbound vpn connections.

srue Tue, 12/04/2007 - 10:36

sysopt connection permit-vpn only matters once a vpn has been established. its purpose is to bypass interface acl checking for encrypted traffic.

trust me, there is no way to do what the OP wants, with just the ASA.

isakmp also by default bypasses external acl checking. it's all or nothing.

srue Tue, 12/04/2007 - 11:10

follow-up to my message above:

isakmp destined for the PIX/ASA, bypasses external acl checking...

isakmp *through* the appliance, must go through normal ACL checks.

Actions

This Discussion