cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2132
Views
0
Helpful
6
Replies

How to selectivly block inbound ISAKMP /IPSEC to an ASA interface?

shave
Level 1
Level 1

Have an ASA running v8, trying to figure out how to block inbound Cisco VPN client traffic to the external interface and only allow 1 block of public IP's to initate the connection. I have created access lists blocking all inbound traffic on the external interface, as well as the standard vpn ports with no luck, appears access lists have no impact on the external interface answering any isakmp/ipsec traffic. Is there a way to limit this?

6 Replies 6

srue
Level 7
Level 7

there is no way.

do you have any network devices *in front* of the ASA that could do this?

Thats what I thought... they don't own the edge device, plan b is they start matching client certs to meet their requirements...

Actually there might be a way. Try issuing the command 'no sysopt connection permit-vpn'. That is supposed to force the incoming VPN connections to go through the ACLs. I haven't tried it before so I'm not sure if it works as advertised.

Make sure you have your ACL right first though.

Good thought, but box is accepting VPN connections with and without the sysopt connection permit-vpn command, may have to get a TAC case rolling on this, In past experience that has always worked to block inbound vpn connections.

sysopt connection permit-vpn only matters once a vpn has been established. its purpose is to bypass interface acl checking for encrypted traffic.

trust me, there is no way to do what the OP wants, with just the ASA.

isakmp also by default bypasses external acl checking. it's all or nothing.

follow-up to my message above:

isakmp destined for the PIX/ASA, bypasses external acl checking...

isakmp *through* the appliance, must go through normal ACL checks.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: