10-28-2009 05:57 PM - edited 03-11-2019 09:33 AM
I have an ASA5510 running 8.2.1 code for site-2-site VPN.
I want to establish VPN between this ASA5510 and a remote peer which is a Cisco 1841 which has an external IP address of 1.2.3.4
I would like to be able to allow ONLY IP address 1.2.3.4 to establish a VPN peering with the ASA 5510. Any other IP address will not be allowed.
On the ASA I allow this (a.b.c.d is the outside address of the ASA 5510):
no sysopt connection permit-vpn
crypto isakmp identity address
crypto isakmp enable outside
access-list outside_acl permit udp host 1.2.3.4 host a.b.c.d eq 500 log
access-list outside_acl permit udp host 1.2.3.4 host a.b.c.d eq 4500 log
access-list outside_acl permit esp host 1.2.3.4 host a.b.c.d log
access-list outside_acl deny udp any any eq 500 log
access-list outside_acl deny udp any any eq 4500 log
access-list outside_acl deny esp any any log
access-list outside_acl permit ip any any log
access-group outside_acl in interface outside
With this ACL on the outside interface, it seems like hosts other than 1.2.3.4 can also initiate VPN with my ASA5510.
Is it possible to stop other hosts besides 1.2.3.4 from initiating site-2-site VPN with my ASA 5510? Thanks in advance.
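As an added illustration (not part of the thread), here is a small first-match evaluator for the outside_acl quoted above, run against a few constructed flows: the allowed peer on UDP/500, a different host (5.6.7.8, the address used later in the thread) on UDP/500, UDP/4500 and ESP, and ordinary traffic through the ASA. It shows only what the ACL is written to permit; whether the ASA applies an interface ACL to IKE/ESP traffic that terminates on the ASA itself is exactly the question the thread is arguing about.

```python
# Added example: evaluate the posted ASA interface ACL with first-match
# semantics and the ASA's implicit deny at the end of every ACL.
from dataclasses import dataclass
from typing import Optional

ASA_OUTSIDE = "a.b.c.d"   # placeholder for the ASA outside address, as in the post

# The ACL exactly as posted in the question.
OUTSIDE_ACL = """
access-list outside_acl permit udp host 1.2.3.4 host a.b.c.d eq 500 log
access-list outside_acl permit udp host 1.2.3.4 host a.b.c.d eq 4500 log
access-list outside_acl permit esp host 1.2.3.4 host a.b.c.d log
access-list outside_acl deny udp any any eq 500 log
access-list outside_acl deny udp any any eq 4500 log
access-list outside_acl deny esp any any log
access-list outside_acl permit ip any any log
"""

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "udp", "esp", ...
    src: str               # host address or "any"
    dst: str
    dport: Optional[int]   # destination port from "eq N", else None

def _addr(tok, i):
    """Parse one address operand: 'any' or 'host A.B.C.D'."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("unsupported address form: " + " ".join(tok[i:]))

def parse_acl(text):
    """Parse the subset of ASA ACE syntax used in the posted ACL."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces

def evaluate(aces, src, dst, proto, dport=None):
    """Return the action of the first matching ACE; no match means deny."""
    for a in aces:
        if a.proto not in ("ip", proto):
            continue
        if a.src not in ("any", src) or a.dst not in ("any", dst):
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "deny"
```

Constructed flows to try: `evaluate(acl, "1.2.3.4", ASA_OUTSIDE, "udp", 500)` returns "permit", while the same flow from "5.6.7.8" and ESP from "5.6.7.8" return "deny", and "5.6.7.8" to an inside host on tcp/80 is still permitted by the final permit ip any any.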
10-28-2009 06:43 PM
Hi,
Do you have any kind of MPF inspection policy which use inspect ipsec-pass-thru ?
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1668213
What do you mean by "can also initiate VPN" ?
do you have isakmp and ipsec SA ?
regards
10-28-2009 06:51 PM
Not sure if you understand my question. I am terminating VPN on the ASA itself, not ipsec-pass-thru. I only want the 1841 to be able to establish VPN with me. Any other peers will not be able to establish VPN with the ASA5510.
For example, let's say you have a Cisco 2600 with an IP address of 1.1.1.1 and you set up site-2-site VPN with the ASA5510, and that I also configure the VPN with the 2600. However, if you try to initiate VPN from the 2600, my "outside_acl" will block you from doing it.
This can be done easily with Cisco IOS. How about ASA?
Does that make sense?
10-28-2009 07:46 PM
Hi,
Your sentence "it seems like hosts other than 1.2.3.4 can also initiate VPN with my ASA5510" makes me ask if you're using ipsec-pass-thru.
But with "no sysopt connection permit-vpn" command and your access-list only 1.2.3.4 would be able to initiate a connection to the ASA 5510.
regards
10-29-2009 03:03 AM
"But with "no sysopt connection permit-vpn" command and your access-list only 1.2.3.4 would be able to initiate a connection to the ASA 5510."
That's what I thought as well but it was not the case. Other hosts such as 5.6.7.8 can also initiate VPN connectivity to the ASA5510 as well. How do I go about stopping this?
10-29-2009 05:46 AM
Hi,
What do you mean by "Other hosts such as 5.6.7.8 can also initiate VPN connectivity to the ASA5510" ?
Do you have an SA for other hosts on your ASA?
Verify also that connection permit-vpn is really deactivated: "show run all sysopt"
Regards
10-29-2009 06:11 AM
"Do you have an SA for other hosts on your ASA"
YES.
asa0n# show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp external
no sysopt noproxyarp internal
asa0n#
10-29-2009 06:37 AM
Please issue these commands on your ASA when other hosts are getting in: "show crypto isakmp sa"
"show crypto ipsec sa"
Can you also post the part of your config related to VPN.
Hosts can't get SA if they're not configured as peer and use the same shared key or certificate server.
regards
10-29-2009 06:42 AM
sysopt connection permit-vpn only deals with IPsec traffic after the tunnel is established. It has nothing to do with which peer can attempt a connection. I would recommend using an access list on an outside router, if you have one, to restrict VPN traffic to 1.2.3.4 only.
10-29-2009 07:12 AM
If I understand correctly, this feature "is" available on Cisco IOS router but NOT on ASA appliances? Is that a fair statement?
If that is a correct statement, it basically states that if I put my ASA appliances facing the Internet and there is a vulnerability in the IKE exchange, then someone could potentially take down the ASA appliance because the device can NOT protect itself from other hosts initiating ISAKMP to it, whereas if I am using VPN on a Cisco IOS device, I can apply an ACL on the external interface to protect it.
Is that an accurate statement?
10-29-2009 08:32 AM
Sorry, but I don't agree with acomiskey.
For incoming IPsec traffic, "sysopt connection permit-vpn" allows bypassing the ACL on the interface where the traffic comes in, so you don't need to permit IKE and ESP in your ACL.
Then, if you issue "no sysopt connection permit-vpn" and you don't configure an ACL with permissions for ESP and ISAKMP, your ASA won't reply to any incoming IPsec traffic, even if all the VPN configuration on the ASA is correct.
So with "no sysopt connection permit-vpn" and your ACL, only the hosts allowed in the ACL will be allowed to negotiate a VPN session.
I would be interested to see your "show crypto" output that proves that other hosts can get in.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/vpnsysop.html#wp1042105
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
10-29-2009 08:44 AM
Sorry amadoutoure but that is not true.
"no sysopt connection permit-vpn" will not prevent you from connecting via VPN. It will only prevent you from going anywhere after you have connected.