IPSec site-2-site VPN on ASA5510

cisco24x7
Level 6

I have an ASA5510 running 8.2.1 code for site-2-site VPN.

I want to establish a VPN between this ASA5510 and a remote peer, which is a Cisco 1841 with an external IP address of 1.2.3.4.

I would like to allow ONLY IP address 1.2.3.4 to establish a VPN peering with the ASA 5510. Any other IP address will not be allowed.

On the ASA I allow this (a.b.c.d is the outside address of the ASA 5510):

no sysopt connection permit-vpn

crypto isakmp identity address

crypto isakmp enable outside

access-list outside_acl permit udp host 1.2.3.4 host a.b.c.d eq 500 log

access-list outside_acl permit udp host 1.2.3.4 host a.b.c.d eq 4500 log

access-list outside_acl permit esp host 1.2.3.4 host a.b.c.d log

access-list outside_acl deny udp any any eq 500 log

access-list outside_acl deny udp any any eq 4500 log

access-list outside_acl deny esp any any log

access-list outside_acl permit ip any any log

access-group outside_acl in interface outside

With this ACL on the outside interface, it seems like hosts other than 1.2.3.4 can also initiate VPN with my ASA5510.

Is it possible to stop other hosts besides 1.2.3.4 from initiating site-2-site VPN with my ASA 5510? Thanks in advance.

17 Replies

Amadou TOURE
Level 1

Hi,

Do you have any kind of MPF inspection policy which uses inspect ipsec-pass-thru?

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1668213

What do you mean by "can also initiate VPN" ?

do you have isakmp and ipsec SA ?

regards

Not sure if you understand my question. I am terminating the VPN on the ASA itself, not ipsec-pass-thru. I only want the 1841 to be able to establish a VPN with me. Any other peers will not be able to establish a VPN with the ASA5510.

For example, let's say you have a Cisco 2600 with an IP address of 1.1.1.1 and you set up a site-2-site VPN with the ASA5510, and that I also configure the VPN with the 2600. However, if you try to initiate the VPN from the 2600, my "outside_acl" will block you from doing it.

This can be done easily with Cisco IOS. How about the ASA?

Does that make sense?

Hi,

Your sentence "it seems like hosts other than 1.2.3.4 can also initiate VPN with my ASA5510" makes me ask if you're using ipsec-pass-thru.

But with "no sysopt connection permit-vpn" command and your access-list only 1.2.3.4 would be able to initiate a connection to the ASA 5510.

regards

"But with "no sysopt connection permit-vpn" command and your access-list only 1.2.3.4 would be able to initiate a connection to the ASA 5510."

That's what I thought as well but it was not the case. Other hosts such as 5.6.7.8 can also initiate VPN connectivity to the ASA5510 as well. How do I go about stopping this?

Hi,

What do you mean by "Other hosts such as 5.6.7.8 can also initiate VPN connectivity to the ASA5510" ?

Do you have an SA for other hosts on your ASA?

Also verify that connection permit-vpn is really deactivated: "show run all sysopt"

Regards

"Do you have an SA for other hosts on your ASA"

YES.

asa0n# show run all sysopt

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt connection permit-vpn

sysopt connection reclassify-vpn

no sysopt connection preserve-vpn-flows

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt noproxyarp external

no sysopt noproxyarp internal

asa0n#

Please issue these commands on your ASA when other hosts are getting in: "show crypto isakmp sa"

"show crypto ipsec sa"

Can you also post the part of your config related to the VPN?

Hosts can't get an SA if they're not configured as a peer and using the same shared key or certificate server.

regards
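The request above is to check the output of "show crypto isakmp sa" for peers other than 1.2.3.4. The following is an added example, not code from the thread or from Cisco: a small Python parser that reads that output and lists every IKE peer that is not on an allow-list, together with its role (a "responder" role means the ASA answered an exchange the remote side started). The sample output is constructed to look like the 8.2 format and uses the addresses from the thread; the field layout is an assumption based on that format.

```python
import ipaddress
import re

# Constructed sample, laid out like "show crypto isakmp sa" on ASA 8.2 code.
# Peers, roles and states are made up for illustration (assumption).
SAMPLE_ISAKMP_SA = """\
   Active SA: 2
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 1.2.3.4
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 5.6.7.8
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

# Only this peer is supposed to hold an IKE SA with the ASA (from the thread).
ALLOWED_PEERS = {"1.2.3.4"}

# One numbered "IKE Peer:" line starts each SA entry; the rest of the entry is
# "Key : value" pairs spread over the following lines.
ENTRY_SPLIT_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*", re.MULTILINE)
FIELD_RE = re.compile(r"(Type|Role|Rekey|State)\s*:\s*(\S+)")


def parse_isakmp_sa(text):
    """Return one dict per IKE SA: peer, plus type/role/rekey/state when present."""
    entries = []
    chunks = ENTRY_SPLIT_RE.split(text)
    # chunks[0] is the "Active SA / Rekey SA / Total IKE SA" summary header.
    for chunk in chunks[1:]:
        peer = chunk.splitlines()[0].strip()
        entry = {"peer": peer}
        for key, value in FIELD_RE.findall(chunk):
            entry[key.lower()] = value
        entries.append(entry)
    return entries


def unexpected_peers(text, allowed):
    """Peers holding an IKE SA that fall outside the allow-list.

    'allowed' may contain single addresses or CIDR prefixes. Returns a list of
    (peer, role, state) tuples in the order the ASA listed them.
    """
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    flagged = []
    for sa in parse_isakmp_sa(text):
        addr = ipaddress.ip_address(sa["peer"])
        if not any(addr in net for net in allowed_nets):
            flagged.append((sa["peer"], sa.get("role"), sa.get("state")))
    return flagged


if __name__ == "__main__":
    for peer, role, state in unexpected_peers(SAMPLE_ISAKMP_SA, ALLOWED_PEERS):
        print(f"unexpected IKE peer {peer} (role={role}, state={state})")
```

Paste the real "show crypto isakmp sa" output in place of the constructed sample; any peer the script lists has completed enough of the IKE exchange to appear as an SA, which is the evidence the thread asks for.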

sysopt connection permit-vpn only deals with ipsec traffic after the tunnel is established. It has nothing to do with what peer can attempt a connection. I would recommend using an access list in an outside router if you have one to restrict vpn traffic from 1.2.3.4 only.

If I understand correctly, this feature "is" available on Cisco IOS routers but NOT on ASA appliances? Is that a fair statement?

If that is a correct statement, it basically means that if I put my ASA appliances facing the Internet and there is a vulnerability in the IKE exchange, then someone could potentially take down the ASA appliance, because the device can NOT protect itself from other hosts initiating ISAKMP to it, whereas if I am using a VPN on a Cisco IOS device, I can apply an ACL on the external interface to protect it.

Is that an accurate statement?

Sorry, but I don't agree with acomiskey.

For incoming IPsec traffic, "sysopt connection permit-vpn" allows bypassing the ACL on the interface where the traffic comes in, so you don't need to permit IKE and ESP in your ACL.

Then, if you issue "no sysopt connection permit-vpn" and you don't configure an ACL with permissions for ESP and ISAKMP, your ASA won't reply to any incoming IPsec traffic, even if all the VPN configuration on the ASA is correct.

So with "no sysopt connection permit-vpn" and your ACL, only the host allowed in the ACL will be allowed to negotiate a VPN session.

I would be interested to see your "show crypto" result that proves that other hosts can get in.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/vpnsysop.html#wp1042105

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Sorry amadoutoure but that is not true.

"no sysopt connection permit-vpn" will not prevent you from connecting via vpn. It will only prevent you from going anywhere after you have connected.
