If site-2-site ipsec tunnels are configured, ASA5510 responds to UDP/500 packets coming from ANY host, not only pre-configured tunnel end-points. This is contradictory to the organization's security policy. How can such behavior be prevented?

Notes:
1) only static tunnels are configured (no dynamic entries exist in crypto map)
2) identity check is set to ip address only
3) ACL does not help, as UDP/500 does not reach ACL
4) aggressive mode is disabled
5) PSK are used
6) different images tested (7.2 - 8.3)
7) we haven't noticed a similar behavior for PIX515, but we will check this one more time

I will be really thankful for any useful idea how to close this security hole.

Best regards to everybody,
Aigars
The ASA will respond to ISAKMP packets but only authorized IPs will be able to establish an IPsec tunnel (L2L tunnels configured only).
If you want to restrict the ASA from responding to UDP/500 packets, you can use an ACL on the interface terminating the tunnel with the control-plane keyword on the access-group command.
This will enforce the ACL to filter traffic not only through the ASA, but to the ASA as well, and you can allow ISAKMP only from the permitted hosts.
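The control-plane ACL described in the answer above, written out as an added example (not configuration posted by anyone in the thread). The peer addresses 198.51.100.10 and 198.51.100.20, the ASA outside address 203.0.113.1, the interface name `outside`, and the object-group and ACL names are constructed placeholders; the `control-plane` keyword on `access-group` is only available on ASA releases that support it.

```text
! Added example. Replace the constructed addresses and names with your own.
! Known site-to-site peers (constructed values)
object-group network VPN_PEERS
 network-object host 198.51.100.10
 network-object host 198.51.100.20

! ISAKMP (UDP/500) to the ASA's own outside address, from known peers only
access-list OUTSIDE_CP extended permit udp object-group VPN_PEERS host 203.0.113.1 eq isakmp
! NAT-T (UDP/4500) is needed only if a peer sits behind NAT; harmless otherwise
access-list OUTSIDE_CP extended permit udp object-group VPN_PEERS host 203.0.113.1 eq 4500
! ESP carries the tunnelled traffic itself once the SA is up
access-list OUTSIDE_CP extended permit esp object-group VPN_PEERS host 203.0.113.1

! Apply it to traffic destined TO the ASA (control plane), not through it
access-group OUTSIDE_CP in interface outside control-plane
```

A control-plane ACL ends in an implicit deny, so anything else that must still reach the outside interface address itself (for example remote management, if permitted on that interface) has to be listed explicitly before applying it; through-the-box traffic is unaffected and keeps using the interface's regular `access-group ... in interface outside` ACL. After applying, `show access-list OUTSIDE_CP` shows hit counts per line, so peer negotiations should increment the ISAKMP entry while unsolicited UDP/500 from other sources no longer gets a reply.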