ASA responds to ISAKMP from any host

Answered Question
Apr 21st, 2010

If site-2-site IPsec tunnels are configured, the ASA5510 responds to UDP/500 packets coming from ANY host, not only the pre-configured tunnel end-points. This contradicts the organization's security policy. How can such behavior be prevented? Notes:

1) only static tunnels are configured (no dynamic entries exist in the crypto map)
2) identity check is set to IP address only
3) an ACL does not help, as UDP/500 does not reach the ACL
4) aggressive mode is disabled
5) PSKs are used
6) different images tested (7.2 - 8.3)
7) we haven't noticed a similar behavior for the PIX515, but we will check this one more time

I will be really thankful for any useful idea on how to close this security hole. Best regards to everybody, Aigars

Correct Answer
Federico Coto F... Thu, 04/22/2010 - 08:20

Hi,

The ASA will respond to ISAKMP packets but only authorized IPs will be able to establish an IPsec tunnel (L2L tunnels configured only).

If you want to restrict the ASA from responding to UDP/500 packets, you can use an ACL on the interface terminating the tunnel with the control-plane keyword on the access-group command.

This will enforce the ACL to filter traffic not only through the ASA, but to the ASA as well, and you can allow ISAKMP only from the permitted hosts.

Federico.
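What the control-plane ACL described above looks like in practice, as an added example and not configuration from the thread or from Cisco. The interface name "outside", its address 198.51.100.1, the peer addresses 203.0.113.10 / 203.0.113.20 and the management subnet 10.0.0.0/24 are placeholders; it also assumes NAT-T (UDP/4500) may be in use and that SSH management arrives on the same interface.

```cisco
! To-the-box filter for the tunnel-terminating interface.
! ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP are accepted only from the
! two statically configured L2L peers; everything else aimed at the
! interface address is dropped before the ISAKMP process ever sees it.
access-list TO_BOX_OUTSIDE remark -- static L2L peer A --
access-list TO_BOX_OUTSIDE extended permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list TO_BOX_OUTSIDE extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list TO_BOX_OUTSIDE extended permit esp host 203.0.113.10 host 198.51.100.1
access-list TO_BOX_OUTSIDE remark -- static L2L peer B --
access-list TO_BOX_OUTSIDE extended permit udp host 203.0.113.20 host 198.51.100.1 eq isakmp
access-list TO_BOX_OUTSIDE extended permit udp host 203.0.113.20 host 198.51.100.1 eq 4500
access-list TO_BOX_OUTSIDE extended permit esp host 203.0.113.20 host 198.51.100.1
! Log unsolicited IKE probes from anyone else so the drops are visible in syslog
access-list TO_BOX_OUTSIDE extended deny udp any host 198.51.100.1 eq isakmp log
access-list TO_BOX_OUTSIDE extended deny udp any host 198.51.100.1 eq 4500 log
! Explicitly permit the management traffic you still need to reach the box
! from this interface rather than relying on the ACL's tail behaviour
! (placeholder subnet; adjust to the real management source).
access-list TO_BOX_OUTSIDE extended permit tcp 10.0.0.0 255.255.255.0 host 198.51.100.1 eq ssh
! Bind it to the box itself, not to transit traffic
access-group TO_BOX_OUTSIDE in interface outside control-plane
```

After applying it, `show access-list TO_BOX_OUTSIDE` hit counts on the two deny lines confirm that UDP/500 from non-peers is now dropped, while `show crypto isakmp sa` should still show the two static peers negotiating normally.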

aigars Fri, 04/23/2010 - 02:46

Thanks for the information, this helped, and was really useful!

This was the thing I did not know...


Aigars
