Disable ASA IPSEC over UDP

Jul 1st, 2010

Hi,

Can anyone advise how to disable IPSEC over UDP on the ASA VPN firewall? I just want the VPN users to connect with IPSEC over TCP on port 10000. I have tried to configure this, but users are still able to connect with both IPSEC over UDP and IPSEC over TCP.

Thanks in advance.

benghock Fri, 07/02/2010 - 00:15

Thanks for the info, but I've tried the command and I am still able to connect with IPSEC over UDP. Any other ideas?

Jennifer Halim (Cisco Employee) Fri, 07/02/2010 - 01:35

NAT traversal also has to be disabled:

no crypto isakmp nat-traversal 20

Hopefully that disables all the UDP encapsulation.

benghock Fri, 07/02/2010 - 02:23

I've tried the suggested command and I'm still able to connect with IPSEC over UDP. I'd appreciate any further suggestions and ideas.

Thanks.

Jennifer Halim (Cisco Employee) Fri, 07/02/2010 - 02:27

Can you please advise which UDP port the user is connected to? And does the user fall under the "NEO-RWG-NSC" group policy, or any other group?


Please share the output of the following when user is connected on UDP ports:

show vpn-sessiondb remote filter name

Jason Gervia (Cisco Employee) Mon, 07/05/2010 - 06:09

I think you need to define IPSEC over UDP. IPSEC over UDP (port 10000) is usually blocked by default.


If you are referring to be able to use ISAKMP (UDP port 500) and nat-traversal (udp port 4500) - there is no way to 'block' access to those ports once isakmp is enabled short of putting an access-list on the control plane of the ASA.  (access-group in interface control-plane)


However, even IPSEC over TCP needs ISAKMP for initial negotiation (and possibly keepalives/DPD as well), so you can't block port 500. I suppose it is technically possible to block ESP in that access-list on the control plane (so that you would either have to be encapsulated at TCP or UDP if using nat-traversal at that point), but potentially someone using nat-traversal could still connect and use the VPN. You *could* disable nat-traversal and use the access-list on the control plane to block ESP packets, but I don't think users behind NAT would work at that point even if they're using TCP.


--Jason

Jorge Salas (Cisco Employee) Mon, 07/05/2010 - 09:31

I agree with Jason; I just forgot that the crypto command does not have a filtering option (for traffic going to the device).

With the suggestions that Jason added, I could only imagine a design like this:

A router in the front doing a one to one translation for the VPN endpoint (ASA), and then permit just the TCP port 10000 (default of IPSec Over TCP) and also the port UDP 500. ESP packets and port 4500 should be blocked.

It is very funny that IPSEC over TCP is not a full implementation, since it uses the keepalives on UDP port 500.

Just to confirm, I did a lab and all the initial negotiation uses the TCP port.

Anyway, I think that some users are still allowed to connect but all the traffic will be dropped.

The other possible solution is to use clients with the UDP option disabled; maybe you can customize the client or use the Cisco code to add that functionality.

IPsec over TCP is a Cisco implementation. I do not see a reason to disable the functionality of plain IPSEC; if you do not want to use UDP you can use an SSL solution (but even Cisco added a DTLS solution to use UDP). If there is a good reason not to use standard IPSEC, you should write down all the details and contact a Cisco reseller/sales center to apply for the "enhancements".

JLSALAS

Jorge Salas (Cisco Employee) Fri, 07/02/2010 - 20:37

What if you disabled sysopt connection permit-vpn and opened the outside ACL (access-group), permitting port 10000 and also the VPN traffic?
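Added example, not posted by anyone in this thread: an ASA configuration fragment that puts together the pieces discussed above (Jennifer's "no crypto isakmp nat-traversal", Jason's control-plane access-list idea, and the TCP 10000 / UDP 500 allow list Jorge describes for a front-end router) on the ASA itself. The interface name "outside", the ASA address 192.0.2.1 and the group-policy name are assumptions (192.0.2.1 is a placeholder; "NEO-RWG-NSC" is the group policy Jennifer asked about); it also assumes an ASA release that accepts the "control-plane" keyword on access-group.

```cisco
! Added example (not from the thread). Assumptions: outside interface is named
! "outside", the ASA's outside address is 192.0.2.1 (placeholder), and the
! release supports to-the-box access-groups ("control-plane").

! 1. Offer IPsec over TCP on 10000 (the default port) and turn off NAT-T, so the
!    ASA no longer negotiates UDP/4500 encapsulation.
crypto isakmp ipsec-over-tcp port 10000
no crypto isakmp nat-traversal

! 2. Make sure the legacy "IPsec over UDP" client option is off in the group
!    policy (it is off by default; this makes the intent explicit).
group-policy NEO-RWG-NSC attributes
 ipsec-udp disable

! 3. Control-plane ACL: filters traffic addressed TO the ASA, which a normal
!    interface ACL does not. Allow IKE (UDP/500) and IPsec over TCP (10000),
!    drop NAT-T (UDP/4500) and plain ESP, keep everything else to the box open
!    so management sessions (SSH, ASDM) are not cut off by the implicit deny.
access-list CP_VPN_IN extended permit tcp any host 192.0.2.1 eq 10000
access-list CP_VPN_IN extended permit udp any host 192.0.2.1 eq isakmp
access-list CP_VPN_IN extended deny udp any host 192.0.2.1 eq 4500
access-list CP_VPN_IN extended deny esp any host 192.0.2.1
access-list CP_VPN_IN extended permit ip any any
access-group CP_VPN_IN in interface outside control-plane
```

After applying it, use the command Jennifer asked for, "show vpn-sessiondb remote filter name <user>", to confirm that a connected user's session shows TCP encapsulation rather than UDP. The trade-off Jason raised still applies: with NAT-T disabled and ESP dropped, clients can only reach the ASA through the TCP encapsulation, and in his assessment users behind NAT may not work at that point even over TCP, so test from a NATed client before rolling this out.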
