How to filter L2L traffic to a PIX (or ASA)

Answered Question
Feb 7th, 2013

I've got a PIX running 7.2(4) with its outside interface on the Internet.  The only thing this PIX is doing is acting as the endpoint for an IPSEC LAN-to-LAN tunnel with an Internet-connected ASA on another network.

I'd like to filter inbound Internet traffic to this PIX so that only the designated ASA can attempt to establish an IPSEC connection -- in other words, I want to prevent any other device on the Internet from even being able to attempt to establish an IPSEC connection to the PIX.  As far as I know (and have seen), this can't be done with an access-list on the outside interface, since that access-list doesn't apply to traffic to the PIX itself.

So: is this possible, and if so how?

Correct Answer by Jouni Forss, Thu, 02/07/2013 - 11:57

Hi,

I don't know about PIX and the old software.

In the new software it's possible to create a separate ACL to filter traffic, for example one which will prevent ISAKMP towards the local "outside" interface.

The new software lets you use the keyword "control-plane" in the "access-group" command.

Here's a link for your reference to the Command Reference of the 9.1 software level (not sure when the command parameter was introduced, but I think it's pretty new):

http://www.cisco.com/en/US/docs/security/asa/asa91/command/reference/a1.html#wp1597389

Since you don't have an Internet router in between, I guess you can't really block Phase 1 there either. Is there a possibility that the ISP could do this for you?

EDIT: Stupid typos

- Jouni
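The control-plane ACL Jouni refers to, written out as an added example; this is not configuration from the original thread or from Cisco's documentation, and the ACL name, the ASA's outside address (198.51.100.1) and the peer address (203.0.113.10) are assumptions:

```cisco
! Added example, not from the original thread. Assumed addresses:
!   198.51.100.1  = this ASA's own outside interface
!   203.0.113.10  = the remote ASA, the only peer allowed to start IKE
!
! Permit only the designated peer to reach the box with IKE (UDP 500),
! NAT-T (UDP 4500) and ESP. Everything else addressed to the outside
! interface itself is dropped and logged by the final deny.
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list OUTSIDE-CP extended permit esp host 203.0.113.10 host 198.51.100.1
access-list OUTSIDE-CP extended deny ip any host 198.51.100.1 log
!
! The control-plane keyword is what makes this ACL apply to traffic
! destined to the ASA itself instead of traffic passing through it.
access-group OUTSIDE-CP in interface outside control-plane
```

The ordinary `access-group ... in interface outside` ACL keeps governing through-traffic and is unaffected by this. Because the control-plane ACL ends in a deny, add permits for anything else that legitimately terminates on the outside interface (management SSH or ASDM, any ICMP you want answered) before applying it, or you lock yourself out. Verify with `show access-list OUTSIDE-CP`: the permit lines should accumulate hits while the peer brings the tunnel up, and the deny line should accumulate hits (and syslogs) when any other address sends UDP 500 to the outside IP.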

openspec Thu, 02/07/2013 - 12:15

Thanks for the quick (and helpful) response.  Unfortunately it looks like the control-plane option isn't available in 7.2(4).  This PIX will probably be upgraded to an ASA in the next few months, but until then we're stuck -- I might be able to get the ISP to filter that traffic, but I wouldn't want to rely on that anyway.

So if anyone has an answer that will work on 7.2(4) (or can authoritatively verify that it's impossible there), that would be much appreciated.  In the interim I've at least blocked ICMP to this PIX from all hosts other than the allowed peer.

(EDITED: To note that 7.2(4) actually doesn't support the control-plane option.)
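What the interim ICMP restriction looks like on PIX/ASA 7.x, as an added example; this is not openspec's actual configuration, and the peer address is an assumption:

```cisco
! Added example, not from the original thread. Assumed peer: 203.0.113.10
! The icmp command governs only ICMP addressed to the interface itself;
! it exists on 7.2 and does not depend on the control-plane keyword.
icmp permit host 203.0.113.10 outside
icmp deny any outside
```

Check it with `show running-config icmp`. Keep in mind what it does not cover: it says nothing about UDP 500, so on 7.2(4) any Internet host can still deliver IKE to the outside interface, which is exactly the gap the thread is about. Until the release with control-plane ACL support is in place, the remaining protection is the IKE peer configuration itself (the tunnel-group and pre-shared key or certificate), so that unsolicited Phase 1 attempts fail authentication rather than being filtered before they are processed.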

openspec Thu, 02/07/2013 - 14:20

Looks like support for "control-plane" shows up by 8.0(4), so we may look at switching the PIX over to that release.

This Discussion

Posted February 7, 2013 at 11:46 AM