Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

ASA Control Plane

Hello,

I'm attempting to limit what IP addreses can connect to an ASA using the SSL VPN. I would have thought control-plane policing would have worked, however it did not.

Here is what I configured:

access-list vpn_control extended permit tcp object-group allowed_clients interface outside

!

access-group vpn_control in interface outside control-plane

any suggestions would be appreciated.

Thanks!

18 REPLIES
Silver

ASA Control Plane

Please post more of the configuration and check logs to see what you are reporting, by any chance do you have http server enable, can you get me a show run http.

Check the following link that contains and explanation:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1541842

Note Access control rules for to-the-box management traffic (defined by such commands as http, ssh, or telnet) have higher precedence than an access list applied with the control-plane option. Therefore, such permitted management traffic will be allowed to come in even if explicitly denied by the to-the-box access list.

Value our effort and rate the assistance!
VIP Green

Re: ASA Control Plane

The command you entered for the control plane is for traffic destined  for the ASA itself...but also VPN traffic will bypass the interface  ACLs as it is encrypted by default.

You could try to issue the command no sysopt connection permit-vpn this will require the ASA to check the SSL VPN traffic against the interface configured ACL

Please rate any helpful posts.

--

Please remember to rate and select a correct answer
Silver

ASA Control Plane

This would be for traffic through the ASA and not really to the ASA.

sysopt connection permit-vpn

The sysopt connection permit-ipsec command allows all the traffic that enters the security appliance through a VPN tunnel to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. In PIX/ASA 7.1 and later, the sysopt connection permit-ipsec command is changed to sysopt connection permit-vpn. The vpn-filter is applied to post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel.

Value our effort and rate the assistance!
VIP Green

ASA Control Plane

Yes I know, but it is a option none the less

--

Please remember to rate and select a correct answer

ASA Control Plane

Hello,

Agree, The option to go is the control-plane one.

As far as I am aware that should do it.

Example:

access-list outside-control-plane extended deny tcp host 1..1.1.1 x.x.x.x eq 443 (where x.x.x.x is the Out interface IP)


access-group outside-control-plane in interface outside control-plane

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Silver

ASA Control Plane

Check the following link that contains and explanation:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1541842

Note Access  control rules for to-the-box management traffic (defined by such  commands as http, ssh, or telnet) have higher precedence than an access  list applied with the control-plane option. Therefore, such permitted  management traffic will be allowed to come in even if explicitly denied  by the to-the-box access list.

Value our effort and rate the assistance!
VIP Green

ASA Control Plane

@ jumora - you are correct, however this is only applicable for managment traffic.  To me it sounds like Spagsterj wants to limit IPs that are able to initiate an SSL VPN session.  As PKI will exchange keys before any traffic is sent between the devices, the traffic will be encrypted when the actual connection is made and will therefore bypass the outside interface ACL by default.  So (unless my logic is completely off here) he will need to disable the ACL bypass for it to take effect.

--

Please remember to rate and select a correct answer
Silver

ASA Control Plane

That is the issue, the ASA does not distinguish this if it is SSL VPN or management, I work at TAC and escalated a ticket a couple of days due to this, it is also related to class type management that did not work for SSL traffic but did for SSH.

Believe me I know what I'm talking about.

Value our effort and rate the assistance!

ASA Control Plane

Hello Marius,

Agree with Juancito "loquillo" in this one as what the customer is trying to accomplish is filter who connects to the Firewall via SSL, not what traffic is allowed to go via the tunnel.

In this case the control-plane option is the suitable option.

Cheers to boh of you.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
VIP Green

ASA Control Plane

Hi Julio,

That is my understanding too.  I don't think I mentioned traffic filtering...or did I?   I will have a read through the posts and see. 

Anyway, I am wondering if perhaps the ACL assigned to the control plane is being bypassed due to the encryption, which is why I suggested trying to disable the interface ACL bypass by using the following command:

no sysopt connection permit-vpn


--

Please remember to rate and select a correct answer
Silver

ASA Control Plane

Ok, do you still need assistance?

Julio knows me and please believe me when I correct anyone it´s not to presume it´s because I want them to understand.

Customer to you still need assistance???

Value our effort and rate the assistance!
New Member

ASA Control Plane

Hello,

Has there been any change regarding filtering what source IP address can initiate an SSL connection to the ASA for VPN access?

New Member

Re: ASA Control Plane

Bbb

Sent from Cisco Technical Support iPhone App

VIP Green

ASA Control Plane

Do you still require assistance with this issue?  If not please rate the helpful posts.

--

Please remember to rate and select a correct answer
Silver

ASA Control Plane

If you rate we assist if not black list

Value our effort and rate the assistance!
New Member

ASA Control Plane

I'm having a problem which I think is described here.  I would essentially like to whitelist networks for ssl anyconnect vpn access.  I understand that the anyconnect client would attempt a connection to my outside interface on 443 and that it would be considered "to the box traffic" which would bypass the interface ACL's. I set up an acl to deny traffic from a specific test network to test the control plane option.  At first I tried 443 traffic and later expanded it to a deny any from the external network, but in either case I was still able to VPN to the asa from this test network using the anyconnect client.  I assume this has something to do with management traffic having priority and not distiguishing between managment traffic destined for /admin and ssl vpn connections.  However, I do not have the outside interface enabled as a management interface, so even that is a little puzzling.

access-list outside_access_in_1 extended deny ip object test_network any

access-list outside_access_in_1 extended permit ip any any

access-group outside_access_in_1 in interface outside control-plane

If I do a packet trace for 443 traffic from that network to my outside interface IP it does show the traffic passing and the ACL section specifically shows it passing via implicit rule...

Re: ASA Control Plane

Hello,

Let me work on this and Get back to you,

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

I had the same problem too

I had the same problem too and figured out a solution. The problem being the control plane ACL is not blocking traffic from hosts residing on the non whitelist networks. In other words there is no permit statement covering connection from the unwanted host but unwanted host are still able to bypass the ACL and make connection directly to the box/ASA.

access-list ssl2box extended permit object tcp-883 202.144.2.0 255.255.255.0 any 

access-group ssl2box in interface outside control-plane

To clarify a few things in my particular setup:

  • For webvpn ssl the ASA5505 is listening on non standard port (for example tcp/883)
  • For http server management (only allowed for access from hosts residing behind the internal interface) the firewall is listening on tcp/444
  • For my internal hosted site (sits behind ASA5505) I'm performing port forward (tcp/443) from outside interface IP to internal IP. 

What worked for me is adding in the explicit deny:

access-list ssl2box extended deny object tcp-883 any interface outside log 

Viewing the access list hits shows what happens when a connection attempt is made from an IP not permitted (i.e. not on the whitelist):

access-list ssl2box line 7 extended deny tcp any interface outside eq 883 log informational interval 300 (hitcnt=1) 0xb35c358c 

Strangely, implicit deny for the control-plane ACL did bugger all !

Interested to hear if this post has helped anyone..

4174
Views
14
Helpful
18
Replies
CreatePlease to create content