Silver

IPSec site-2-site VPN on ASA5510

I have an ASA5510 running 8.2.1 code for site-2-site VPN.

I want to establish a VPN between this ASA5510 and a remote peer, a Cisco 1841 whose external IP address is 1.2.3.4.

I would like to allow ONLY IP address 1.2.3.4 to establish a VPN peering with the ASA 5510. Any other IP address will not be allowed.

On the ASA I allow this (a.b.c.d is the outside address of the ASA 5510):

no sysopt connection permit-vpn
crypto isakmp identity address
crypto isakmp enable outside
access-list outside_acl permit udp host 1.2.3.4 host a.b.c.d eq 500 log
access-list outside_acl permit udp host 1.2.3.4 host a.b.c.d eq 4500 log
access-list outside_acl permit esp host 1.2.3.4 host a.b.c.d log
access-list outside_acl deny udp any any eq 500 log
access-list outside_acl deny udp any any eq 4500 log
access-list outside_acl deny esp any any log
access-list outside_acl permit ip any any log
access-group outside_acl in interface outside

With this ACL on the outside interface, it seems like hosts other than 1.2.3.4 can also initiate VPN with my ASA5510.

Is it possible to stop other hosts besides 1.2.3.4 from initiating site-2-site VPN with my ASA 5510? Thanks in advance.

17 REPLIES
Community Member

Re: IPSec site-2-site VPN on ASA5510

Hi,

Do you have any kind of MPF inspection policy which uses inspect ipsec-pass-thru?

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1668213

What do you mean by "can also initiate VPN"?

Do you have ISAKMP and IPsec SAs?

regards

Silver

Re: IPSec site-2-site VPN on ASA5510

Not sure if you understand my question. I am terminating the VPN on the ASA itself, not ipsec-pass-thru. I only want the 1841 to be able to establish a VPN with me. Any other peers will not be able to establish a VPN with the ASA5510.

For example, let's say you have a Cisco 2600 with an IP address of 1.1.1.1 and you set up a site-2-site VPN with the ASA5510, and I also configure the VPN with the 2600. However, if you try to initiate the VPN from the 2600, my "outside_acl" will block you from doing it.

This can be done easily with Cisco IOS. How about ASA?

Does that make sense?

Community Member

Re: IPSec site-2-site VPN on ASA5510

Hi,

Your sentence "it seems like hosts other than 1.2.3.4 can also initiate VPN with my ASA5510" makes me ask if you're using ipsec-pass-thru.

But with the "no sysopt connection permit-vpn" command and your access-list, only 1.2.3.4 would be able to initiate a connection to the ASA 5510.

regards

Silver

Re: IPSec site-2-site VPN on ASA5510

"But with "no sysopt connection permit-vpn" command and your access-list only 1.2.3.4 would be able to initiate a connection to the ASA 5510."

That's what I thought as well but it was not the case. Other hosts such as 5.6.7.8 can also initiate VPN connectivity to the ASA5510 as well. How do I go about stopping this?

Community Member

Re: IPSec site-2-site VPN on ASA5510

Hi,

What do you mean by "Other hosts such as 5.6.7.8 can also initiate VPN connectivity to the ASA5510"?

Do you have SAs for other hosts on your ASA?

Verify also that connection permit-vpn is really deactivated: "show run all sysopt"

Regards

Silver

Re: IPSec site-2-site VPN on ASA5510

"Do you have SAs for other hosts on your ASA"

YES.

asa0n# show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp external
no sysopt noproxyarp internal
asa0n#

Community Member

Re: IPSec site-2-site VPN on ASA5510

Please issue these commands on your ASA when other hosts are getting in: "show crypto isakmp sa"

"show crypto ipsec sa"

Can you also post the part of your config related to the VPN?

Hosts can't get an SA if they're not configured as a peer and don't use the same shared key or certificate server.

regards
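The check this reply is asking for, as an added example that is not part of the thread: parse the ASA `show crypto isakmp sa` listing and flag any IKE SA whose peer is not on the allow-list. The sample output is constructed by hand in the ASA 8.x layout; the allow-list assumes the OP's single peer 1.2.3.4.

```python
"""Compare ASA 'show crypto isakmp sa' output against an allow-list of IKE peers.

Added example for this thread, not from the original post. SAMPLE_OUTPUT is a
constructed listing in the ASA 8.x layout: one expected L2L peer (1.2.3.4) and
one unexpected peer (5.6.7.8) that negotiated an SA anyway.
"""
import re

ALLOWED_PEERS = {"1.2.3.4"}   # the only peer the OP wants to accept (assumption)

# Constructed sample output; Role "responder" means the remote side initiated IKE.
SAMPLE_OUTPUT = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 1.2.3.4
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: 5.6.7.8
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")      # "1   IKE Peer: 1.2.3.4"
FIELD_RE = re.compile(r"(Type|Role|State)\s*:\s*(\S+)")   # "Type : L2L  Role : responder"


def parse_isakmp_sa(text):
    """Return one dict per IKE SA with keys peer, type, role and state."""
    entries = []
    current = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:                                  # start of a new SA entry
            current = {"peer": m.group(1)}
            entries.append(current)
            continue
        if current is not None:                # detail lines belong to the last peer
            for key, val in FIELD_RE.findall(line):
                current[key.lower()] = val
    return entries


def unexpected_peers(text, allowed=ALLOWED_PEERS):
    """IKE SAs held by peers that are not on the allow-list."""
    return [e for e in parse_isakmp_sa(text) if e["peer"] not in allowed]


if __name__ == "__main__":
    for e in unexpected_peers(SAMPLE_OUTPUT):
        print(f"unexpected IKE SA: peer={e['peer']} role={e.get('role')} state={e.get('state')}")
```

Run it against the real output pasted from the ASA in place of SAMPLE_OUTPUT; any peer it reports is one that got past the outside ACL.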

Green

Re: IPSec site-2-site VPN on ASA5510

sysopt connection permit-vpn only deals with ipsec traffic after the tunnel is established. It has nothing to do with what peer can attempt a connection. I would recommend using an access list in an outside router if you have one to restrict vpn traffic from 1.2.3.4 only.

Silver

Re: IPSec site-2-site VPN on ASA5510

If I understand correctly, this feature "is" available on Cisco IOS routers but NOT on ASA appliances? Is that a fair statement?

If that is a correct statement, it basically states that if I put my ASA appliances facing the Internet and there is a vulnerability in the IKE exchange, then someone could potentially take down the ASA appliance because the device can NOT protect itself from other hosts initiating ISAKMP to it, whereas if I am using VPN on a Cisco device, I can apply an ACL on the external interface to protect it.

Is that an accurate statement?

Community Member

Re: IPSec site-2-site VPN on ASA5510

Sorry, but I don't agree with acomiskey.

For incoming IPsec traffic, "sysopt connection permit-vpn" allows bypassing the ACL on the interface where the traffic comes in, so you don't need to permit IKE and ESP in your ACL.

Then if you issue "no sysopt connection permit-vpn" and you don't configure an ACL permitting ESP and ISAKMP, your ASA won't reply to any incoming IPsec traffic even if all the VPN configuration on the ASA is correct.

So with "no sysopt connection permit-vpn" and your ACL, only hosts allowed in the ACL will be allowed to negotiate a VPN session.

I would be interested to see your "show crypto" result that proves that other hosts can get in.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/vpnsysop.html#wp1042105

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Green

Re: IPSec site-2-site VPN on ASA5510

Sorry amadoutoure but that is not true.

"no sysopt connection permit-vpn" will not prevent you from connecting via vpn. It will only prevent you from going anywhere after you have connected.

Green

Re: IPSec site-2-site VPN on ASA5510

Test it and you will see :-)

Silver

Re: IPSec site-2-site VPN on ASA5510

How can I resolve my issue WITHOUT any ACL on the upstream router?

Community Member

Re: IPSec site-2-site VPN on ASA5510

Sorry, my browser hung and repeated my post...

I tested it and acomiskey is right... the PIX (dynamips) still accepts incoming VPN connections even when "no sysopt connection permit-vpn" is issued and no access-list is configured on the lower-level interface.

Hmmm, always learning something...

Regards
