Cisco Support Community

ASA responds to ISAKMP from any host

If site-to-site IPsec tunnels are configured, the ASA5510 responds to UDP/500 packets coming from ANY host, not only the pre-configured tunnel endpoints. This contradicts the organization's security policy. How can such behavior be prevented?

Notes:
1) only static tunnels are configured (no dynamic entries exist in the crypto map)
2) identity check is set to IP address only
3) an ACL does not help, as UDP/500 does not reach the ACL
4) aggressive mode is disabled
5) PSKs are used
6) different images tested (7.2 - 8.3)
7) we haven't noticed similar behavior on a PIX 515, but we will check this once more

I will be really thankful for any useful idea on how to close this security hole.

Best regards to everybody,
Aigars


Accepted Solutions

Re: ASA responds to ISAKMP from any host

Hi,

The ASA will respond to ISAKMP packets but only authorized IPs will be able to establish an IPsec tunnel (L2L tunnels configured only).

If you want to restrict the ASA from responding to UDP/500 packets, you can use an ACL on the interface terminating the tunnel with the control-plane keyword on the access-group command.

This makes the ACL filter traffic not only through the ASA but also to the ASA itself, so you can allow ISAKMP only from the permitted hosts.

Federico.
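
A worked configuration for the control-plane ACL described in the accepted answer, added here as an example; it is not from the original thread or from Cisco documentation. The ASA outside address 203.0.113.1, the two static peers 198.51.100.10 and 198.51.100.20, the interface name `outside` and the ACL name OUTSIDE-TO-BOX are assumptions for illustration:

```cisco
! Added example, not from the thread. Assumed: outside interface 203.0.113.1,
! static L2L peers 198.51.100.10 and 198.51.100.20, ACL name OUTSIDE-TO-BOX.
!
! ISAKMP (UDP/500) and NAT-T (UDP/4500) to the box only from the configured peers.
access-list OUTSIDE-TO-BOX extended permit udp host 198.51.100.10 host 203.0.113.1 eq isakmp
access-list OUTSIDE-TO-BOX extended permit udp host 198.51.100.10 host 203.0.113.1 eq 4500
access-list OUTSIDE-TO-BOX extended permit udp host 198.51.100.20 host 203.0.113.1 eq isakmp
access-list OUTSIDE-TO-BOX extended permit udp host 198.51.100.20 host 203.0.113.1 eq 4500
! Everyone else's ISAKMP/NAT-T probes are dropped before the IKE process sees them.
access-list OUTSIDE-TO-BOX extended deny udp any host 203.0.113.1 eq isakmp log
access-list OUTSIDE-TO-BOX extended deny udp any host 203.0.113.1 eq 4500 log
! Like any ASA ACL this one ends with an implicit deny, so other to-the-box
! traffic (management, etc.) must be permitted explicitly; this line keeps the
! pre-existing behavior for everything that is not ISAKMP/NAT-T.
access-list OUTSIDE-TO-BOX extended permit ip any any
! The control-plane keyword applies the ACL to traffic destined TO the ASA,
! not to traffic passing THROUGH it.
access-group OUTSIDE-TO-BOX in interface outside control-plane
```

After applying it, `show access-list OUTSIDE-TO-BOX` reports a hit count per line: a UDP/500 probe from a non-peer address should increment the deny line and get no reply, while the configured peers still bring their tunnels up. The trailing `permit ip any any` is the minimal change from the original state; a stricter policy would replace it with explicit permits for the management protocols actually needed on that interface.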

Re: ASA responds to ISAKMP from any host

Thanks for the information, this helped, and was really useful!

This was the thing I did not know...

Aigars
