Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Disable ASA IPSEC over UDP

Hi,

Anyone can advise on how to disable ASA VPN firewall IPSEC over UDP ? i just want the VPN user to connect with IPSEC over TCP port 10000. i have tried to configured, but users still be able to connect with both IPSEC over UDP, as well as IPSEC over TCP.

Thanks in advance.

8 REPLIES
Super Bronze

Re: Disable ASA IPSEC over UDP

Under group-policy, you can disable ipsec-udp as follows:

group-policy NEO-RWG-NSC attributes

     ipsec-udp disable

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/i3.html#wp1841317

Hope that helps.

New Member

Re: Disable ASA IPSEC over UDP

Thanks in the info, but i've tried the command, i still be able to get connected with IPSEC over UDP. Any other idea ?

Super Bronze

Re: Disable ASA IPSEC over UDP

Also the nat-traversal to be disable:

no crypto isakmp nat-traversal 20

Hope that disable all the UDP encapsulation.

New Member

Re: Disable ASA IPSEC over UDP

I've tried the suggested command, i'm still be able to get connected with IPSEC over UDP, appreciate if there are any further suggestion and ideas.

Thanks.

Super Bronze

Re: Disable ASA IPSEC over UDP

Can you please advise which UDP port is the user connected to? and does the user fall under the "NEO-RWG-NSC" group policy, or any other groups?

Please share the output of the following when user is connected on UDP ports:

show vpn-sessiondb remote filter name

Cisco Employee

Re: Disable ASA IPSEC over UDP

I think you need to define IPSEC over UDP.  ipsec over udp (port 10000) is usually blocked by default.

If you are referring to be able to use ISAKMP (UDP port 500) and nat-traversal (udp port 4500) - there is no way to 'block' access to those ports once isakmp is enabled short of putting an access-list on the control plane of the ASA.  (access-group in interface control-plane)


However, even IPSEC over TCP  needs ISAKMP for initial negotiation (and possibly keepalives/DPD as well), so you can't block port 500.  I suppose it is technically possible to block ESP in that access-list on the control plane  (so that you would either have to be encapsulated at TCP or UDP if using nat-traversal at that point), but potentially someone using nat-traversal could still connect and use the VPN.  You *could* disable nat-traversal and use the access-list on the control plane to block ESP packets, but I don't think users behind NAT would work at that point even if they're using TCP.

--Jason

Cisco Employee

Re: Disable ASA IPSEC over UDP

I agreed with Jason, I just forgot that the crypto command does not have a filtering option (going to the device)

With the suggestions that Jason added, I could only imagine a design like this:

A router in the front doing a one to one translation for the VPN endpoint (ASA), and then permit just the TCP port 10000 (default of IPSec Over TCP) and also the port UDP 500. ESP packets and port 4500 should be blocked.

Is very funny that IPSEC over TCP is not a full implementation since is uses the keepalives in port udp 500.

Just to confirm I did a LAB and all the initial negotiation uses the TCP port.

Anyway I think that some users are still allowed to connect but all the traffic will be dropped.

The other possible solution is to use clients with the UDP option disabled; maybe you can customize the client or use the Cisco code to add that functionality.

IPsec over TCP is a CISCO implementation, I do not see a reason to disable the functionality of plain IPSEC, if you do not want to use UDP you can use a SSL solution (but even CISCO added a DTLS solution to use UDP). If there is a good reason to do not use the standard IPSEC you should write down all the details and contact a CISCO reseller/sales center to apply for the "enhancements".

JLSALAS
Cisco Employee

Re: Disable ASA IPSEC over UDP

What about if you disabled the sysopt connection permit-vpn, and open the outside ACL (access-group) permiting the port 10000 and also the VPN traffic?

3345
Views
1
Helpful
8
Replies