Can anyone advise on how to disable IPsec over UDP on an ASA VPN firewall? I just want the VPN users to connect with IPsec over TCP port 10000. I have tried to configure it, but users are still able to connect with both IPsec over UDP and IPsec over TCP.
I think you need to define what you mean by IPsec over UDP. IPsec over UDP (port 10000) is usually blocked by default.
If you are referring to being able to use ISAKMP (UDP port 500) and NAT traversal (UDP port 4500), there is no way to "block" access to those ports once ISAKMP is enabled, short of putting an access-list on the control plane of the ASA (access-group ... in interface ... control-plane).
However, even IPsec over TCP needs ISAKMP for the initial negotiation (and possibly keepalives/DPD as well), so you can't block port 500. I suppose it is technically possible to block ESP in that access-list on the control plane (so that you would have to be encapsulated in either TCP or UDP, if using NAT traversal at that point), but potentially someone using NAT traversal could still connect and use the VPN. You *could* disable NAT traversal and use the access-list on the control plane to block ESP packets, but I don't think users behind NAT would work at that point, even if they're using TCP.
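As an added illustration of the control-plane access-list approach described above (example configuration, not from the thread or from Cisco documentation; OUTSIDE_IP is a placeholder for the ASA outside address, the ACL name is arbitrary, and the `crypto isakmp ipsec-over-tcp` line is the 8.3-and-earlier syntax, replaced by `crypto ikev1 ipsec-over-tcp` on 8.4+):

```cisco
! Added example, not part of the original thread. OUTSIDE_IP is a placeholder.
! Enable IPsec over TCP on the port the original poster wants (10000).
crypto isakmp ipsec-over-tcp port 10000
!
! To-the-box (control-plane) filter. ISAKMP on UDP/500 must stay open because
! even the TCP-encapsulated client negotiates over it, as noted in the reply.
access-list VPN_CP extended permit udp any host OUTSIDE_IP eq 500
access-list VPN_CP extended permit tcp any host OUTSIDE_IP eq 10000
! Deny the two transports that the poster wants to disallow: NAT-T (UDP/4500)
! and native ESP (IP protocol 50). Clients behind NAT that do not use the TCP
! option will now fail, which is the caveat raised above.
access-list VPN_CP extended deny udp any host OUTSIDE_IP eq 4500
access-list VPN_CP extended deny esp any host OUTSIDE_IP
! Keep every other to-the-box flow (management, routing) as it was, instead of
! letting the ACL's implicit deny cut them off.
access-list VPN_CP extended permit ip any any
access-group VPN_CP in interface outside control-plane
```

Verify with `show access-list VPN_CP` after a client test: the deny counters for 4500 and ESP show whether clients are still attempting the UDP paths.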
I agree with Jason; I just forgot that the crypto command does not have a filtering option (for traffic going to the device).
With the suggestions that Jason added, I could only imagine a design like this:
A router in front doing a one-to-one translation for the VPN endpoint (ASA), and then permitting just TCP port 10000 (the default for IPsec over TCP) and also UDP port 500. ESP packets and port 4500 should be blocked.
It is very funny that IPsec over TCP is not a full implementation, since it uses the keepalives on UDP port 500.
Just to confirm I did a LAB and all the initial negotiation uses the TCP port.
Anyway I think that some users are still allowed to connect but all the traffic will be dropped.
The other possible solution is to use clients with the UDP option disabled; maybe you can customize the client or use the Cisco code to add that functionality.
IPsec over TCP is a Cisco implementation; I do not see a reason to disable the functionality of plain IPsec. If you do not want to use UDP you can use an SSL solution (but even Cisco added a DTLS option to use UDP). If there is a good reason not to use standard IPsec, you should write down all the details and contact a Cisco reseller/sales center to apply for the "enhancements".