Disable isakmp on interfaces

jeff.cook
Level 1

Is there a way to disable isakmp on interfaces that don't need it? Other than writing ACLs? For example my IOS routers are responding to udp 500 on the inside interfaces, and I really only need it on the outside. Not a really big deal, but the auditors want everything not needed disabled. Are there any issues with doing this?

Thank You

3 Replies

andrew.prince
Level 10

Well on an IOS and PIX/ASA you enable ISAKMP on a per-interface basis anyway - all other interfaces are disabled by default.

Does your audit define you to either lock down non used ports or disable unused services?

As if it's ports - you could run into a bit of a nightmare - I personally would ask for more clarification on the actual requirements.

HTH

That is not what I'm seeing. It looks like the router is responding on port 500 with isakmp on all interfaces. There are no crypto statements that name an interface or on any interface. I also don't see a crypto statement that says default.

I'm sure I'm missing something, but what?

The audit request is standard best practice... Disable unused services on all interfaces where possible and appropriate.

This may have to stay on, but just checking. It's nice to be as clean as possible.

What response do you get from the device on all ports - that indicates that it wants to start the isakmp negotiation process?
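Since the original question mentions ACLs as the known alternative, the following is an added IOS configuration example (not from any poster in this thread) showing that route: an inbound ACL on the inside interface that drops IKE (UDP 500 and the NAT-T port 4500) addressed to the router itself while leaving transit traffic alone, so the auditor's scan of the inside interface no longer sees a UDP 500 responder. The interface name GigabitEthernet0/1 and the router address 192.0.2.1 are assumptions; substitute your own.

```cisco
! Added example, not from the thread. Assumed: GigabitEthernet0/1 is the inside
! interface and 192.0.2.1 is its address. Adjust both before use.
!
ip access-list extended INSIDE-IN
 remark Drop IKE / NAT-T aimed at the router's own inside address
 deny   udp any host 192.0.2.1 eq isakmp
 deny   udp any host 192.0.2.1 eq non500-isakmp
 remark Leave transit traffic (including inside hosts' own VPNs) untouched
 permit ip any any
!
interface GigabitEthernet0/1
 description inside
 ip access-group INSIDE-IN in
```

After applying it, `show ip access-lists INSIDE-IN` shows hit counts on the two deny lines when the inside scan is repeated, which is the evidence the auditor will want. The ACL only filters packets destined to the router's own address, so site-to-site or remote-access tunnels that terminate on the outside interface, and IKE traffic merely passing through from inside hosts, are unaffected; if the router has additional inside addresses (HSRP, secondary addresses), add a matching deny line for each.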
