Cisco Support Community

Disable isakmp on interfaces

Is there a way to disable isakmp on interfaces that don't need it, other than writing ACLs? For example, my IOS routers are responding to UDP 500 on the inside interfaces, and I really only need it on the outside. Not a really big deal, but the auditors want everything not needed disabled. Are there any issues with doing this?

Thank You


Re: Disable isakmp on interfaces

Well, on IOS and PIX/ASA you enable ISAKMP on a per-interface basis anyway; all other interfaces are disabled by default.

Does your audit require you to either lock down unused ports or disable unused services?

If it's ports, you could run into a bit of a nightmare. I personally would ask for more clarification on the actual requirements.


Re: Disable isakmp on interfaces

That is not what I'm seeing. It looks like the router is responding on port 500 with isakmp on all interfaces. There are no crypto statements that name an interface, and none on any interface. I also don't see a crypto statement that says default.

I'm sure I'm missing something, but what?

The audit request is standard best practice... Disable unused services on all interfaces where possible and appropriate.

This may have to stay on, but just checking. It's nice to be as clean as possible.

Re: Disable isakmp on interfaces

What response do you get from the device on all ports that indicates it wants to start the ISAKMP negotiation process?
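The fallback the original question mentions, an inbound ACL on the inside interface that stops the router answering IKE on the LAN side while the outside interface keeps working, as an added example that is not from any poster in this thread. Interface name and address are placeholders, and the UDP 4500 (NAT-T) line is an assumption added for completeness rather than something the thread reports.

```cisco
! Added example, not taken from the thread. Interface name and
! 192.0.2.1 are placeholders; replace with the real inside interface.
ip access-list extended INSIDE-IN
 remark Drop and log IKE (UDP 500) aimed at the router's own inside address
 deny   udp any host 192.0.2.1 eq isakmp log
 remark NAT-T (UDP 4500) handled the same way (assumption, not from the thread)
 deny   udp any host 192.0.2.1 eq non500-isakmp log
 remark All other traffic unchanged
 permit ip any any
!
interface GigabitEthernet0/1
 description INSIDE (placeholder)
 ip address 192.0.2.1 255.255.255.0
 ip access-group INSIDE-IN in
!
! Verification: hit counters on the deny lines show whether anything on the
! LAN is still probing UDP 500, which is the evidence an auditor will ask for.
! show ip access-lists INSIDE-IN
```

The outside interface carries no ACL change, so the existing VPN peer continues to negotiate normally.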
