Thank you for your response. I would like to take the question a step further:
Assume that I can NOT remove the PSK and "crypto map vpn 20" on the ASA. Are there any alternatives to block 22.214.171.124 from establishing a VPN to the ASA? Furthermore, are there any ways to block any host other than 126.96.36.199 from establishing a VPN to the ASA? For example, with the configuration I described, it CAN be done on the IOS router.
I am asking this because if the ASA code itself has VPN vulnerabilities, someone can perform a DOS or DDOS on the ASA, because the ASA is designed to accept ISAKMP packets from EVERYWHERE, unlike an IOS router, where the ACL applied to the external interface can prevent this.
Again, I find the question very strange: why would you want to keep a PSK and a crypto map entry for a peer that you do not want to connect? It seems absurd...
Anyway, after thinking about this a bit more I realized that as of 8.0 you should be able to achieve what you want with CPP (control plane policing), i.e. the "control-plane" keyword in the "access-group" command, e.g.
access-group cciesec in interface outside control-plane
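As an added illustration of the control-plane approach named above (this is not configuration from the original post or from any of the thread's participants), the following ASA configuration defines the "cciesec" ACL so that only the wanted peer 184.108.40.206 can send IKE/NAT-T/ESP to the ASA itself, while the unwanted peer 22.214.171.124 and everyone else is dropped and logged before ISAKMP is ever processed. ASA_OUTSIDE_IP is a placeholder for the ASA's outside interface address, which the thread does not give; the ACL name and port keywords follow standard ASA syntax, and the control-plane keyword requires ASA 8.0 or later.

```cisco
! Added example, not from the original post. Assumes the ASA outside
! interface address is ASA_OUTSIDE_IP (placeholder) and that the only
! peer that should bring up the crypto-map tunnel is 184.108.40.206.
!
! Permit IKE (UDP/500), NAT-T (UDP/4500) and ESP only from the one peer,
! addressed to the ASA itself
access-list cciesec extended permit udp host 184.108.40.206 host ASA_OUTSIDE_IP eq isakmp
access-list cciesec extended permit udp host 184.108.40.206 host ASA_OUTSIDE_IP eq 4500
access-list cciesec extended permit esp host 184.108.40.206 host ASA_OUTSIDE_IP
!
! Drop and log VPN traffic to the ASA from everybody else, which includes
! the unwanted peer 22.214.171.124 even though its PSK and crypto map
! entry remain configured
access-list cciesec extended deny udp any host ASA_OUTSIDE_IP eq isakmp log
access-list cciesec extended deny udp any host ASA_OUTSIDE_IP eq 4500 log
access-list cciesec extended deny esp any host ASA_OUTSIDE_IP log
!
! Apply as a control-plane ACL: it filters only traffic destined TO the
! ASA's outside address, not traffic passing THROUGH the ASA, so the
! regular interface ACL for the ftp/smtp/dns/http servers is unaffected.
! The ACL ends with an implicit deny for other to-the-box traffic, so
! add permits for anything else the ASA must answer on this interface.
access-group cciesec in interface outside control-plane
```

The deny lines with "log" are there so that a peer repeatedly trying to negotiate from an unexpected address shows up in syslog, which is the signal a defender would want when the concern is unsolicited ISAKMP traffic hitting a possibly vulnerable VPN code path.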
Assuming that 188.8.131.52 hosts the ftp, smtp, dns and http/https servers, does it mean that anyone from the Internet can connect to this host on these services, and that only host 184.108.40.206 can initiate isakmp to the ASA?