Cisco Support Community

New Member

Restrict certain IP addresses for establishing IPSec

Is it possible on Cisco ASA 55xx to restrict (to filter) certain public IP addresses which would be THE ONLY addresses able to establish Remote Access IPSec VPN using Cisco VPN client? Let's assume that Cisco VPN client establishes the VPN connection from a fixed public IP address (always the same).

So, I am not talking about ACL actions on VPN traffic. I'm asking about establishing IPSec tunnel and preventing some public IPs of even trying that.

Thanks.

  • VPN
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Restrict certain IP addresses for establishing IPSec

Hi Ivan,

You may use control-plane access-list to filter the VPN connections to the ASA by blocking UDP 500.

For example:

ciscoasa(config)# access-list FILTER-VPN deny udp host host   eq 500

ciscoasa(config)# access-list FILTER-VPN permit ip any any

ciscoasa(config)# access-group FILTER-VPN in interface outside control-plane

Regards.

----
Mashal Shboul

-------

Edit: Didn't see Marcin's reply

Message was edited by: Mashal Alshboul

------------------ Mashal Shboul
4 REPLIES
Cisco Employee

Restrict certain IP addresses for establishing IPSec

bsns-asa5505-19(config)# access-group IN in interface outside ?

configure mode commands/options:

  control-plane      Specify if rule is for to-the-box traffic

For example from:

http://blog.ipexpert.com/2011/01/05/asa-control-plane-access-list/

I'm not saying it's a smart thing to do, but it's a possibility...

New Member

Restrict certain IP addresses for establishing IPSec

Hi,

thanks for the answer. That will do just fine.

If I put ssh 0 0 outside, the mgmt traffic will still be able to hit the outside interface even if it is not permitted in the FILTER-VPN cp acl, right? I read that it takes precedence over the cp acl.

Regards

Cisco Employee

Re: Restrict certain IP addresses for establishing IPSec

Hi Ivan,

Yes, the "ssh 0 0 outside" overrides the control-plane ACL and allows the SSH connections to the ASA.

Actually this statement creates the following implicit ACL to permit the SSH traffic:

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x732d57e8, priority=121, domain=permit, deny=false

        hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=22, dscp=0x0

        input_ifc=outside, output_ifc=identity

Hope this helps

---
Mashal Shboul

------------------ Mashal Shboul
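As an added example (not code from the thread, from Cisco, or from either poster), the following Python script builds the allow-list form of the control-plane ACL that the accepted answer sketches with a per-host deny, renders it as ASA config lines, and runs a first-match simulation over it so the rule order can be checked before it is pasted into a firewall. The ACL name CP-VPN-ALLOW, the peer addresses (TEST-NET ranges) and the interface name are constructed sample values. Two things go beyond what the thread states and are my assumptions: UDP/4500 (NAT-T, used by the VPN client when it sits behind NAT) is filtered alongside UDP/500, and evaluate() models the "ssh <net> <mask> outside" precedence from the last reply as a check that runs before the ACL rather than as the ASA's real lookup engine.

```python
"""Build, render and sanity-check an ASA control-plane ACL that allow-lists
the public IPs permitted to start an IPsec (IKE) session to the box.

Added example, not from the thread or from Cisco. Assumptions are marked.
"""
import ipaddress
from typing import List, Optional, Tuple

ACL_NAME = "CP-VPN-ALLOW"      # constructed ACL name
OUTSIDE_IFC = "outside"        # interface name used in the thread
IKE_PORTS = (500, 4500)        # ISAKMP (from the thread) and NAT-T (assumption)

# Rule = (action, protocol, source network, destination port or None)
Rule = Tuple[str, str, ipaddress.IPv4Network, Optional[int]]


def build_rules(allowed_peers: List[str]) -> List[Rule]:
    """Allow-list: permit IKE from the listed peers, deny IKE from everyone
    else, then permit the rest so other to-the-box traffic is unaffected
    (mirrors the thread's closing 'permit ip any any')."""
    rules: List[Rule] = []
    for peer in allowed_peers:
        net = ipaddress.IPv4Network(peer, strict=False)
        for port in IKE_PORTS:
            rules.append(("permit", "udp", net, port))
    any_net = ipaddress.IPv4Network("0.0.0.0/0")
    for port in IKE_PORTS:
        rules.append(("deny", "udp", any_net, port))
    rules.append(("permit", "ip", any_net, None))
    return rules


def src_token(net: ipaddress.IPv4Network) -> str:
    """ASA source syntax: 'host A.B.C.D', 'any', or 'network mask'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.netmask}"


def render(rules: List[Rule]) -> List[str]:
    """Render the rules as ASA config lines, ending with the control-plane
    binding shown in the accepted answer."""
    lines = []
    for action, proto, net, port in rules:
        line = f"access-list {ACL_NAME} extended {action} {proto} {src_token(net)} any"
        if port is not None:
            line += f" eq {port}"
        lines.append(line)
    lines.append(f"access-group {ACL_NAME} in interface {OUTSIDE_IFC} control-plane")
    return lines


def evaluate(rules: List[Rule], src_ip: str, proto: str, dst_port: int,
             ssh_hosts: Tuple[str, ...] = ()) -> str:
    """First-match simulation of to-the-box traffic on the outside interface.
    ssh_hosts models 'ssh <net> <mask> outside', which (per the last reply)
    creates an implicit permit for TCP/22 that overrides the control-plane
    ACL. This is a simplified model, not the ASA's lookup engine."""
    src = ipaddress.IPv4Address(src_ip)
    if proto == "tcp" and dst_port == 22:
        if any(src in ipaddress.IPv4Network(h, strict=False) for h in ssh_hosts):
            return "permit (implicit ssh rule)"
    for action, rproto, net, port in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if src not in net:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny (implicit)"


# Constructed sample input: two VPN client sources that may start IKE.
ALLOWED = ["203.0.113.10/32", "198.51.100.0/24"]
RULES = build_rules(ALLOWED)
CONFIG = render(RULES)

if __name__ == "__main__":
    for line in CONFIG:
        print(line)
    print(evaluate(RULES, "203.0.113.10", "udp", 500))   # permit
    print(evaluate(RULES, "192.0.2.5", "udp", 500))      # deny
    print(evaluate(RULES, "192.0.2.5", "tcp", 22, ssh_hosts=("0.0.0.0/0",)))
```

The simulation makes the two points of the thread visible: the closing "permit ip any any" does not reopen IKE because the deny lines sit above it, and a "ssh 0 0 outside" statement admits TCP/22 from any source before the ACL is consulted, so SSH source restriction has to be done in the ssh command's own network argument rather than in the control-plane ACL.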
1762 Views, 0 Helpful, 4 Replies