topic Have you tried blocking it at in Network Security

How do I block IP addresses from trying to establish VPN tunnel with my ASA?

rweir0001 — Tue, 12 Mar 2019 06:34:52 GMT

I frequently receive logs from my ASA that indicate random IP addresses are trying to establish a VPN tunnel with it:

ASA-4-713903
ASA-3-713902

Possible unexpected behavior of a peer occured (e.g., loss of connectivity).

Group = DefaultRAGroup, IP = xxx.xxx.6.191, Error: Unable to remove PeerTblEntry

Possible configuration error on either the headend or remote access client.

Group = DefaultRAGroup, IP = xxx.xxx.6.191, Removing peer from peer table failed, no match!

I have created rules blocking ISAKMP (udp/port 500) and udp/port 4500 for IKE negotiations but I still receive these logs. In addition I have blocked several other protocols because I just don't want these IP addresses reaching my ASA at all such as esp (protocol 50), ALL ICMP traffic, IP, and http/https. I just added AH (protocol 51) as well because I noticed that it was missing. If adding AH DOESN'T resolve the issue then what else do I need to block in order to prevent these IP addresses from trying to establish a VPN tunnel?

Have you tried blocking it at

Josh Sprang — Thu, 10 Sep 2015 19:06:43 GMT

Have you tried blocking it at the control plane. I would give that a shot. Or figure out the remote side IP and try to contact them...

access-list cp-outside deny udp host xxxx.xxxx.6.191 any eq 4500

access-list cp-outside deny udp host xxxx.xxxx.6.191 any eq 500

access-list cp-outside deny esp host xxxx.xxxx.6.191 any

access-list cp-outside permit ip any any

access-group cp-outside in interface outside control-plane

I think you need to add the

Andres Vega — Thu, 10 Sep 2015 19:09:50 GMT

I think you need to add the control-plane keyword at the end of your Access-group statement.

An access-group without the keyword control-plane will filter ASA traffic pass-trough , if you want to filter traffic that hits ASA interface, i mean destined to the WAN interface or whatever interface you have to add the keyword.

Here it is, the Cisco ASA configuration guide

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_rules.html#wp1086731

e.g

Outside interface ip address: y.y.y.y
External ip address allowed to establish connection against the ASA: x.x.x.x

access-list Outside_ACL permit udp host x.x.x.x eq 500 host y.y.y.y eq 500
access-group Outside_ACL in interface outside control-plane

I think this could be a guide how should it be configured. by the way be careful about the acl implicit deny, if you are connecting to the ASA using the outside interface, you need to permit your public ip address.

Regards,

Andres

Thanks for the clarification.

rweir0001 — Mon, 14 Sep 2015 13:37:35 GMT

Thanks for the clarification. I have blocked the tunnel traffic from the offending IP addresses on the control-plane and it looks like it has worked.

Thank you. Blocking the

rweir0001 — Mon, 14 Sep 2015 13:38:14 GMT

Thank you. Blocking the offending traffic on the control-plane has worked.

Re: How do I block IP addresses from trying to establish VPN tunnel wi

mistertom — Fri, 17 May 2024 19:15:19 GMT

See the following Cisco Support document that shows how to do this with examples. Important that you likely need to follow the directions to use `clear connection address ...` to force the ASA to re-evaluate IKE/isakmp connection attempts from the address denied in your control-plane access-list.

Configure Control Plane Access Control Policies for Secure Firewall Threat Defense and ASA - Cisco

Re: Thank you. Blocking the

prasadmeka — Fri, 15 Nov 2024 17:29:25 GMT

Did you applied the seperate access-list created for the control plane traffic to external interface?? Because on the external interface you should already have existing access-group for the inbound traffic right?