2397 Views | 5 Helpful | 4 Replies

Simple acl to block VPN connection attempts

jessica jestol (Level 1)

Need to block VPN connection attempts from a couple of IPs. I tried the access list below but it didn't work. How can I drop the traffic before it tries to negotiate phase 1?

access-list cp-outside remark vpn block 1
access-list cp-outside deny udp host 10.10.10.10 any eq 4500
access-list cp-outside deny udp host 10.10.10.10 any eq 500
access-list cp-outside deny esp host 10.10.10.10 any
access-list cp-outside remark vpn block 2
access-list cp-outside deny udp host 11.11.11.11 any eq 4500
access-list cp-outside deny udp host 11.11.11.11 any eq 500
access-list cp-outside deny esp host 11.11.11.11 any
access-list cp-outside permit ip any any
access-group cp-outside in interface outside control-plane

WarningFW1 : Group = DefaultL2LGroup, IP = 10.10.10.10, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting

edit: changed title to reflect most recent results

4 Replies

Actually, I labbed this up, where I configured a wrong pre-shared key on my router VPN site.

(router VPN 195.200.1.2 and ASA VPN 200.1.5.2)

Here is my lab access-list:

access-list CP line 1 extended deny udp host 195.200.1.2 host 200.1.5.2 eq 4500 (hitcnt=0) 0x16d86c78
access-list CP line 2 extended deny udp host 195.200.1.2 host 200.1.5.2 eq isakmp (hitcnt=6) 0xe85a104b
access-list CP line 3 extended deny esp host 195.200.1.2 host 200.1.5.2 (hitcnt=0) 0x08163e8f

access-group CP in interface outside control-plane

!

%ASA-4-106023: Deny udp src outside:195.200.1.2/500 dst identity:200.1.5.2/500 by access-group "CP" [0xe85a104b, 0x0]
%ASA-7-710005: UDP request discarded from 195.200.1.2/500 to outside:200.1.5.2/500
%ASA-4-106023: Deny udp src outside:195.200.1.2/500 dst identity:200.1.5.2/500 by access-group "CP" [0xe85a104b, 0x0]
%ASA-7-710005: UDP request discarded from 195.200.1.2/500 to outside:200.1.5.2/500

!

======================================================================

You need to change the syntax on the firewall. Let's say your legitimate VPN is 12.12.12.12:

access-list cp-out permit udp host 12.12.12.12 any eq 4500
access-list cp-out permit udp host 12.12.12.12 any eq 500
access-group cp-out in interface outside control-plane


The control-plane syntax applies to traffic destined to the firewall itself.

=============================================================

I also noted you get this message.

WarningFW1 : Group = DefaultL2LGroup, IP = 10.10.10.10, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting


This means you are hitting the default group policy. By default the group policy is as below in ASA:

!

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication
ASA(config)#
ASA(config)# show run all | i DfltGrpPolicy
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
default-group-policy DfltGrpPolicy
default-group-policy DfltGrpPolicy
default-group-policy DfltGrpPolicy


As there is no pre-shared key configured, that is why you are getting a mismatched pre-shared-key error.

please do not forget to rate.

Got it. Looks like I just need to tweak my ACL. And yes, I was showing the log message because I was trying to stop that IP from attempting to make a VPN connection. I no longer have the VPN configured on my ASA because it was for an old customer. I was just trying to keep my syslog from getting full with all the connection attempt messages.

I tried the ACL like this:

access-list cp-outside extended deny udp host 1.1.1.1 host 2.2.2.2 eq 4500
access-list cp-outside extended deny udp host 1.1.1.1 host 2.2.2.2 eq isakmp
access-list cp-outside extended deny esp host 1.1.1.1 host 2.2.2.2

Where 1.1.1.1 was the IP of the remote peer and 2.2.2.2 is my outside interface. It didn't work.

Hmmmm. Nope. Didn't work for me. To elaborate:

Remote IP to block: 1.1.1.1

My ASA 2.2.2.2

access-list cp-outside line 1 remark vpn block 1
access-list cp-outside line 2 extended deny udp host 1.1.1.1 host 2.2.2.2 eq 4500 (hitcnt=0) 0x7c87041e
access-list cp-outside line 3 extended deny udp host 1.1.1.1 host 2.2.2.2 eq isakmp (hitcnt=0) 0xed2beb7c
access-list cp-outside line 4 extended deny esp host 1.1.1.1 host 2.2.2.2 (hitcnt=0) 0x5df8421c

access-group cp-outside in interface outside control-plane

I am still seeing logging that the connection is being attempted. It fails because there is no VPN configuration for that remote IP.
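Added example, not from the thread or from Cisco: a Python script that ties the %ASA-4-106023 entries in the lab output above back to the ACE that produced them, using the hex ACE hash that `show access-list` prints at the end of each line and that the 106023 message echoes in square brackets (0xe85a104b on line 2 of the lab ACL). It then sorts source addresses into those dropped by the control-plane ACL before phase 1 and those whose IKE packets still reach the tunnel-group lookup, which is what the "had problems decrypting packet" warning from the first post indicates. The sample `show access-list` and syslog text is constructed from the values posted in this thread; the message formats are the ones quoted above. The field names and the verdict labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the output posted in this thread
# (not captured from a real device). The first block imitates 'show access-list';
# the second mixes the lab's control-plane denies with the OP's IKE warning line.
SHOW_ACL = """\
access-list CP line 1 extended deny udp host 195.200.1.2 host 200.1.5.2 eq 4500 (hitcnt=0) 0x16d86c78
access-list CP line 2 extended deny udp host 195.200.1.2 host 200.1.5.2 eq isakmp (hitcnt=6) 0xe85a104b
access-list CP line 3 extended deny esp host 195.200.1.2 host 200.1.5.2 (hitcnt=0) 0x08163e8f
"""

SYSLOG = """\
%ASA-4-106023: Deny udp src outside:195.200.1.2/500 dst identity:200.1.5.2/500 by access-group "CP" [0xe85a104b, 0x0]
%ASA-7-710005: UDP request discarded from 195.200.1.2/500 to outside:200.1.5.2/500
%ASA-4-106023: Deny udp src outside:195.200.1.2/500 dst identity:200.1.5.2/500 by access-group "CP" [0xe85a104b, 0x0]
%ASA-7-710005: UDP request discarded from 195.200.1.2/500 to outside:200.1.5.2/500
WarningFW1 : Group = DefaultL2LGroup, IP = 10.10.10.10, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
"""

# One ACE of 'show access-list'; the trailing hex value is the ACE hash that
# %ASA-4-106023 echoes back in square brackets, which ties a deny to its ACL line.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<rest>.*?) \(hitcnt=(?P<hits>\d+)\) (?P<hash>0x[0-9a-f]+)$"
)
DENY_RE = re.compile(
    r'^%ASA-4-106023: Deny (?P<proto>\S+) src (?P<sif>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)" '
    r'\[(?P<hash>0x[0-9a-f]+), 0x[0-9a-f]+\]$'
)
# IKE reached the tunnel-group lookup and failed there (the warning format quoted in the thread).
IKE_ERR_RE = re.compile(r"Group = (?P<group>[^,]+), IP = (?P<ip>[\d.]+), ERROR, had problems decrypting packet")
IKE_PORTS = {"500", "4500"}


def parse_aces(show_output):
    """Map ACE hash -> parsed fields from 'show access-list' output."""
    aces = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces[m["hash"]] = m.groupdict()
    return aces


def parse_denies(syslog):
    """All %ASA-4-106023 deny events; other message IDs are ignored."""
    return [m.groupdict() for m in map(DENY_RE.match, syslog.splitlines()) if m]


def parse_ike_errors(syslog):
    """All 'had problems decrypting packet' events, i.e. IKE got past any to-the-box ACL."""
    return [m.groupdict() for m in map(IKE_ERR_RE.search, syslog.splitlines()) if m]


def correlate(aces, denies):
    """Group denies by ACE hash and attach the ACE line they came from.

    to_the_box: every deny shows 'dst identity:', the ASA's own address,
    which is the traffic a control-plane ACL governs.
    ike_blocked: the ACE dropped UDP 500/4500 to the box, so phase 1 never started.
    """
    by_hash = defaultdict(list)
    for d in denies:
        by_hash[d["hash"]].append(d)
    report = []
    for h, events in by_hash.items():
        ace = aces.get(h)
        to_the_box = all(e["dif"] == "identity" for e in events)
        ike = to_the_box and all(e["proto"] == "udp" and e["dport"] in IKE_PORTS for e in events)
        report.append({
            "hash": h,
            "acl_line": int(ace["line"]) if ace else None,
            "ace": f'{ace["action"]} {ace["proto"]} {ace["rest"]}' if ace else "unknown ACE",
            "device_hitcnt": int(ace["hits"]) if ace else None,
            "syslog_denies": len(events),
            "sources": sorted({e["src"] for e in events}),
            "to_the_box": to_the_box,
            "ike_blocked": ike,
        })
    return report


def classify_sources(show_output, syslog):
    """Per source IP: 'dropped_by_acl' (a control-plane ACE stopped IKE),
    'reached_ike' (IKE error logged and no ACE hit, so the ACL is not catching it),
    or 'both' (some attempts dropped, some still reaching IKE)."""
    blocked = {s for r in correlate(parse_aces(show_output), parse_denies(syslog))
               if r["ike_blocked"] for s in r["sources"]}
    reached = {e["ip"] for e in parse_ike_errors(syslog)}
    verdict = {}
    for ip in blocked | reached:
        if ip in blocked and ip in reached:
            verdict[ip] = "both"
        elif ip in blocked:
            verdict[ip] = "dropped_by_acl"
        else:
            verdict[ip] = "reached_ike"
    return verdict


if __name__ == "__main__":
    for r in correlate(parse_aces(SHOW_ACL), parse_denies(SYSLOG)):
        print(r)
    print(classify_sources(SHOW_ACL, SYSLOG))
```

With the constructed input, 195.200.1.2 is reported as dropped by ACL line 2 (the `eq isakmp` ACE) and 10.10.10.10 as still reaching IKE, which is the situation the later posts describe: an ACE with hitcnt=0 and the peer still showing up in the IKE warning means the control-plane ACL is not matching that traffic. The device hitcnt (6) and the number of syslog denies (2) differ here only because the log excerpt is partial.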
