Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
965
Views
5
Helpful
8
Replies

EVE-NG Lab with ASAv Control-Plane blocking

irbk
Level 1
Level 1

‎07-28-2023 08:27 AM

I've gotten a chance to build a lab in EVE-NG to test out control-plane blocking and make sort of a "poor mans geoblocking".  End result is I want to block IP's from Russia, China, etc, that have no business trying to hit my SSLVPN.  Currently, I Shun any IP's that attempt it but you can only do a specific IP with Shun, you can't do any subnets.  I've seen a lot about the Control-Plane access list but I'm a bit hesitant to do so as I don't want to accidently block my own access to the ASA.  After getting Eve-NG up and running a lab for me, I'm able to play with this setup without fear of breaking anything in production.  However, the lab isn't a one-for-one.  I'm only able to run an ASAv in the lab.  Can't seem to emulate a regular ASA like mine, so I'm not 100% sure of the differences between what I'm going to see in the lab and what I'm going to see in production.  

So here is the situation.  

I've created an control-plane access list called "BlackList".  My lab currently has 3 "sites".  Site 2 is setup to connect with a VPN to Site 1 (site 1 is where the ASA sits) and the VPN connects without issue.  This is to simulate our VPN connections to other places and make sure my control-plane list doesn't bork any of them.  Site 3 is set up with a VPN connection to site 1, but site 1 has no corresponding configuration.  This is to simulate the random IPSec tunnels that try to connect.  I've put the subnet of site 3 into the BlackList group.

What I expect to happen: Site 3 is always trying to establish a IPSec VPN.  I add site 3 to the BlackList and rather than seeing incoming IPSec vpn tunnels trying to establish, I'll see Denys in the log shortly after I hit "apply".  

What actually happens: I continue to see site 3 coming in as attempted IPSec VPN connections.  

Now, I know my rules work.  If I stop Site 3 from trying to establish the IPSec VPN for a few minutes, long enough to see the log tell me it's tearing down the UDP connection, then turn the VPN from site 3 back on, with no changes to the ASA at Site 1, I see Denys in the log and not the attempted IPSec VPN connection.  So the rule works but only after that UDP session is cleared.  Is this "normal" or is it just because it's in a lab?  Obviously in a live environment, I can't stop the incoming IPSec VPN session long enough for the ASA to teardown the session so it re-evaluates rules.  

Labels:
0 Helpful
8 Replies 8

irbk
Level 1
Level 1

‎07-28-2023 08:37 AM

I just thought "I wonder if I could shun the IP, which would immediately block it, then remove the shun to let the control-plane access-list do it's thing".  This did indeed work.  Not as easy as I would have hopped (would hope just adding the IP to the BlackList would be enough) but not horrible.  The other way around (taking an IP off the BlackList) seems to work pretty much instantly.

MHM Cisco World
VIP
VIP
In response to irbk

‎07-28-2023 08:48 AM

Hmm' 

Permit ip any any log for control plane acl

Then check log see ip want to access 

Shun this IP

Add subnet of these IP to control plane acl

That I see is workaround way (not best way)

irbk
Level 1
Level 1
In response to MHM Cisco World

‎07-28-2023 09:42 AM

That definitely works, as I said earlier, just not what I would have expected and wasn't sure if this was "normal"

MHM Cisco World
VIP
VIP
In response to irbk

‎07-28-2023 09:51 AM

There is no other solution.

But I have idea why you not change ssl  port ftom 443 to be 4443 or 4433 i.e. port that unknow this way you can get rid the unknow ip want to access your asa.

0 Helpful

irbk
Level 1
Level 1
In response to MHM Cisco World

‎07-28-2023 10:21 AM

It's not just SSL VPN I'm looking to limit.  It's all the control-plane access.  If this is "normal" behavior, that's fine.  I just want to determine if this is "normal" or if this behavior would only be experienced in a lab.

Georg Pauwen
VIP
VIP

‎07-28-2023 10:16 AM

Hello,

from what I understand you are trying to limit external VPN access ? Have you tried vpn-filters in combination with group policies ?

The link below provides an example:

https://www.stigviewer.com/stig/cisco_asa_firewall/2021-03-15/finding/V-239854

0 Helpful

irbk
Level 1
Level 1
In response to Georg Pauwen

‎07-28-2023 10:18 AM

Not just VPN access, IPSec connections, SSLVPN connections, access to the SSLVPN website, really anything that's would fall into control-plane access.

Georg Pauwen
VIP
VIP
In response to irbk

‎07-31-2023 01:01 AM

Hello,

the filter lets you specify specific ports (e.g. 443 for SSLVPN, 500 for IPSec, etc.)...so basically you can block anything you want.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card