cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
16482
Views
44
Helpful
19
Replies

ASA Control Plane

Spagsterj
Level 1
Level 1

Hello,

I'm attempting to limit what IP addreses can connect to an ASA using the SSL VPN. I would have thought control-plane policing would have worked, however it did not.

Here is what I configured:

access-list vpn_control extended permit tcp object-group allowed_clients interface outside

!

access-group vpn_control in interface outside control-plane

any suggestions would be appreciated.

Thanks!

19 Replies 19

jumora
Level 7
Level 7

Please post more of the configuration and check logs to see what you are reporting, by any chance do you have http server enable, can you get me a show run http.

Check the following link that contains and explanation:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1541842

Note Access control rules for to-the-box management traffic (defined by such commands as http, ssh, or telnet) have higher precedence than an access list applied with the control-plane option. Therefore, such permitted management traffic will be allowed to come in even if explicitly denied by the to-the-box access list.

Value our effort and rate the assistance!

The command you entered for the control plane is for traffic destined  for the ASA itself...but also VPN traffic will bypass the interface  ACLs as it is encrypted by default.

You could try to issue the command no sysopt connection permit-vpn this will require the ASA to check the SSL VPN traffic against the interface configured ACL

Please rate any helpful posts.

--
Please remember to select a correct answer and rate helpful posts

This would be for traffic through the ASA and not really to the ASA.

sysopt connection permit-vpn

The sysopt connection permit-ipsec command allows all the traffic that enters the security appliance through a VPN tunnel to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. In PIX/ASA 7.1 and later, the sysopt connection permit-ipsec command is changed to sysopt connection permit-vpn. The vpn-filter is applied to post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel.

Value our effort and rate the assistance!

Yes I know, but it is a option none the less

--
Please remember to select a correct answer and rate helpful posts

Hello,

Agree, The option to go is the control-plane one.

As far as I am aware that should do it.

Example:

access-list outside-control-plane extended deny tcp host 1..1.1.1 x.x.x.x eq 443 (where x.x.x.x is the Out interface IP)


access-group outside-control-plane in interface outside control-plane

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Check the following link that contains and explanation:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1541842

Note Access  control rules for to-the-box management traffic (defined by such  commands as http, ssh, or telnet) have higher precedence than an access  list applied with the control-plane option. Therefore, such permitted  management traffic will be allowed to come in even if explicitly denied  by the to-the-box access list.

Value our effort and rate the assistance!

@ jumora - you are correct, however this is only applicable for managment traffic.  To me it sounds like Spagsterj wants to limit IPs that are able to initiate an SSL VPN session.  As PKI will exchange keys before any traffic is sent between the devices, the traffic will be encrypted when the actual connection is made and will therefore bypass the outside interface ACL by default.  So (unless my logic is completely off here) he will need to disable the ACL bypass for it to take effect.

--
Please remember to select a correct answer and rate helpful posts

That is the issue, the ASA does not distinguish this if it is SSL VPN or management, I work at TAC and escalated a ticket a couple of days due to this, it is also related to class type management that did not work for SSL traffic but did for SSH.

Believe me I know what I'm talking about.

Value our effort and rate the assistance!

Hello Marius,

Agree with Juancito "loquillo" in this one as what the customer is trying to accomplish is filter who connects to the Firewall via SSL, not what traffic is allowed to go via the tunnel.

In this case the control-plane option is the suitable option.

Cheers to boh of you.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

That is my understanding too.  I don't think I mentioned traffic filtering...or did I?   I will have a read through the posts and see. 

Anyway, I am wondering if perhaps the ACL assigned to the control plane is being bypassed due to the encryption, which is why I suggested trying to disable the interface ACL bypass by using the following command:

no sysopt connection permit-vpn


--
Please remember to select a correct answer and rate helpful posts

Ok, do you still need assistance?

Julio knows me and please believe me when I correct anyone it´s not to presume it´s because I want them to understand.

Customer to you still need assistance???

Value our effort and rate the assistance!

Hello,

Has there been any change regarding filtering what source IP address can initiate an SSL connection to the ASA for VPN access?

Bbb

Sent from Cisco Technical Support iPhone App

This appeared to work for me. Persistent SSL VPN connections attempts are now denied from the source IP.

Review Cisco Networking for a $25 gift card