
Cisco ASA - Control-plane ACL not working

ROHIT SHARMA
Level 1

I am trying to block IKE traffic incoming to the ASA using an ACL applied to the control-plane, but it doesn't seem to block those requests.

Below is my config:

object-group network IPSEC_TUNNEL_IP
 network-object host 1.2.3.4
 network-object host 2.3.4.5

access-list IKE-FILTER extended deny icmp any host 11.1.1.1 
access-list IKE-FILTER extended permit udp object-group IPSEC_TUNNEL_IP host 11.1.1.1 eq isakmp 
access-list IKE-FILTER extended permit udp object-group IPSEC_TUNNEL_IP host 11.1.1.1 eq 4500 
access-list IKE-FILTER extended deny udp any host 11.1.1.1 eq isakmp 
access-list IKE-FILTER extended deny udp any host 11.1.1.1 eq 4500

access-group IKE-FILTER in interface outside control-plane
access-group outside_in in interface outside

11.1.1.1 is my ASA's Outside address.

The above config is unable to block pings to the ASA as well as IKE requests.

Thanks in advance.

2 Replies

Maykol Rojas
Cisco Employee

Hello; 

Pretty sure that ICMP ACL is not going to work, since there is an implicit rule (icmp permit/deny) that controls this type of traffic, though it should block ISAKMP and IKE if specified. Can you see the tunnel trying to come up with the deny statements on the ACL? How are you testing it?

Regards. 

Mike

For ICMP I would suggest using the icmp permit/deny command.

Otherwise your configuration looks fine for limiting VPN traffic. From what IP are you testing the VPN, and are you expecting a deny?

What ASA version is this?

--
Please remember to select a correct answer and rate helpful posts
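A worked configuration, added here as an example and not taken from the thread or from Cisco, that keeps the poster's control-plane ACL for IKE/NAT-T and moves ICMP handling to the icmp command the replies recommend. Addresses are the ones from the post; the icmp command syntax and the show commands are assumed from the ASA command reference.

```cisco
! Added example (not from the thread). Peers 1.2.3.4 / 2.3.4.5 and the
! outside address 11.1.1.1 are the values from the original post.
object-group network IPSEC_TUNNEL_IP
 network-object host 1.2.3.4
 network-object host 2.3.4.5
!
! Control-plane ACL for to-the-box traffic: first match wins, so the
! permits for the known peers come before the catch-all denies.
! The ICMP ACE from the post is left out, because ICMP destined to the
! ASA's own interface is governed by the icmp command instead.
access-list IKE-FILTER extended permit udp object-group IPSEC_TUNNEL_IP host 11.1.1.1 eq isakmp
access-list IKE-FILTER extended permit udp object-group IPSEC_TUNNEL_IP host 11.1.1.1 eq 4500
access-list IKE-FILTER extended deny udp any host 11.1.1.1 eq isakmp
access-list IKE-FILTER extended deny udp any host 11.1.1.1 eq 4500
access-group IKE-FILTER in interface outside control-plane
!
! ICMP to the outside interface itself: allow echo from the two VPN
! peers, deny everything else. These rules are also evaluated first
! match wins; with no icmp rules configured the ASA answers any ping.
icmp permit host 1.2.3.4 echo outside
icmp permit host 2.3.4.5 echo outside
icmp deny any outside
!
! Verification (exec mode): the hit counters show whether the ACEs
! actually match the test traffic, and the ICMP rules can be reviewed.
! show access-list IKE-FILTER
! show running-config icmp
```

If the hitcnt on the deny ACEs stays at zero while a third-party peer still negotiates, the test traffic is not arriving as udp/500 or udp/4500 to 11.1.1.1, which is the first thing to confirm with a capture on the outside interface.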