Close network ports on Cisco ISR

rarellano (Level 1)

Hi, 

I have a Cisco ISR 4451 with several internet-facing VRF interfaces with crypto maps mounted, and I need to close all network ports other than IPsec without affecting the tunnels. Will an ACL directly on the interface do the job?

Thank you in advance.

Accepted Solution

No, it will not affect it.

The traffic is encapsulated inside the IPsec tunnel header.

The ACL affects only the outer header; the inside traffic will not be affected.

Thanks A Lot
MHM


6 Replies

Yes, sure.
Block all ports except IPsec in an ACL applied to the interface.

Thanks A Lot
MHM

ISAKMP - UDP 500

ESP - IP protocol 50 <<- sometimes Cisco allows you to specify ESP directly instead of its ports

ISAKMP NAT-Traversal - UDP 4500 (NAT-T)

IPsec over UDP - UDP 10000 (default)

IPsec over TCP - TCP 10000 (default)

@rarellano An ACL inbound on the outside interface would suffice; you would need to permit udp/500 and ESP, and if traffic is NAT translated in the path between the peers then also permit udp/4500.

rarellano (Level 1)

Thank you, 

Just to confirm: if I apply an ACL directly on the interface, it won't affect the allowed traffic through the tunnels, i.e.

crypto map MAP 5 ipsec-isakmp
 description
 set peer xxx.xxx.xxx.xxx
 set transform-set AES256-SHA
 set pfs group5
 set isakmp-profile adient-peer
 match address 110
!
interface GigabitEthernet0/0/3.109
 encapsulation dot1Q 109
 ip vrf forwarding VRF NAME
 ip address 201.174.XX.XX 255.255.255.248
 ip flow monitor NFAmonitor input
 crypto map MAP
 ! the interface-level command is "ip access-group", not "access-group"
 ip access-group 199 in
!
! Inbound on this interface the local address is the destination and the
! remote peer is the source, so the local address belongs in the destination field
access-list 199 permit udp any host 201.174.XX.XX eq 500
access-list 199 deny ip any host 201.174.XX.XX

@rarellano you need more than just udp/500 in your ACL 199; you will also need ESP, and udp/4500 if NAT is in the path. The allowed traffic will be encapsulated in the encrypted tunnel, using either ESP or udp/4500.
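Putting the two replies above together (permit IKE on udp/500, ESP, and udp/4500 when a NAT device sits between the peers), this is a complete inbound ACL of the kind being discussed, applied to an internet-facing VRF sub-interface that carries the crypto map. It is an added example, not configuration posted in this thread; the peer address 198.51.100.10, the local address 203.0.113.2, the VRF name INTERNET and the ACL name OUTSIDE-IPSEC-ONLY are placeholders. It uses a named extended ACL instead of the numbered 199 and restricts IKE and ESP to the configured peer rather than `any`.

```ios
! Added example, not from the thread. Addresses, VRF and ACL names are placeholders.
! Inbound on the internet-facing sub-interface the router's own address is the
! destination and the IPsec peer is the source.
ip access-list extended OUTSIDE-IPSEC-ONLY
 remark IKE (ISAKMP / IKEv2) from the configured peer, udp/500
 permit udp host 198.51.100.10 host 203.0.113.2 eq isakmp
 remark IKE and ESP-in-UDP NAT-Traversal, udp/4500; only needed with NAT in the path
 permit udp host 198.51.100.10 host 203.0.113.2 eq non500-isakmp
 remark ESP, IP protocol 50, carries the encapsulated tunnel traffic
 permit esp host 198.51.100.10 host 203.0.113.2
 remark everything else arriving on the outer interface is dropped and logged
 deny   ip any any log
!
interface GigabitEthernet0/0/3.109
 encapsulation dot1Q 109
 ip vrf forwarding INTERNET
 ip address 203.0.113.2 255.255.255.248
 ip access-group OUTSIDE-IPSEC-ONLY in
 crypto map MAP
```

Repeat the three permit lines for every peer listed under `set peer`. Check the result with `show ip access-lists OUTSIDE-IPSEC-ONLY` (the `permit esp` counter climbs while the tunnel carries traffic, the final `deny` counts everything that was knocking on the other ports) and with `show crypto session` to confirm the tunnel stays up. Two caveats: the ACL is stateless, so replies to anything the router itself originates from that interface (NTP, DNS, its own pings) are dropped unless you add matching permits; and on IOS-XE the decrypted inner packets are not re-evaluated against the interface ACL, whereas Cisco IOS releases before 12.3(8)T performed a "double ACL check" that would also have required permitting the cleartext traffic.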
