Filter internet IP addresses allowed to initiate VPN connection

Danilo Dy
VIP Alumni

Hi,

Using Cisco ASA5510 Security Plus (Post May 2010) with 8.2(1)

I was trying to limit the internet IP addresses that can initiate a Remote Access VPN connection to the firewall. I plan to only allow internet IP addresses from a few ISPs, for control.

However, blocking AHP, ESP, ISAKMP, NON500-ISAKMP, and the IPsec over TCP port assigned in the firewall's outside interface doesn't help. But it works by putting the ACL in the router before the firewall. It seems that the firewall has a "hidden" process that handles VPN first, before the user-entered ACL (or explicit rule), similar to Checkpoint FW's implied rules. How to get around it?

TIA


4 Replies

Jennifer Halim
Cisco Employee

Yes, you are right. The firewall does not check what IP address is initiating the VPN to it, as remote VPN clients can connect from various different IP addresses.

If you want to allow only certain IP addresses to VPN to the firewall, as you have tested, you would need to block it on the router in front of the firewall.

Hope that answers your question.
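Jennifer's suggestion, as an added example that is not from the original thread: a Cisco IOS extended ACL on the router in front of the ASA that lets the VPN-initiation protocols named in the question (ISAKMP, NAT-T, ESP, AH, IPsec over TCP) reach the ASA only from approved ISP ranges, logs everything else, and leaves non-VPN traffic to the firewall's own policy. The ASA outside address (198.51.100.10), the two ISP ranges (203.0.113.0/24 and 192.0.2.0/24), the interface name and the IPsec-over-TCP port (10000, the ASA default) are assumed/constructed values to be replaced with your own.

```cisco
! Constructed example: approved ISP ranges are 203.0.113.0/24 and 192.0.2.0/24,
! the ASA outside interface is 198.51.100.10. IOS ACLs use wildcard masks.
ip access-list extended VPN-INITIATORS
 remark -- Approved ISP range 1 --
 permit udp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq isakmp
 permit udp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq non500-isakmp
 permit esp 203.0.113.0 0.0.0.255 host 198.51.100.10
 permit ahp 203.0.113.0 0.0.0.255 host 198.51.100.10
 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq 10000
 remark -- Approved ISP range 2 --
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq isakmp
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq non500-isakmp
 permit esp 192.0.2.0 0.0.0.255 host 198.51.100.10
 permit ahp 192.0.2.0 0.0.0.255 host 198.51.100.10
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 10000
 remark -- Drop and log VPN setup attempts from anywhere else --
 deny udp any host 198.51.100.10 eq isakmp log
 deny udp any host 198.51.100.10 eq non500-isakmp log
 deny esp any host 198.51.100.10 log
 deny ahp any host 198.51.100.10 log
 deny tcp any host 198.51.100.10 eq 10000 log
 remark -- Everything else passes to the ASA, which applies its own rules --
 permit ip any any
!
! Apply inbound on the Internet-facing interface (name is assumed)
interface GigabitEthernet0/0
 description Internet uplink, toward ASA outside
 ip access-group VPN-INITIATORS in
```

If the ASA also terminates site-to-site tunnels, add their peer addresses to the permit section, otherwise those tunnels will be dropped by the deny lines.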

Hi

What happened with the old PIX command "sysopt connection permit-ipsec" ?

If you remove that in the PIX, then it's possible to control VPN connections with an access-list.

Isn't there any equivalent command in the ASA?

Regards

The "sysopt connection permit-ipsec" will not allow the encrypted traffic; it will only allow the traffic after it has been decrypted (i.e. the clear-text traffic after decryption). What Danilo wants is for the actual VPN session (encrypted traffic) to be restricted to specific IP addresses only.

Thanks Jennifer.

Your reply confirms my initial investigation. I thought I was missing something; it took me a lot of time trying to find a way to get around it.

I'm trying to push the security envelope further for Remote Access, because there is no universal cyber law, or it doesn't cross borders (states/countries).
