How do I block IP addresses from trying to establish VPN tunnel with my ASA?

rweir0001
Level 1

I frequently receive logs from my ASA that indicate random IP addresses are trying to establish a VPN tunnel with it:

ASA-4-713903
ASA-3-713902

Possible unexpected behavior of a peer occured (e.g., loss of connectivity).
Group = DefaultRAGroup, IP = xxx.xxx.6.191, Error: Unable to remove PeerTblEntry

Possible configuration error on either the headend or remote access client.
Group = DefaultRAGroup, IP = xxx.xxx.6.191, Removing peer from peer table failed, no match!

I have created rules blocking ISAKMP (udp/port 500) and udp/port 4500 for IKE negotiations but I still receive these logs. In addition I have blocked several other protocols because I just don't want these IP addresses reaching my ASA at all such as esp (protocol 50), ALL ICMP traffic, IP, and http/https. I just added AH (protocol 51) as well because I noticed that it was missing. If adding AH DOESN'T resolve the issue then what else do I need to block in order to prevent these IP addresses from trying to establish a VPN tunnel?

5 Replies

Josh Sprang
Level 1

Have you tried blocking it at the control plane? I would give that a shot. Or figure out the remote side IP and try to contact them...

access-list cp-outside deny udp host xxxx.xxxx.6.191 any eq 4500
access-list cp-outside deny udp host xxxx.xxxx.6.191 any eq 500
access-list cp-outside deny esp host xxxx.xxxx.6.191 any
access-list cp-outside permit ip any any
access-group cp-outside in interface outside control-plane

Thank you. Blocking the offending traffic on the control-plane has worked.

Andres Vega
Cisco Employee

I think you need to add the control-plane keyword at the end of your access-group statement.

An access-group without the keyword control-plane will filter ASA pass-through traffic; if you want to filter traffic that hits an ASA interface, I mean traffic destined to the WAN interface or whatever interface, you have to add the keyword.

Here it is, the Cisco ASA configuration guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_rules.html#wp1086731

e.g.

Outside interface IP address: y.y.y.y
External IP address allowed to establish a connection against the ASA: x.x.x.x

access-list Outside_ACL permit udp host x.x.x.x eq 500 host y.y.y.y eq 500
access-group Outside_ACL in interface outside control-plane

I think this could be a guide to how it should be configured. By the way, be careful about the ACL implicit deny: if you are connecting to the ASA using the outside interface, you need to permit your public IP address.

Regards,

Andres

Thanks for the clarification. I have blocked the tunnel traffic from the offending IP addresses on the control-plane and it looks like it has worked.

mistertom
Level 1

See the following Cisco Support document that shows how to do this with examples. Importantly, you likely need to follow the directions to use `clear connection address ...` to force the ASA to re-evaluate IKE/ISAKMP connection attempts from the address denied in your control-plane access-list.
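As an added example (not code from this thread, from Cisco, or from any poster), a small Python helper that pulls peer addresses out of the 713902/713903 messages the asker quotes and emits the to-the-box ACL from Josh's reply, extended with the AH deny the asker mentions, followed by the connection clear that mistertom refers to (written here as the ASA `clear conn address` form). The syslog lines, addresses and ACL name are constructed placeholders.

```python
import re
from ipaddress import ip_address

# Constructed sample syslog lines in the shape the original post quotes (not real traffic).
SAMPLE_LOGS = """\
%ASA-4-713903: Group = DefaultRAGroup, IP = 203.0.113.191, Error: Unable to remove PeerTblEntry
%ASA-3-713902: Group = DefaultRAGroup, IP = 203.0.113.191, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = DefaultRAGroup, IP = 198.51.100.7, Error: Unable to remove PeerTblEntry
%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.9/55000 (unrelated message)
"""

# The two message IDs the asker sees for peers that never complete IKE negotiation.
IKE_PEER_MSG_IDS = {"713902", "713903"}
LOG_RE = re.compile(r"%ASA-\d-(\d{6}): .*?\bIP = (\d{1,3}(?:\.\d{1,3}){3})")


def offending_peers(log_text, min_hits=1):
    """Return {peer_ip: count} for 713902/713903 messages seen at least min_hits times."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group(1) not in IKE_PEER_MSG_IDS:
            continue  # other message IDs are not evidence of a failed IKE peer
        ip = m.group(2)
        ip_address(ip)  # raises ValueError on a malformed address
        counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


def control_plane_acl(peers, acl_name="cp-outside", interface="outside"):
    """Deny IKE (UDP 500/4500), ESP and AH from each peer, then permit ip any any so the
    implicit deny does not lock out legitimate peers or management access, bind the ACL
    with the control-plane keyword, and clear existing conns so the ASA re-evaluates them."""
    ordered = sorted(peers, key=ip_address)
    lines = []
    for ip in ordered:
        lines += [
            f"access-list {acl_name} deny udp host {ip} any eq 500",
            f"access-list {acl_name} deny udp host {ip} any eq 4500",
            f"access-list {acl_name} deny esp host {ip} any",
            f"access-list {acl_name} deny ah host {ip} any",
        ]
    lines.append(f"access-list {acl_name} permit ip any any")
    lines.append(f"access-group {acl_name} in interface {interface} control-plane")
    lines += [f"clear conn address {ip}" for ip in ordered]
    return lines


if __name__ == "__main__":
    # min_hits=2 avoids acting on a single transient negotiation failure.
    print("\n".join(control_plane_acl(offending_peers(SAMPLE_LOGS, min_hits=2))))
```

The deny entries must precede the final permit, as in Josh's ACL, because the ASA evaluates access-list entries in order.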
