12-03-2007 04:31 PM - edited 03-11-2019 04:38 AM
Have an ASA running v8, trying to figure out how to block inbound Cisco VPN client traffic to the external interface and only allow one block of public IPs to initiate the connection. I have created access lists blocking all inbound traffic on the external interface, as well as the standard VPN ports, with no luck; it appears access lists have no impact on the external interface answering any ISAKMP/IPsec traffic. Is there a way to limit this?
12-03-2007 05:22 PM
There is no way.
Do you have any network devices *in front* of the ASA that could do this?
12-03-2007 05:32 PM
That's what I thought... they don't own the edge device. Plan B is they start matching client certs to meet their requirements...
12-04-2007 07:59 AM
Actually there might be a way. Try issuing the command 'no sysopt connection permit-vpn'. That is supposed to force the incoming VPN connections to go through the ACLs. I haven't tried it before so I'm not sure if it works as advertised.
Make sure you have your ACL right first though.
12-04-2007 09:19 AM
Good thought, but the box is accepting VPN connections with and without the sysopt connection permit-vpn command. May have to get a TAC case rolling on this; in past experience that has always worked to block inbound VPN connections.
12-04-2007 10:36 AM
sysopt connection permit-vpn only matters once a VPN has been established. Its purpose is to bypass interface ACL checking for encrypted traffic.
Trust me, there is no way to do what the OP wants with just the ASA.
ISAKMP also by default bypasses external ACL checking. It's all or nothing.
12-04-2007 11:10 AM
Follow-up to my message above:
ISAKMP destined for the PIX/ASA bypasses external ACL checking...
ISAKMP *through* the appliance must go through normal ACL checks.