How to To-The-Box Traffic Filtering on Cisco ASA

jewfcb001
Level 4

Hi All,

I'm trying to block and filter source IPs for the VPN tunnel (SSL/IPsec). I see some documents recommend the "control-plane" keyword in the access-group command, but when I try this command it is not working.

My lab topology for the test:

Client ---------------------outside[ASA]----------------
192.168.1.1    --------- 192.168.1.254 -------

access-list outside extended deny ip host 192.168.1.1 host 192.168.1.254
access-group outside in interface outside control-plane

But I can still ping from source IP 192.168.1.1 to 192.168.1.254.

I'm not sure whether this scenario is correct for the test?

I tested on ASAv version 9.12.

Please advise me.


2 Replies

@jewfcb001 that's probably because ICMP traffic is controlled separately on the ASA using the command "icmp permit|deny <ip_address> <net_mask> <icmp_type> <if_name>" and not controlled via the interface control-plane ACL. The same applies for SSH or HTTPS to manage the ASA itself.

Set up a VPN and attempt to establish connectivity to confirm the control-plane ACL is or is not working correctly.
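To make the split described above concrete, here is an added configuration example that is not from either poster; it uses the lab addresses from the question (192.168.1.1 as the client to block, 192.168.1.254 as the ASA's outside address), and the interface name "outside" and the ACL name "to-the-box" are assumptions. It shows the control-plane ACL that governs VPN and management traffic terminating on the ASA, the separate icmp command that governs pings to the box, and the show commands used to confirm hit counts.

```text
! Added example (not from the thread): to-the-box filtering on an ASA.
! Assumed names: interface "outside", ACL "to-the-box".
!
! 1. Control-plane ACL: applies to traffic terminating ON the ASA itself
!    (IKE/IPsec on UDP 500/4500, SSL VPN on TCP 443, SSH/HTTPS management),
!    but NOT to ICMP sent to the box.
access-list to-the-box extended deny ip host 192.168.1.1 host 192.168.1.254
access-list to-the-box extended permit ip any any
! The explicit permit at the end keeps other to-the-box traffic, including
! your own management session, reachable once the ACL is applied.
access-group to-the-box in interface outside control-plane
!
! 2. ICMP to the ASA is controlled by the separate "icmp" command.
!    Once any icmp rule exists on an interface, unmatched ICMP to that
!    interface is dropped, so permit what you still want explicitly.
icmp deny host 192.168.1.1 outside
icmp permit any outside
!
! 3. Verify: the deny entries' hit counts increment as the client tries
!    to connect to the VPN or to ping the outside address.
! show access-list to-the-box
! show running-config icmp
```

Apply the control-plane ACL from a console or a session that the permit entry still allows, and check the hit counts with show access-list before and after the client's connection attempt; a deny that never increments usually means the traffic is being handled by a different mechanism, as with ICMP here.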

@Rob Ingram

Thank you for the information. I tried to set up a VPN and filter the client from establishing connectivity. It's working fine with the command

access-group outside in interface outside control-plane

Test in Lab

  • Configure an ACL to deny the host from connecting to the VPN

[screenshot: jewfcb001_0-1635408282212.png]

  • Client connects without the ACL: the client can establish a connection to the firewall

[screenshot: jewfcb001_1-1635408282222.png]

  • After applying the access-group with the "control-plane" keyword, the client cannot establish a connection to the firewall

[screenshot: jewfcb001_2-1635408282248.png]

  • ACL hit count

[screenshot: jewfcb001_3-1635408282250.png]

I hope this topic helps everyone.

Thank you.
