09-13-2019 01:18 PM - edited 09-13-2019 02:38 PM
Need to block VPN connection attempts from a couple of IPs. I tried the below access list but it didn't work. How can I drop the traffic before it tries to negotiate phase 1?
access-list cp-outside remark vpn block 1
access-list cp-outside deny udp host 10.10.10.10 any eq 4500
access-list cp-outside deny udp host 10.10.10.10 any eq 500
access-list cp-outside deny esp host 10.10.10.10 any
access-list cp-outside remark vpn block 2
access-list cp-outside deny udp host 11.11.11.11 any eq 4500
access-list cp-outside deny udp host 11.11.11.11 any eq 500
access-list cp-outside deny esp host 11.11.11.11 any
access-list cp-outside permit ip any any
access-group cp-outside in interface outside control-plane
Warning | FW1 : Group = DefaultL2LGroup, IP = 10.10.10.10, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting |
edit: changed title to reflect most recent results
09-14-2019 02:33 AM - edited 09-14-2019 03:46 AM
Actually, I labbed this up, where I configured a wrong pre-shared key on my router VPN site.
(router VPN 195.200.1.2 and ASA VPN 200.1.5.2)
Here is my lab access-list:
access-list CP line 1 extended deny udp host 195.200.1.2 host 200.1.5.2 eq 4500 (hitcnt=0) 0x16d86c78
access-list CP line 2 extended deny udp host 195.200.1.2 host 200.1.5.2 eq isakmp (hitcnt=6) 0xe85a104b
access-list CP line 3 extended deny esp host 195.200.1.2 host 200.1.5.2 (hitcnt=0) 0x08163e8f
access-group CP in interface outside control-plane
!
%ASA-4-106023: Deny udp src outside:195.200.1.2/500 dst identity:200.1.5.2/500 by access-group "CP" [0xe85a104b, 0x0]
%ASA-7-710005: UDP request discarded from 195.200.1.2/500 to outside:200.1.5.2/500
%ASA-4-106023: Deny udp src outside:195.200.1.2/500 dst identity:200.1.5.2/500 by access-group "CP" [0xe85a104b, 0x0]
%ASA-7-710005: UDP request discarded from 195.200.1.2/500 to outside:200.1.5.2/500
!
======================================================================
You need to change the syntax on the firewall. Let's say your legitimate VPN is 12.12.12.12:
access-list cp-out permit udp host 12.12.12.12 any eq 4500
access-list cp-out permit udp host 12.12.12.12 any eq 500
access-group cp-out in interface outside control-plane
The control-plane syntax applies to traffic destined to the firewall itself.
=============================================================
I also noted you get this message.
Warning | FW1 : Group = DefaultL2LGroup, IP = 10.10.10.10, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting |
This means you are hitting the default group policy. By default the group policy is as below in the ASA:
!
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication
ASA(config)#
ASA(config)# show run all | i DfltGrpPolicy
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
default-group-policy DfltGrpPolicy
default-group-policy DfltGrpPolicy
default-group-policy DfltGrpPolicy
As there is no pre-shared key configured, that is why you are getting a mismatched pre-shared-key error.
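The lab output above shows the hook that makes this verifiable: the hex value printed at the end of each `show access-list` entry is the same ACE hash ID the ASA puts in its `%ASA-4-106023` deny message, and a `dst identity:` target means the packet was addressed to the firewall itself (the control-plane path). The following Python is an added example, not from the thread, that correlates constructed samples of both outputs so a defender can confirm which ACE is actually dropping a peer's IKE attempts; the sample text and ACE IDs are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of 'show access-list' output; the trailing hex value is the
# per-ACE hash ID that the ASA also prints in its %ASA-4-106023 deny messages.
SHOW_ACCESS_LIST = """\
access-list CP line 1 extended deny udp host 195.200.1.2 host 200.1.5.2 eq 4500 (hitcnt=0) 0x16d86c78
access-list CP line 2 extended deny udp host 195.200.1.2 host 200.1.5.2 eq isakmp (hitcnt=6) 0xe85a104b
access-list CP line 3 extended deny esp host 195.200.1.2 host 200.1.5.2 (hitcnt=0) 0x08163e8f
"""

# Constructed syslog sample: 'dst identity:' shows the packet was addressed to the
# ASA itself, i.e. the to-the-box (control-plane) ACL dropped it.
SYSLOG = """\
%ASA-4-106023: Deny udp src outside:195.200.1.2/500 dst identity:200.1.5.2/500 by access-group "CP" [0xe85a104b, 0x0]
%ASA-7-710005: UDP request discarded from 195.200.1.2/500 to outside:200.1.5.2/500
%ASA-4-106023: Deny udp src outside:195.200.1.2/500 dst identity:200.1.5.2/500 by access-group "CP" [0xe85a104b, 0x0]
%ASA-7-710005: UDP request discarded from 195.200.1.2/500 to outside:200.1.5.2/500
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>deny|permit) "
    r"(?P<match>.+?) \(hitcnt=(?P<hits>\d+)\) (?P<ace_id>0x[0-9a-f]+)$")
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<src>\S+) dst (?P<dst>\S+) '
    r'by access-group "(?P<acl>\S+)" \[(?P<ace_id>0x[0-9a-f]+), 0x[0-9a-f]+\]')

def parse_aces(show_output):
    """Map each ACE hash ID to its ACL line, match text and hit counter (remark lines are skipped)."""
    aces = {}
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["line"], d["hits"] = int(d["line"]), int(d["hits"])
            aces[d.pop("ace_id")] = d
    return aces

def correlate_denies(show_output, syslog):
    """Per ACE: count the 106023 denies that cite its ID, note whether they were
    to-the-box drops, and collect the source peers. Unknown IDs are counted separately."""
    report = {i: dict(a, log_denies=0, to_the_box=False, peers=set()) for i, a in parse_aces(show_output).items()}
    unknown = Counter()
    for raw in syslog.splitlines():
        m = DENY_RE.search(raw)
        if not m:
            continue  # 710005 and other messages carry no ACE ID
        entry = report.get(m.group("ace_id"))
        if entry is None:
            unknown[m.group("ace_id")] += 1
            continue
        entry["log_denies"] += 1
        entry["to_the_box"] |= m.group("dst").startswith("identity:")
        entry["peers"].add(m.group("src").split(":", 1)[1].rsplit("/", 1)[0])
    return report, unknown
```

An ACE whose `hits` counter stays at 0 while the syslog keeps showing IKE attempts from the peer means the ACE is not matching that traffic, which is the symptom described elsewhere in this thread.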
09-14-2019 01:18 PM
Got it. Looks like I just need to tweak my ACL. And yes, I was showing the log message because I was trying to stop that IP from attempting to make a VPN connection. I no longer have the VPN configured on my ASA because it was for an old customer. I was just trying to keep my syslog from getting full with all the connection attempt messages.
09-26-2019 02:26 PM
I tried the ACL like this:
access-list cp-outside extended deny udp host 1.1.1.1 host 2.2.2.2 eq 4500
access-list cp-outside extended deny udp host 1.1.1.1 host 2.2.2.2 eq isakmp
access-list cp-outside extended deny esp host 1.1.1.1 host 2.2.2.2
Where 1.1.1.1 was the IP of the remote peer and 2.2.2.2 is my outside interface. It didn't work.
09-14-2019 01:29 PM
Hmmmm. Nope. Didn't work for me. To elaborate:
Remote IP to block: 1.1.1.1
My ASA 2.2.2.2
access-list cp-outside line 1 remark vpn block 1
access-list cp-outside line 2 extended deny udp host 1.1.1.1 host 2.2.2.2 eq 4500 (hitcnt=0) 0x7c87041e
access-list cp-outside line 3 extended deny udp host 1.1.1.1 host 2.2.2.2 eq isakmp (hitcnt=0) 0xed2beb7c
access-list cp-outside line 4 extended deny esp host 1.1.1.1 host 2.2.2.2 (hitcnt=0) 0x5df8421c
access-group cp-outside in interface outside control-plane
I am still seeing logging that the connection is being attempted. It fails because there is no VPN configuration for that remote IP.