Whitelist on CPLANE

zgovernale
Community Member

Cisco ASA Software Version 9.18(3)55

SSP OS Version 2.12(0.519)

I've been working with a managed service partner to try Whitelisting as a way to combat brute-force attacks. I've added a whitelist of known IP addresses to allow access and deny any other access.

We also have a tunnel for communication to a partner network. The issue I'm running into is that we lose that communication once this ACL is enacted. It's not right away but within the following hour. Note: I've added the partner IP range into the whitelist. I also don't have an FTN to enable geolocation blocking.

Is there a better place to put a whitelist so that it won't impact internal communications?

Accepted Solution

@zgovernale it depends on which exact version of 9.18 you are running, 9.18(4)40 (or higher) is an interim version, which would include this functionality, the initial version of 9.18(4) would not.

9.18(4) interim version download - https://software.cisco.com/download/home/286119613/type/280775065/release/9.18.4%20Interim


7 Replies

What VPN do you use, RA VPN or S2S?

MHM

The whitelist is meant to cover the people trying to RA VPN. The S2S is our tunneled connection to our partner org.

I sent you a PM, check it.

MHM

@zgovernale what did you configure in the control plane ACL? If connections drop after an hour, it could be an existing connection that times out and was thus unintentionally blocked in the cplane ACL. Check the logs to compare with the cplane ACL.

For RAVPN protection, if your hardware supports it, upgrade and use threat detection: https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-asa/222315-configure-threat-detection-services-for.html
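Comparing the logs with the cplane ACL, as suggested above, can be scripted. The following is an added example and not code from the thread: it parses constructed ASA syslog 106023 deny lines and flags any source that the control-plane ACL dropped even though it falls inside a range that is supposed to be whitelisted (the partner range, ACL name and addresses below are placeholders).

```python
import ipaddress
import re

# Constructed sample lines in the shape of ASA syslog message 106023 (not taken from the thread).
SAMPLE_LOGS = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.10/51234 dst outside:198.51.100.1/443 by access-group "CPLANE_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:192.0.2.77/500 dst outside:198.51.100.1/500 by access-group "CPLANE_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:192.0.2.77/4500 dst outside:198.51.100.1/4500 by access-group "CPLANE_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:192.0.2.77/4500 dst outside:198.51.100.1/4500 by access-group "CPLANE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.55/40000 dst outside:198.51.100.1/443 by access-group "OTHER_ACL" [0x0, 0x0]
"""

# Placeholder for the partner's address range that the whitelist is meant to permit.
PARTNER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_text):
    """Yield (src_ip, proto, dport, acl) for every 106023 deny line that matches the pattern."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield (ipaddress.ip_address(m["src"]), m["proto"], int(m["dport"]), m["acl"])


def unexpected_denies(log_text, trusted_nets, acl_name):
    """Return sorted unique (src, proto, dport) denied by acl_name whose source lies in a trusted range.

    Any hit means the control-plane ACL dropped traffic the whitelist was meant to allow,
    e.g. IKE (udp/500) or NAT-T (udp/4500) from the site-to-site peer when the tunnel renegotiates.
    """
    hits = set()
    for src, proto, dport, acl in parse_denies(log_text):
        if acl == acl_name and any(src in net for net in trusted_nets):
            hits.add((str(src), proto, dport))
    return sorted(hits)


if __name__ == "__main__":
    for src, proto, dport in unexpected_denies(SAMPLE_LOGS, PARTNER_NETS, "CPLANE_IN"):
        print(f"whitelisted source {src} still denied by CPLANE_IN: {proto}/{dport}")
```

Feed it the output of `show logging` (or the syslog collector's export) for the hour in which the tunnel drops; an empty result means the ACL is not what is dropping the peer's traffic.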

The control plane ACL has a blacklist of known bad IP addresses, then a whitelist with every IP I could find/trust. This included the list of our partner org's servers, and it would still stop working after an amount of time.

Looking into the RAVPN protection you listed, I was able to upgrade to 9.18(4). I see that it listed 9.18(4)40; I'm unsure of the difference. If it helps, we are running an ASAv.
