Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1587
Views
20
Helpful
17
Replies

Cisco ASA 5545-X VPN Peers ACL

Go to solution
Slavec
Level 1
Level 1

‎02-03-2021 02:17 PM

Hi there,

 

I manage a ASA 5545-X (9.2something)

 

There are a few VPN tunnels configured, they work fine. But when I try to put lines in the WAN_in ACL, to only allow certain peers to setup a tunnel, it does'n seem to work; anyone can try to establish an VPN tunnel. 

 

What am I overlooking?

 

Labels:
Preview file
79 KB
17 Replies 17

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Slavec

‎02-04-2021 07:36 AM

Basically you are right that incoming VPN does not listen to ACL, especially permit statements. I do note that one of the addresses in your blacklist group is getting denied by your ACL, so perhaps that part of the ACL might be working.

 

It is a fundamental part of processing on ASA (quite different from router processing) that when you enable VPN/ISAKMP on the interface that VPN traffic is allowed and does not need to be permitted in the interface ACL. How much of an issue that might be depends on how you have configured the site to site VPN. If you have 7 site to site VPN are there 7 set peer statements that specify the peer IP address? Or is there an entry that specifies 0.0.0.0 (common when one or more of the remote peers has a dynamic address)? If you specify the 7 peer addresses then you have no real exposure. Even if someone did learn the remote key they would not be able to establish a VPN session if it did not originate from one of those addresses. If one of the peer statements is 0.0.0.0 then there might be some exposure for you.

 

I would also comment on your ACL that you start with a statement that denies the blacklist group to any and specifies ip protocol. It then goes on to deny that group for icmp, for esp, and for isakmp. But if you have denied them for IP traffic the other 3 entries are superfluous.

HTH

Rick

Go to solution
Slavec
Level 1
Level 1
In response to Richard Burts

‎02-04-2021 07:42 AM

All 7 VPN site-2-site have specific peer addresses in them, no 0.0.0.0. 

I always put superfluous lines in just to check; I would me worried if the IP would deny, but I would still get hits on the ICMP. 

 

But on the issue of the peers; as long there is no risk of someone getting a vpn up, then I dont mind.

 

 

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Slavec

‎02-04-2021 08:11 AM

As long as you recognize that they are superfluous and are doing it as a double check that is fine. As long as you are configuring specific peer addresses for vpn then even if someone did learn the local and remote key they would not be able to set up a vpn from a different source address.

HTH

Rick
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card