07-03-2014 04:36 PM
Hi,
I need to filter and block UDP/500 on a Cisco ASA 5510.
I created the following rules
X.X.X.X deny to connect P.P.P.P UDP/500
Y.Y.Y.Y permit to connect P.P.P.P UDP/500
or
Permit some IPs and deny ALL UDP/500 (optional)
Rules:
access-list ACL_OUTSIDE_IN extended deny udp host X.X.X.X interface outside log
access-list ACL_OUTSIDE_IN extended deny udp host X.X.X.X host P.P.P.P eq isakmp
access-list ACL_OUTSIDE_IN extended permit udp host Y.Y.Y.Y host P.P.P.P eq isakmp
access-list ACL_OUTSIDE_IN extended deny udp any host P.P.P.P eq isakmp (optional)
access-group ACL_OUTSIDE_IN in interface outside
access-group ACL_OUTSIDE_IN in interface outside control-plane
When I start packet-tracer, the result is ALLOWED:
packet-tracer input outside udp X.X.X.X 500 P.P.P.P 500
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 68636288, using existing flow
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: allow
This firewall works in dynamic VPN mode because the remote peers use dynamic public IPs.
How can I solve this? Any idea?
Tks
Daniel
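An added illustration, not code from this thread or from Cisco: a small Python model of how the ASA walks an ACL (first matching ACE wins, implicit deny at the end) and, before that, consults its flow table, which is the order the packet-tracer phases above show. The addresses are constructed RFC 5737 placeholders standing in for X.X.X.X, Y.Y.Y.Y and P.P.P.P; the interface-name map, the `Packet` type and the `trace()` helper are assumptions of the model, and the `control-plane` keyword is not modelled. The practical caveat it demonstrates is phase 3 of the posted output: "Found flow with id ..., using existing flow" means an already-established connection was matched and the new ACE was never consulted, so a test against a peer that already has a flow should be repeated after that connection has been cleared (for example with `clear conn address <ip>` on the ASA).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed placeholders (RFC 5737 documentation ranges) for the thread's
# X.X.X.X, Y.Y.Y.Y and P.P.P.P. These are not real hosts.
BLOCKED_PEER = "192.0.2.10"      # X.X.X.X
ALLOWED_PEER = "198.51.100.20"   # Y.Y.Y.Y
OUTSIDE_IP = "203.0.113.1"       # P.P.P.P, the ASA outside interface

INTERFACE_IPS = {"outside": OUTSIDE_IP}          # assumption: nameif -> address
PORT_NAMES = {"isakmp": 500, "domain": 53, "ntp": 123}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def _parse_endpoint(tokens, i):
    """Consume one address spec (any | host A | interface NAME | NET MASK)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if t == "interface":
        return ipaddress.ip_network(INTERFACE_IPS[tokens[i + 1]] + "/32"), i + 2
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse: access-list NAME extended ACTION PROTO SRC DST [eq PORT] [log]"""
    tokens = line.split()
    assert tokens[0] == "access-list" and tokens[2] == "extended"
    action, proto = tokens[3], tokens[4]
    src, i = _parse_endpoint(tokens, 5)
    dst, i = _parse_endpoint(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        dport = PORT_NAMES.get(name) or int(name)
    return Ace(action, proto, src, dst, dport, line)


def evaluate(acl, pkt: Packet, existing_flows=frozenset()) -> Tuple[str, str]:
    """Flow-table check first (as in packet-tracer phase FLOW-LOOKUP), then
    first-match ACL walk, then the implicit deny."""
    if (pkt.proto, pkt.src, pkt.dst, pkt.dport) in existing_flows:
        return "allow", "existing flow"
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in acl:
        if ace.proto not in (pkt.proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"


# The four ACEs from the thread, with the placeholders substituted.
ACL_OUTSIDE_IN = [parse_ace(l) for l in [
    f"access-list ACL_OUTSIDE_IN extended deny udp host {BLOCKED_PEER} interface outside log",
    f"access-list ACL_OUTSIDE_IN extended deny udp host {BLOCKED_PEER} host {OUTSIDE_IP} eq isakmp",
    f"access-list ACL_OUTSIDE_IN extended permit udp host {ALLOWED_PEER} host {OUTSIDE_IP} eq isakmp",
    f"access-list ACL_OUTSIDE_IN extended deny udp any host {OUTSIDE_IP} eq isakmp",
]]


def trace(src: str, existing_flows=frozenset()) -> Tuple[str, str]:
    """Model of: packet-tracer input outside udp SRC 500 OUTSIDE_IP 500"""
    return evaluate(ACL_OUTSIDE_IN, Packet("udp", src, OUTSIDE_IP, 500), existing_flows)


if __name__ == "__main__":
    print(trace(BLOCKED_PEER))      # denied by the first ACE
    print(trace(ALLOWED_PEER))      # permitted by the third ACE
    print(trace("192.0.2.99"))      # denied by the catch-all fourth ACE
    # With a flow already in the table the ACL is never reached, which is
    # what the thread's packet-tracer output reports in phase 3.
    print(trace(BLOCKED_PEER, {("udp", BLOCKED_PEER, OUTSIDE_IP, 500)}))
```

Running the script prints a deny for the blocked peer, a permit for the allowed peer, a deny from the catch-all ACE for an unlisted peer, and then "allow / existing flow" for the blocked peer once a matching flow is present, reproducing the ALLOW the poster saw.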
07-06-2014 08:30 AM
Hi Daniel,
I tested this in my lab but could not replicate the issue. Also, please confirm whether you are referring to P.P.P.P as your ASA interface's IP. To check if the packets are really getting dropped, you can apply "capture asp type asp-drop all" and run "show cap asp | in <IP_of_originating_host>", and this will show the dropped packets along with the reason.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-07-2014 08:32 AM
Hi Dinesh,
Yes, my IP P.P.P.P is the ASA interface.
And when I do the capture, I can't see a drop. I believe it is not matching the ACL.
I have a friend who said that in a video by Brian McGahan (INE CCIE Security), he talks about this filter.
Do you know something about it?
I'm researching and looking for that video.