Restrict and Filter UDP/500 Cisco ASA

Daniel Barbosa
Level 1

Hi,

I need to filter and block UDP/500 on a Cisco ASA 5510.

I created the following rules

X.X.X.X: deny connecting to P.P.P.P UDP/500

Y.Y.Y.Y: permit connecting to P.P.P.P UDP/500

or

Permit some IPs and deny ALL UDP/500 (optional)

Rules:

access-list ACL_OUTSIDE_IN extended deny udp host X.X.X.X interface outside log 
access-list ACL_OUTSIDE_IN extended deny udp host X.X.X.X host P.P.P.P eq isakmp

access-list ACL_OUTSIDE_IN extended permit udp host Y.Y.Y.Y host P.P.P.P eq isakmp

access-list ACL_OUTSIDE_IN extended deny udp any host P.P.P.P eq isakmp (optional)

access-group ACL_OUTSIDE_IN  in interface outside
access-group ACL_OUTSIDE_IN  in interface outside control-plane

When I run packet-tracer, the result is ALLOWED:

packet-tracer input outside udp X.X.X.X 500 P.P.P.P 500

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 68636288, using existing flow

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: allow

This firewall works in dynamic VPN mode because the remote peers use dynamic public IPs.

How can I solve this? Any idea?

Thanks

Daniel
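The trace above is worth reading line by line: Phase 2 shows "Implicit Rule" rather than an entry from ACL_OUTSIDE_IN, and Phase 3 reports "using existing flow", which means the packet matched a connection that was already in the ASA's connection table, so the interface ACL was never consulted for it. The checker below is an added example, not code from the post or from Cisco: it parses packet-tracer output into phases, extracts the reused flow id, and reports whether any configured access-list entry was actually hit. The first sample is the trace quoted in the post (phases 2-3 and the summary); the second is a constructed sample in the assumed ASA output format showing what a trace looks like once the deny ACE is evaluated and hit.

```python
# Added example: parse Cisco ASA packet-tracer output and flag a trace that reused an
# existing connection, since such a trace never re-evaluates the interface ACL.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample 1: phases 2-3 and the summary of the trace quoted in the post.
TRACE_EXISTING_FLOW = """\
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 68636288, using existing flow

Result:
Action: allow
"""

# Constructed sample 2 (assumed ASA output format, not from the post): the same
# packet traced after the connection was cleared, so the deny ACE is hit.
TRACE_ACL_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group ACL_OUTSIDE_IN in interface outside
access-list ACL_OUTSIDE_IN extended deny udp host X.X.X.X host P.P.P.P eq isakmp

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"

@dataclass
class TraceReport:
    action: Optional[str]
    drop_reason: Optional[str]
    existing_flow_id: Optional[int]  # set when FLOW-LOOKUP reused a connection
    explicit_acl_hits: List[int]     # phases where a configured ACE, not "Implicit Rule", matched
    warnings: List[str]

_FLOW_RE = re.compile(r"Found flow with id (\d+), using existing flow")

def parse_packet_tracer(text: str) -> Tuple[List[Phase], Dict[str, str]]:
    # summary holds the key/value lines of the final bare "Result:" block
    phases, current, section, summary = [], None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, has_colon, value = line.partition(":")
        value = value.strip()
        if key == "Phase":
            current = Phase(number=int(value))
            phases.append(current)
            section = None
        elif key == "Result" and value == "":  # bare "Result:" opens the summary block
            current, section = None, None
        elif current is None:
            if has_colon:
                summary[key] = value
        elif key in ("Type", "Result"):
            setattr(current, key.lower(), value)
        elif key in ("Config", "Additional Information"):
            section = "config" if key == "Config" else "info"
        elif section:
            getattr(current, section).append(line)
    return phases, summary

def analyze(text: str) -> TraceReport:
    phases, summary = parse_packet_tracer(text)
    flow_id, acl_hits, warnings = None, [], []
    for p in phases:
        if p.type == "FLOW-LOOKUP":
            for m in filter(None, map(_FLOW_RE.search, p.info)):
                flow_id = int(m.group(1))
        if p.type == "ACCESS-LIST" and p.config and not any("Implicit Rule" in c for c in p.config):
            acl_hits.append(p.number)
    if flow_id is not None:
        warnings.append(f"trace reused existing connection {flow_id}; interface ACL not evaluated, clear it and re-run")
    if not acl_hits:
        warnings.append("no configured access-list entry matched in this trace")
    return TraceReport(summary.get("Action"), summary.get("Drop-reason"), flow_id, acl_hits, warnings)
```

Run `analyze(TRACE_EXISTING_FLOW)` and it returns both warnings with `existing_flow_id == 68636288`; `analyze(TRACE_ACL_DROP)` returns no warnings and lists phase 1 as an explicit ACL hit. On a live ASA the equivalent check is `show conn address X.X.X.X` to confirm the UDP/500 connection already exists, then `clear conn address X.X.X.X` before re-running packet-tracer, so the trace exercises the ACL instead of the existing-flow shortcut.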

2 Replies

Dinesh Moudgil
Cisco Employee

Hi Daniel,

I tested this in my lab but could not replicate the issue. Also, please confirm whether P.P.P.P is your ASA interface's IP. To check if the packets are really getting dropped, you can apply "capture asp type asp-drop all" and run "show cap asp | in <IP_of_originating_host>"; these will show the dropped packets along with the reason.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

Yes, my ip P.P.P.P is the ASA Interface.

And when I do a capture, I can't see any drops. I believe it is not matching the ACL.

I have a friend who said that in an INE CCIE Security video by Brian McGahan, he talks about this filter.

Do you know anything about it?

I'm researching and looking for that video.