ASA 5505 limit VPN connections to specific peer IP addresses.

itnsengineer
Level 1

Have an ASA 5505 with several site-to-site VPN tunnels established and working. Is there a way to block all connections on port 500 except for the two peers that are already connected? Right now, when a security company does an outside port scan security assessment, it shows that port 500 is open on the firewall and causes a failure in the report.

In other words, I want to close the port from outside access with the exception of the specific public IPs of the peer sites.

Any suggestions would be helpful.

1 Reply

Peter Long
Level 1

I'm pretty sure you would need to filter upstream, i.e. with an ACL on the router, and on the ASA you enable ISAKMP on the outside interface, so this behaviour is normal.

But having UDP 500 open is not really a vulnerability? If an attacker can't get a matching phase one policy then they can't get in (assuming you have the recent IKE vulnerability patched, see the following link).

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Pete
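As an added illustration of the upstream filtering Peter suggests (example configuration, not taken from this thread or from Cisco documentation): an IOS-style extended ACL on the router in front of the ASA that permits IKE (UDP/500), NAT-T (UDP/4500) and ESP only from the two known peers and drops IKE from everyone else. The peer addresses 198.51.100.10 and 203.0.113.20, the ASA outside address 192.0.2.1 and the interface name GigabitEthernet0/0 are placeholders chosen for the example.

```text
! Hypothetical upstream router configuration (added example, placeholder addresses)
ip access-list extended OUTSIDE-IN
 remark Allow IKE, NAT-T and ESP only from the two known VPN peers
 permit udp host 198.51.100.10 host 192.0.2.1 eq isakmp
 permit udp host 203.0.113.20 host 192.0.2.1 eq isakmp
 permit udp host 198.51.100.10 host 192.0.2.1 eq non500-isakmp
 permit udp host 203.0.113.20 host 192.0.2.1 eq non500-isakmp
 permit esp host 198.51.100.10 host 192.0.2.1
 permit esp host 203.0.113.20 host 192.0.2.1
 remark Drop IKE and NAT-T from any other source so an external scan does not see them
 deny   udp any host 192.0.2.1 eq isakmp
 deny   udp any host 192.0.2.1 eq non500-isakmp
 remark Keep everything else flowing to the ASA, which still applies its own policy
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet-facing interface (assumed name)
 ip access-group OUTSIDE-IN in
```

The two `deny` lines sit after the peer-specific permits so the existing tunnels keep working while unsolicited IKE from the rest of the Internet is dropped; the trailing `permit ip any any` only exists to avoid the implicit deny at the end of the list, and should be replaced by whatever other rules the site already enforces. If the peers sit behind NAT they will use UDP/4500 rather than UDP/500, which is why both are covered. After applying the ACL, confirm the tunnels are still up on the ASA and re-run the external scan to verify UDP/500 no longer reports as open.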