08-07-2024 06:14 PM
Good day!
When I checked our public IP on the Censys.io site, it listed the open port on our router. Is it possible to hide port IKE 500 from the internet or exclude it from being scanned? I tried the following configuration on the device running ASA Version 9.14(1) but it is still visible.
Did I miss something? Thank you in advance for any help.
access-list ALLOW_IKE extended permit udp object Azure-IP object Corp-IP eq 500
access-list ALLOW_IKE extended permit udp object Corp-IP object Azure-IP eq 500
access-list ALLOW_IKE extended permit esp object Azure-IP object Corp-IP
access-list ALLOW_IKE extended permit esp object Corp-IP object Azure-IP
access-list ALLOW_IKE extended permit udp object Azure-IP object Corp-IP eq 4500
access-list ALLOW_IKE extended permit udp object Corp-IP object Azure-IP eq 4500
access-list BLOCK_IKE extended deny udp any any eq 500
class-map ALLOW_IKE_CLASS
match access-list ALLOW_IKE
exit
class-map BLOCK_IKE_CLASS
match access-list BLOCK_IKE
exit
policy-map CONTROL_IKE_POLICY
class ALLOW_IKE_CLASS
inspect ipsec-pass-thru
exit
class BLOCK_IKE_CLASS
inspect ipsec-pass-thru
exit
exit
service-policy CONTROL_IKE_POLICY interface outside
no sysopt connection permit-vpn
08-07-2024 06:20 PM
Use an ACL with control-plane.
Deny UDP port 500,
and apply it to the outside interface.
MHM
08-07-2024 06:26 PM
Thanks for the suggestion, @MHM Cisco World.
I'm not familiar with ASA, but I will check how to use and configure a control-plane ACL. I'll let you know the result.
08-07-2024 06:35 PM
08-07-2024 06:56 PM - edited 08-07-2024 07:02 PM
May I know if the config below aligns with what you were suggesting?
access-list ALLOW_IKE extended permit udp object Azure-IP object Corp-IP eq 500
access-list ALLOW_IKE extended permit udp object Corp-IP object Azure-IP eq 500
access-list ALLOW_IKE extended permit esp object Azure-IP object Corp-IP
access-list ALLOW_IKE extended permit esp object Corp-IP object Azure-IP
access-list ALLOW_IKE extended permit udp object Azure-IP object Corp-IP eq 4500
access-list ALLOW_IKE extended permit udp object Corp-IP object Azure-IP eq 4500
access-list ALLOW_IKE extended deny udp any any eq 500
access-group ALLOW_IKE in interface outside control-plane
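To see why the order of those seven lines matters, here is an added illustration (not code from this thread, not Cisco's code) that parses the ACL posted above and walks it the way the ASA evaluates an ACL: top to bottom, first matching entry wins, and anything that matches no entry falls to the implicit deny at the end. The addresses behind the Azure-IP and Corp-IP objects are constructed placeholders, since the thread never shows the real ones; the parser only handles the "object NAME" / "any" address forms and the optional "eq PORT" that these lines use.

```python
"""First-match evaluation of an ASA-style extended ACL (added illustration)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed addresses for the two network objects (placeholders, not the
# poster's real ones).  "any" maps to 0.0.0.0/0, as it does on the ASA.
OBJECTS = {
    "Azure-IP": ipaddress.ip_network("203.0.113.10/32"),
    "Corp-IP": ipaddress.ip_network("198.51.100.1/32"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}

# The control-plane ACL from the thread, in the order it was posted.
ACL_TEXT = """\
access-list ALLOW_IKE extended permit udp object Azure-IP object Corp-IP eq 500
access-list ALLOW_IKE extended permit udp object Corp-IP object Azure-IP eq 500
access-list ALLOW_IKE extended permit esp object Azure-IP object Corp-IP
access-list ALLOW_IKE extended permit esp object Corp-IP object Azure-IP
access-list ALLOW_IKE extended permit udp object Azure-IP object Corp-IP eq 4500
access-list ALLOW_IKE extended permit udp object Corp-IP object Azure-IP eq 4500
access-list ALLOW_IKE extended deny udp any any eq 500
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "udp", "tcp" or "esp"
    dport: Optional[int] = None  # None for protocols without ports (esp)


@dataclass(frozen=True)
class Ace:
    line_no: int                # 1-based position in the ACL
    action: str                 # "permit" or "deny"
    proto: str
    src: str                    # object name or "any"
    dst: str
    dport: Optional[int]        # None: any port / protocol without ports

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto == pkt.proto
            and ipaddress.ip_address(pkt.src) in OBJECTS[self.src]
            and ipaddress.ip_address(pkt.dst) in OBJECTS[self.dst]
            and (self.dport is None or self.dport == pkt.dport)
        )


def _take_address(tokens: List[str]) -> str:
    """Consume 'object NAME' or 'any' from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "object":
        return tokens.pop(0)
    if tok == "any":
        return "any"
    raise ValueError(f"unsupported address form: {tok}")


def parse_acl(text: str) -> List[Ace]:
    """Parse lines of the form: access-list NAME extended ACTION PROTO SRC DST [eq PORT]."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2] != "extended":
            raise ValueError(f"not an extended ACL line: {line}")
        action, proto = tokens[3], tokens[4]
        rest = tokens[5:]
        src = _take_address(rest)
        dst = _take_address(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = int(rest[1])
            rest = rest[2:]
        if rest:
            raise ValueError(f"trailing tokens in: {line}")
        aces.append(Ace(len(aces) + 1, action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, line_no); line_no is None when the implicit deny applied."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action, ace.line_no
    return "deny", None


def with_deny_first(aces: List[Ace]) -> List[Ace]:
    """Same entries with the explicit deny moved to the top, renumbered."""
    reordered = [a for a in aces if a.action == "deny"] + [a for a in aces if a.action != "deny"]
    return [replace(a, line_no=i + 1) for i, a in enumerate(reordered)]


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    samples = [
        Packet("203.0.113.10", "198.51.100.1", "udp", 500),   # the Azure peer
        Packet("192.0.2.55", "198.51.100.1", "udp", 500),     # an internet scanner
        Packet("192.0.2.55", "198.51.100.1", "udp", 4500),    # not matched: implicit deny
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(ACL, pkt))
```

Running it shows the peer's IKE packet hitting line 1 while a scanner's UDP/500 probe hits the explicit deny on line 7; a probe on a port no line mentions is still denied, by the implicit deny, which is what the later reply means by "will not permit any UDP traffic except the ones you add above the deny line". Moving the deny to the top would block the Azure peer as well, which is why the permits for the known peers must precede it.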
08-07-2024 07:06 PM
You edited it by adding control-plane, and that is totally correct.
Now your FTD will not permit any UDP traffic except the ones you added above the deny udp any any eq 500 line.
Good luck, friend.
MHM
08-07-2024 07:18 PM
I will apply this on the device today and I'll let you know tomorrow. Thank you.
08-11-2024 05:06 PM
It works. Thank you so much.