502 Views | 4 Helpful | 7 Replies

Cisco Firepower 1120 - how can I hide IKE 500/UDP from internet?

gulle_ryan
Level 1

Good day!

When I checked our public IP on the Censys.io site, it listed the open port on our router. Is it possible to hide port IKE 500 from the internet or exclude it from being scanned?  I tried the following configuration on the device running ASA Version 9.14(1) but it is still visible.

Did I miss something? Thank you in advance for any help.

access-list ALLOW_IKE extended permit udp object Azure-IP object Corp-IP eq 500
access-list ALLOW_IKE extended permit udp object Corp-IP object Azure-IP eq 500
access-list ALLOW_IKE extended permit esp object Azure-IP object Corp-IP
access-list ALLOW_IKE extended permit esp object Corp-IP object Azure-IP
access-list ALLOW_IKE extended permit udp object Azure-IP object Corp-IP eq 4500
access-list ALLOW_IKE extended permit udp object Corp-IP object Azure-IP eq 4500
access-list BLOCK_IKE extended deny udp any any eq 500

class-map ALLOW_IKE_CLASS
match access-list ALLOW_IKE
exit

class-map BLOCK_IKE_CLASS
match access-list BLOCK_IKE
exit

policy-map CONTROL_IKE_POLICY
class ALLOW_IKE_CLASS
inspect ipsec-pass-thru
exit
class BLOCK_IKE_CLASS
inspect ipsec-pass-thru
exit
exit

service-policy CONTROL_IKE_POLICY interface outside

no sysopt connection permit-vpn


Accepted Solution

Use acl control-plane

Deny udp port 500 

And apply it to Outside interface 

MHM


7 Replies


Thanks for the suggestion @MHM Cisco World .

I'm not familiar with ASA, but I will check how to use and configure an ACL on the control-plane. I'll let you know the result.

@MHM Cisco World 

May I know if the config below aligns with what you were suggesting?

access-list ALLOW_IKE extended permit udp object Azure-IP object Corp-IP eq 500
access-list ALLOW_IKE extended permit udp object Corp-IP object Azure-IP eq 500
access-list ALLOW_IKE extended permit esp object Azure-IP object Corp-IP
access-list ALLOW_IKE extended permit esp object Corp-IP object Azure-IP
access-list ALLOW_IKE extended permit udp object Azure-IP object Corp-IP eq 4500
access-list ALLOW_IKE extended permit udp object Corp-IP object Azure-IP eq 4500
access-list ALLOW_IKE extended deny udp any any eq 500

access-group ALLOW_IKE in interface outside control-plane

You edited it by adding control-plane, and that is totally correct.
Now your FTD will not permit any UDP traffic except the ones you added above the deny udp any any eq 500 line.

Good luck, friend.

MHM
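To see exactly how the control-plane ACL in the post above behaves, here is an added Python model of ASA first-match ACL evaluation; it is not code from the thread or from Cisco. It parses the seven access-list lines as posted, evaluates a packet against them top to bottom, and ends with the implicit deny that MHM's reply relies on (every to-the-box packet not explicitly permitted is dropped). It also shows why the `deny udp any any eq 500` line must sit after the peer permits: moved to the top, it would block the Azure peer too. The Azure-IP and Corp-IP addresses are constructed placeholders, since the page does not give the real ones. For contrast with the original attempt: an ACL referenced from a class-map only selects traffic for the policy's inspection, and its deny entries exclude packets from the class rather than dropping them, which is why the first MPF configuration left port 500 reachable.

```python
import ipaddress

# Constructed placeholder addresses for the network objects named on the page.
OBJECTS = {
    "Azure-IP": ipaddress.ip_network("203.0.113.10/32"),
    "Corp-IP": ipaddress.ip_network("198.51.100.1/32"),
}

# The control-plane ACL exactly as posted in the thread.
ACL_TEXT = """\
access-list ALLOW_IKE extended permit udp object Azure-IP object Corp-IP eq 500
access-list ALLOW_IKE extended permit udp object Corp-IP object Azure-IP eq 500
access-list ALLOW_IKE extended permit esp object Azure-IP object Corp-IP
access-list ALLOW_IKE extended permit esp object Corp-IP object Azure-IP
access-list ALLOW_IKE extended permit udp object Azure-IP object Corp-IP eq 4500
access-list ALLOW_IKE extended permit udp object Corp-IP object Azure-IP eq 4500
access-list ALLOW_IKE extended deny udp any any eq 500
"""


def _parse_addr(toks, i):
    """Parse one ASA address spec (any / object NAME / host A.B.C.D) at toks[i]."""
    tok = toks[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "object":
        return OBJECTS[toks[i + 1]], i + 2
    if tok == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address token: {tok}")


def parse_acl(text):
    """Turn 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines into entries."""
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] != "access-list":
            continue
        name, action, proto = toks[1], toks[3], toks[4]
        src, i = _parse_addr(toks, 5)
        dst, i = _parse_addr(toks, i)
        dport = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
        entries.append({"name": name, "action": action, "proto": proto,
                        "src": src, "dst": dst, "dport": dport})
    return entries


def evaluate(entries, src, dst, proto, dport=None):
    """First match wins; return (action, 1-based line number) or ('deny', None)
    for the implicit deny at the end of the ACL (assumed to apply to the
    control-plane ACL, as the accepted answer describes)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, e in enumerate(entries, 1):
        if e["proto"] not in (proto, "ip"):
            continue
        if src_ip not in e["src"] or dst_ip not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], n
    return "deny", None


def deny_first(entries):
    """Same entries with the deny lines moved to the top (a common misordering)."""
    return sorted(entries, key=lambda e: e["action"] != "deny")


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    cases = [
        ("Azure peer IKE",        "203.0.113.10", "198.51.100.1", "udp", 500),
        ("Internet scanner IKE",  "192.0.2.55",   "198.51.100.1", "udp", 500),
        ("Internet NAT-T 4500",   "192.0.2.55",   "198.51.100.1", "udp", 4500),
        ("Azure peer ESP",        "203.0.113.10", "198.51.100.1", "esp", None),
    ]
    for label, s, d, p, port in cases:
        print(f"{label:22s} -> {evaluate(ACL, s, d, p, port)}")
    print("deny moved first, Azure IKE ->", evaluate(deny_first(ACL), "203.0.113.10", "198.51.100.1", "udp", 500))
```

Run as-is it prints the verdict and matching line for each constructed packet: the Azure peer is permitted by line 1, an arbitrary internet source hits the explicit deny on line 7, UDP 4500 from the internet falls through to the implicit deny, and ESP from the peer is permitted by line 3.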

@MHM Cisco World

I will apply this on the device today and I'll let you know tomorrow. Thank you.

@MHM Cisco World 

It works. Thank you so much.