Disable ASA IPSEC over UDP

benghock
Level 1

Hi,

Can anyone advise on how to disable IPsec over UDP on an ASA VPN firewall? I just want VPN users to connect with IPsec over TCP on port 10000. I have tried to configure it, but users are still able to connect with both IPsec over UDP and IPsec over TCP.

Thanks in advance.

9 Replies

Jennifer Halim
Cisco Employee

Under group-policy, you can disable ipsec-udp as follows:

group-policy NEO-RWG-NSC attributes

     ipsec-udp disable

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/i3.html#wp1841317

Hope that helps.

Thanks for the info, but I've tried the command and I am still able to connect with IPsec over UDP. Any other ideas?

Also disable NAT traversal:

no crypto isakmp nat-traversal 20

Hopefully that disables all the UDP encapsulation.

I've tried the suggested command and I'm still able to connect with IPsec over UDP. I'd appreciate any further suggestions and ideas.

Thanks.

Can you please advise which UDP port the user is connected to? And does the user fall under the "NEO-RWG-NSC" group policy, or another group?

Please share the output of the following when the user is connected on UDP ports:

show vpn-sessiondb remote filter name

I think you need to define IPsec over UDP. IPsec over UDP (port 10000) is usually blocked by default.

If you are referring to being able to use ISAKMP (UDP port 500) and NAT traversal (UDP port 4500), there is no way to 'block' access to those ports once ISAKMP is enabled, short of putting an access-list on the control plane of the ASA (access-group ... in interface ... control-plane).


However, even IPsec over TCP needs ISAKMP for the initial negotiation (and possibly keepalives/DPD as well), so you can't block port 500. I suppose it is technically possible to block ESP in that access-list on the control plane (so that you would have to be encapsulated in TCP, or in UDP if using NAT traversal at that point), but potentially someone using NAT traversal could still connect and use the VPN. You *could* disable NAT traversal and use the access-list on the control plane to block ESP packets, but I don't think users behind NAT would work at that point, even if they're using TCP.

--Jason
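Putting Jason's control-plane approach into ASA syntax, as an added illustration that is not part of the original thread or of Cisco documentation: the outside interface name, the ASA's public address (203.0.113.10, a documentation address), the ACL name CP-OUTSIDE, the user name in the show command and the reuse of the NEO-RWG-NSC group policy from the thread are all assumptions, and the commands are ASA 8.x syntax. The ACL filters only traffic addressed to the ASA itself, and it ends with a permit so that other to-the-box traffic such as management keeps working; Jason's caveat still applies, so test clients behind NAT in a lab before relying on it.

```text
! Added example (not from the thread): ASA 8.x configuration that leaves only
! ISAKMP (UDP/500) and IPsec over TCP (TCP/10000) reachable on the outside
! interface. Addresses, names and the interface name are assumptions.

! 1. Transport settings: keep IPsec over TCP on its default port, turn off
!    NAT traversal (UDP/4500) and IPsec over UDP in the group policy.
crypto isakmp ipsec-over-tcp port 10000
no crypto isakmp nat-traversal
group-policy NEO-RWG-NSC attributes
 ipsec-udp disable

! 2. To-the-box filter (control plane) on the outside interface.
!    203.0.113.10 is the assumed outside address of the ASA.
access-list CP-OUTSIDE extended permit udp any host 203.0.113.10 eq 500
access-list CP-OUTSIDE extended permit tcp any host 203.0.113.10 eq 10000
access-list CP-OUTSIDE extended deny esp any host 203.0.113.10
access-list CP-OUTSIDE extended deny udp any host 203.0.113.10 eq 4500
! The final permit keeps other to-the-box traffic (e.g. management) working;
! narrow it to your management sources if that is not wanted.
access-list CP-OUTSIDE extended permit ip any any
access-group CP-OUTSIDE in interface outside control-plane

! 3. Check what a connected user actually negotiated ("jdoe" is an assumed user).
show vpn-sessiondb remote filter name jdoe
```

The deny entries for ESP and UDP/4500 are what stop a client that ignores the group-policy setting from falling back to plain ESP or NAT-T encapsulation; without them the transport choice is left to the client.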

I agree with Jason; I just forgot that the crypto command does not have a filtering option (for traffic going to the device).

With the suggestions that Jason added, I could only imagine a design like this:

A router in front doing a one-to-one translation for the VPN endpoint (ASA), and then permitting just TCP port 10000 (the default for IPsec over TCP) and also UDP port 500. ESP packets and port 4500 should be blocked.

It is funny that IPsec over TCP is not a full implementation, since it uses keepalives on UDP port 500.

Just to confirm, I did a lab and all the initial negotiation uses the TCP port.

Anyway, I think that some users will still be allowed to connect, but all their traffic will be dropped.

The other possible solution is to use clients with the UDP option disabled; maybe you can customize the client or use the Cisco code to add that functionality.

IPsec over TCP is a Cisco implementation. I do not see a reason to disable the functionality of plain IPsec; if you do not want to use UDP you can use an SSL solution (although Cisco has also added a DTLS option that uses UDP). If there is a good reason not to use standard IPsec, you should write down all the details and contact a Cisco reseller/sales center to request the "enhancement".

JLSALAS

Is there a way to block or disable port 500 and still have your VPN working fine?

Jorge Salas
Cisco Employee

What if you disabled sysopt connection permit-vpn and opened the outside ACL (access-group), permitting port 10000 and also the VPN traffic?