09-01-2009 06:08 AM
Is there a way to disable isakmp on interfaces that don't need it? Other than writing ACLs? For example my IOS routers are responding to udp 500 on the inside interfaces, and I really only need it on the outside. Not a really big deal, but the auditors want everything not needed disabled. Are there any issues with doing this?
Thank You
09-01-2009 08:21 AM
Well on an IOS and PIX/ASA you enable ISAKMP on a per interface basis anyway - all other interfaces are disabled by default.
Does your audit define you to either lock down non used ports or disable unused services?
As if it's ports - you could run into a bit of a nightmare - I personally would ask for more clarification on the actual requirements.
HTH
09-01-2009 08:46 AM
That is not what I'm seeing. It looks like the router is responding on port 500 with isakmp on all interfaces. There are no crypto statements that name an interface or on any interface. I also don't see a crypto statement that says default.
I'm sure I'm missing something, but what?
The audit request is standard best practice... Disable unused services on all interfaces where possible and appropriate.
This may have to stay on, but just checking. It's nice to be as clean as possible.
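The interface-ACL approach the original poster mentions, written out as an editor's added example (this is not configuration posted by anyone in the thread): the crypto map is bound only to the outside interface, and an inbound ACL on the inside interface drops IKE and NAT-T packets addressed to the router's own inside address, so the inside listener on UDP/500 and UDP/4500 never sees unsolicited traffic. Interface names, the addresses (RFC 5737 documentation ranges), the ACL and crypto map names, and the pre-shared key placeholder are all assumptions.

```cisco
! Added example, not from the thread. Names and addresses are assumed.
!
! 1. IKE/IPsec peering stays bound to the outside interface only.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
! Placeholder key; replace before use.
crypto isakmp key REPLACE-WITH-REAL-PSK address 203.0.113.10
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 description Outside - VPN peer facing
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN-MAP
!
! 2. Inside interface: drop IKE (UDP/500) and NAT-T (UDP/4500) sent to the
!    router's own inside address, leave all other traffic untouched.
!    Matching on the interface address (not "any") keeps inside hosts'
!    own VPN clients working, since their IKE packets transit to other
!    destinations rather than terminating on this router.
ip access-list extended BLOCK-ISAKMP-INSIDE
 deny   udp any host 192.0.2.1 eq isakmp
 deny   udp any host 192.0.2.1 eq non500-isakmp
 permit ip any any
interface GigabitEthernet0/1
 description Inside - no VPN termination expected
 ip address 192.0.2.1 255.255.255.0
 ip access-group BLOCK-ISAKMP-INSIDE in
```

After applying it, `show crypto map` confirms the map is attached only to the outside interface, `show ip sockets` still lists the UDP/500 listener (the ACL filters in front of it rather than closing it), and the `deny` counters in `show ip access-lists BLOCK-ISAKMP-INSIDE` show whether anything on the inside is actually sending IKE to the router. The ACL has the side effect of logging nothing by default; add `log` to the deny lines if the audit wants evidence of blocked attempts.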
09-02-2009 01:43 AM
What response do you get from the device on all ports - that indicates that it wants to start the isakmp negotiation process?