Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
527
Views
0
Helpful
4
Replies

IPsec packets(ESP) are not filtered by ASA firewall rule??

DaeHeon Kang
Level 1
Level 1

‎10-27-2016 11:19 PM - edited ‎02-21-2020 09:01 PM

I've found out that IPsec packets(ESP) are not filtered by ASA firewall rule even if I put the rule for denying two VPN peer IPs and ESP service.

IPsec packets were even possible to go through the firewall rule, which deny any IP of source and destination and IP service.

What I understood from the test result is that IPsec packet is basically given exemption from a firewall rule.

I'd like to get clarified how ASA processes differently between IPsec packets and normal packets.

In addition, how can I block IPsec packets with ASA firewall?

Labels:
0 Helpful
4 Replies 4

JP Miranda Z
Cisco Employee
Cisco Employee

‎10-28-2016 05:52 AM

Hi 

sysopt connection permit-vpn:

sysopt connection permit-vpn

For traffic that enters the security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpncommand in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.

sysopt connection permit-vpn

no sysopt connection permit-vpn

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/s8.html#wp1412217

Hope this info helps!!

Rate if helps you!! 

-JP-

0 Helpful

Karsten Iwen
VIP
VIP

‎10-29-2016 03:04 AM

You have to distinguish two situations:

  1. Filtering IPses traffic that flows through the ASA and terminates on a gateway that sits for example in your DMZ
  2. IPsec traffic that is terminated on your ASA.

Are you talking about the second one? By default the ACLs on the ASA do not control traffic has a destination of the ASA itself. The ACL is only for through-traffic on the ASA.

Traffic to the ASA is controlled by specific service commands as you have probably set for ssh/http/icmp ... From this perspective, the ASA behaves as designed.

0 Helpful

DaeHeon Kang
Level 1
Level 1
In response to Karsten Iwen

‎10-31-2016 12:20 AM

Hi, Karsten

I am talking about the second case.

0 Helpful

Karsten Iwen
VIP
VIP
In response to DaeHeon Kang

‎10-31-2016 01:04 AM

ok, and you tried to control that with the interface ACL? Then it "works as designed".

0 Helpful
Customers Also Viewed These Support Documents