I've found out that IPsec packets (ESP) are not filtered by an ASA firewall rule even if I put in a rule denying the two VPN peer IPs and the ESP service.
IPsec packets were even able to go through a firewall rule that denies any source and destination IP and the IP service.
What I understood from the test result is that IPsec packets are basically given an exemption from firewall rules.
I'd like clarification on how the ASA processes IPsec packets differently from normal packets.
In addition, how can I block IPsec packets with ASA firewall?
Hi DaeHeon Kang,
Check if you have the command sysopt connection permit-vpn:
For traffic that enters the security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.
sysopt connection permit-vpn
no sysopt connection permit-vpn
Hope this info helps!!
Rate if helps you!!
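As an added illustration (not part of the original answer), here is a constructed ASA configuration fragment showing the default that lets decrypted tunnel traffic bypass the interface ACL, beside the setting that makes it subject to the ACL again. The interface name (outside), the ACL name (OUTSIDE_IN) and the addresses (192.0.2.0/24 and 10.10.10.0/24) are assumptions chosen for the example.

```cisco
! Constructed example, not from the thread. Check the current state first:
show running-config sysopt

! Default: traffic arriving through a VPN tunnel and decrypted by the ASA
! skips the interface access list (group-policy / per-user ACLs still apply).
sysopt connection permit-vpn

! Disable the bypass so decrypted tunnel traffic is evaluated by the
! interface ACL like any other through-traffic.
no sysopt connection permit-vpn

! Example interface ACL that now applies to the decrypted traffic
! (assumed names/addresses). Note: this governs traffic passing through
! the ASA after decryption, not ESP packets addressed to the ASA itself.
access-list OUTSIDE_IN extended deny ip 192.0.2.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
```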
You have to distinguish two situations:
Are you talking about the second one? By default the ACLs on the ASA do not control traffic that has a destination of the ASA itself. The ACL is only for through-traffic on the ASA.
Traffic to the ASA is controlled by specific service commands as you have probably set for ssh/http/icmp ... From this perspective, the ASA behaves as designed.
OK, and you tried to control that with the interface ACL? Then it "works as designed".