cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
369
Views
0
Helpful
4
Replies
DaeHeon Kang
Beginner

IPsec packets(ESP) are not filtered by ASA firewall rule??

I've found out that IPsec packets(ESP) are not filtered by ASA firewall rule even if I put the rule for denying two VPN peer IPs and ESP service.

IPsec packets were even possible to go through the firewall rule, which deny any IP of source and destination and IP service.

What I understood from the test result is that IPsec packet is basically given exemption from a firewall rule.

I'd like to get clarified how ASA processes differently between IPsec packets and normal packets.

In addition, how can I block IPsec packets with ASA firewall?

4 REPLIES 4
JP Miranda Z
Cisco Employee

Hi 

sysopt connection permit-vpn:

sysopt connection permit-vpn

For traffic that enters the security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpncommand in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.

sysopt connection permit-vpn

no sysopt connection permit-vpn

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/s8.html#wp1412217

Hope this info helps!!

Rate if helps you!! 

-JP-

Karsten Iwen
VIP Mentor

You have to distinguish two situations:

  1. Filtering IPses traffic that flows through the ASA and terminates on a gateway that sits for example in your DMZ
  2. IPsec traffic that is terminated on your ASA.

Are you talking about the second one? By default the ACLs on the ASA do not control traffic has a destination of the ASA itself. The ACL is only for through-traffic on the ASA.

Traffic to the ASA is controlled by specific service commands as you have probably set for ssh/http/icmp ... From this perspective, the ASA behaves as designed.

Hi, Karsten

I am talking about the second case.

ok, and you tried to control that with the interface ACL? Then it "works as designed".

Content for Community-Ad