10-27-2016 11:19 PM - edited 02-21-2020 09:01 PM
I've found out that IPsec packets (ESP) are not filtered by an ASA firewall rule, even if I put in a rule denying the two VPN peer IPs and the ESP service.
IPsec packets were even able to go through a firewall rule which denies any source IP, any destination IP and the IP service.
What I understood from the test result is that IPsec packets are basically given an exemption from firewall rules.
I'd like to get clarified how the ASA processes IPsec packets differently from normal packets.
In addition, how can I block IPsec packets with the ASA firewall?
10-28-2016 05:52 AM
Hi DaeHeon Kang,
Check if you have the command sysopt connection permit-vpn:
For traffic that enters the security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.
sysopt connection permit-vpn
no sysopt connection permit-vpn
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/s8.html#wp1412217
Hope this info helps!!
Rate if helps you!!
-JP-
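As an added illustration of the setting JP describes (not configuration from this thread or from Cisco), the fragment below shows the default that lets decrypted tunnel traffic skip the interface ACL next to the corrected form that makes the ACL apply; this only governs decrypted through-traffic, since ESP and IKE packets addressed to the ASA's own interface are to-the-box traffic and are not subject to interface ACLs either way. The interface name "outside", the ACL name OUTSIDE_IN and the subnets 10.1.1.0/24 (local) and 10.2.2.0/24 (remote) are constructed for the example.

```cisco
! Added example, not from the thread. Interface name, ACL name and the
! 10.1.1.0/24 (local) and 10.2.2.0/24 (remote) subnets are constructed.

! Default: decrypted VPN traffic bypasses the interface ACL, so a deny
! in OUTSIDE_IN below is never evaluated for it.
sysopt connection permit-vpn

! Corrected setting: decrypted tunnel traffic is checked against the ACL
! bound to the interface it arrived on, like any other through-traffic.
no sysopt connection permit-vpn

! Interface ACL: the first entry blocks decrypted traffic from the remote
! LAN to one internal host, the second permits the rest of the tunnel traffic.
access-list OUTSIDE_IN extended deny ip 10.2.2.0 255.255.255.0 host 10.1.1.50
access-list OUTSIDE_IN extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group OUTSIDE_IN in interface outside

! Verification: the default is hidden from a plain "show running-config",
! so use "all" to see which form is actually in effect.
show running-config all | include sysopt connection permit-vpn
```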
10-29-2016 03:04 AM
You have to distinguish two situations:
Are you talking about the second one? By default the ACLs on the ASA do not control traffic that has a destination of the ASA itself. The ACL is only for through-traffic on the ASA.
Traffic to the ASA is controlled by specific service commands as you have probably set for ssh/http/icmp ... From this perspective, the ASA behaves as designed.
10-31-2016 12:20 AM
Hi, Karsten
I am talking about the second case.
10-31-2016 01:04 AM
ok, and you tried to control that with the interface ACL? Then it "works as designed".