06-04-2025 12:14 AM
Hi All,
I have done an IPsec setup as below (link), where one end ASA has a public IP and the remote end is dynamic and that ASA is behind NAT.
Configure ASA-to-ASA Dynamic-to-Static IKEv1/IPsec - Cisco
Currently, the hub Cisco ASA accepts IPsec tunnels from any IP range, but I want to lock it down to a specific public IP range and block all others.
Can someone please tell me the command to enter on the Cisco ASA hub firewall so that I can allow a specific IP range instead of allowing the entire internet?
06-04-2025 12:20 AM
@aprasad11 Configure a control-plane ACL on the ASA to restrict udp/500, udp/4500 (if NAT) and ESP traffic.
Example configuration for an ASA - https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221457-configure-control-plane-access-control-p.html#toc-hId-345647317
06-04-2025 12:51 AM
Thank you for the reply. I have a Cisco ASA 5525.
06-04-2025 12:57 AM
@aprasad11 The control-plane ACL will work on ASA software, as per the example provided above.
06-04-2025 08:30 AM
You would need something similar to this, as mentioned in the other thread:
access-list CONTROL-PLANE extended permit esp host 1.1.1.1 any
access-list CONTROL-PLANE extended permit udp host 1.1.1.1 any eq 500
access-list CONTROL-PLANE extended permit udp host 1.1.1.1 any eq 4500
access-list CONTROL-PLANE extended deny esp any any
access-list CONTROL-PLANE extended deny udp any any eq 500
access-list CONTROL-PLANE extended deny udp any any eq 4500
access-list CONTROL-PLANE extended permit ip any any
access-group CONTROL-PLANE in interface outside control-plane
The IP address 1.1.1.1 should be replaced with the remote peer that will be allowed to establish the VPN tunnel with your ASA. The destination keyword "any" in the permit lines could be replaced with your ASA outside interface public IP.
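As an added illustration (not a post from this thread), here is the same control-plane ACL with the single host replaced by the public IP range the original question asked about. The range goes into an object-group so further ranges can be added later without re-ordering the ACL, and the destination is pinned to the hub's own outside address. The range 203.0.113.0/24, the hub outside address 198.51.100.10 and the object-group name VPN-PEER-RANGE are placeholders, not values from the thread.

```cisco
! Added example: restrict IKE/ESP to a whole peer range instead of one host.
! Placeholders: 203.0.113.0/24 = allowed remote public range,
!               198.51.100.10  = hub ASA outside interface IP.
object-group network VPN-PEER-RANGE
 network-object 203.0.113.0 255.255.255.0
!
! Allow IKE (udp/500), NAT-T (udp/4500, needed because the remote ASA is behind NAT)
! and ESP only from the peer range, and only to the hub's own outside address.
! Entries are evaluated top-down, so the permits must come before the denies.
access-list CONTROL-PLANE extended permit udp object-group VPN-PEER-RANGE host 198.51.100.10 eq 500
access-list CONTROL-PLANE extended permit udp object-group VPN-PEER-RANGE host 198.51.100.10 eq 4500
access-list CONTROL-PLANE extended permit esp object-group VPN-PEER-RANGE host 198.51.100.10
!
! Drop the same protocols from everyone else on the internet.
access-list CONTROL-PLANE extended deny udp any any eq 500
access-list CONTROL-PLANE extended deny udp any any eq 4500
access-list CONTROL-PLANE extended deny esp any any
!
! A control-plane ACL ends in an implicit deny, so keep the rest of the
! to-the-box traffic on the outside interface working as before.
access-list CONTROL-PLANE extended permit ip any any
!
! Apply it to traffic destined to the ASA itself (not through-traffic).
access-group CONTROL-PLANE in interface outside control-plane
!
! Verify: the permit lines' hit counts should increase when the remote peer
! negotiates, and the deny lines' hit counts when anyone else probes udp/500.
show access-list CONTROL-PLANE
clear access-list CONTROL-PLANE counters
```

Two caveats for this setup. First, because the remote ASA sits behind NAT, the range you permit is the remote site's post-NAT public address range, not anything the remote ASA itself is configured with. Second, since that address is dynamic, an ISP change that lands outside the permitted range will make the tunnel silently fail to build; the deny lines' hit counts in `show access-list CONTROL-PLANE` are the quickest way to confirm that is what happened. The control-plane ACL only filters traffic addressed to the ASA, so the normal outside interface ACL for through-traffic is unaffected.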