06-06-2022 10:14 AM
I have a Cisco ASA5506 running 9.9. We have multiple L2L VPN tunnels going on. The PCI scan is failing because UDP port 500 is open to anyone.
A few of the posts talk about using the control-plane ACL. I have never used it; is the following config going to do the job?
I would like to block UDP/500 from all IPs except the trusted VPN peers.
!
object-group network objTrustedVPNPeers
network-object host 1.1.1.1
network-object host 2.2.2.2
network-object host 3.3.3.3
!
access-list acl_ControlPlane extended permit udp object-group objTrustedVPNPeers any eq 500
access-list acl_ControlPlane extended deny udp any any eq 500
!
access-group acl_ControlPlane in interface outside control-plane
!
06-06-2022 10:19 AM
@S Kumar yes, you'd need to use a control plane ACL to restrict this VPN traffic; however, the VPN uses more than just udp/500. You'd need to permit ESP and, if NAT is in the path, udp/4500.
06-06-2022 12:14 PM
Hi Rob,
Appreciate your response.
I already understand that I have to use a control plane ACL. Unlike regular access rules, there is no implicit deny for a control-plane ACL, so I don't need a permit entry for ESP because I am not denying it to begin with. The purpose of blocking 500 is to block the non-trusted IPs who may try to brute force the pre-shared key. If I am successfully blocking ISAKMP then I don't need to worry about ESP or AH.
06-06-2022 12:22 PM - edited 06-06-2022 12:26 PM
That's not what @Rob Ingram means.
When IPsec is being established it uses UDP/500;
this is used for control and for establishing IPsec.
BUT
the real data traffic can use UDP 4500. Why this?
Because IPsec uses this UDP port to override any NAT in the path,
and as @Rob Ingram suggests, you need to allow this port.
This is like IPsec bypassing the ASA, but as @Rob Ingram said, with control-plane we can use the same ACL but with the keyword control-plane at the end.
https://www.petenetlive.com/KB/Article/0001428
06-06-2022 11:13 AM - edited 06-06-2022 11:58 AM
My answer is correct by @Rob Ingram
thanks.
06-06-2022 11:16 AM
@MHM Cisco World that's incorrect, a "control-plane" ACL restricts traffic "to" the ASA itself, whereas a normal ACL is for traffic "through" the ASA.
06-15-2022 09:01 AM - edited 06-15-2022 09:01 AM
If anyone else is looking for the same solution, the following has worked for me.
!
object-group network objTrustedVPNPeers
network-object host 1.1.1.1
network-object host 2.2.2.2
network-object host 3.3.3.3
!
access-list acl_ControlPlane extended permit udp object-group objTrustedVPNPeers any eq 500
access-list acl_ControlPlane extended deny udp any any eq 500
!
access-group acl_ControlPlane in interface outside control-plane
!
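As an added example (not from any of the posters and not Cisco code), the Python script below models how the posted control-plane ACL evaluates packets addressed to the ASA itself: first-match ordering, the object-group expansion, and the no-implicit-deny behaviour the original poster relies on, so that anything the ACL does not match still reaches the firewall's own services. It is useful for checking what the two ACE lines actually cover before a PCI rescan: UDP/500 from a trusted peer is permitted, UDP/500 from anywhere else is denied, and UDP/4500 and ESP (the traffic Rob Ingram and MHM mention) are untouched by this ACL. The peer addresses are the thread's placeholders; the outside interface address 198.51.100.1 and the untrusted source 203.0.113.9 are constructed documentation addresses. The `control_plane=False` path is an assumption about a through-the-box ACL, included only to show the contrast.

```python
"""Model first-match evaluation of an ASA access-list against test packets.

Added example for the thread above; not the poster's code and not Cisco's.
Peer addresses are the thread's placeholders, other addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# The configuration exactly as posted in the accepted solution.
ASA_CONFIG = """
object-group network objTrustedVPNPeers
 network-object host 1.1.1.1
 network-object host 2.2.2.2
 network-object host 3.3.3.3
access-list acl_ControlPlane extended permit udp object-group objTrustedVPNPeers any eq 500
access-list acl_ControlPlane extended deny udp any any eq 500
access-group acl_ControlPlane in interface outside control-plane
"""


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp", "esp", "ah", "ip" (ip = any protocol)
    src: list              # list of ip_network objects
    dst: list
    dport: Optional[int]   # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr(tok: List[str], i: int, groups: Dict[str, list]):
    """Consume one ASA address token group starting at tok[i]; return (nets, next_index)."""
    if tok[i] == "any":
        return [ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return list(groups[tok[i + 1]]), i + 2
    # Plain "address netmask" form, e.g. 10.0.0.0 255.255.255.0
    return [ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2


def parse_asa(config: str) -> Dict[str, List[Ace]]:
    """Parse network object-groups and extended ACEs; returns ACL name -> ordered ACE list."""
    groups: Dict[str, list] = {}
    acls: Dict[str, List[Ace]] = {}
    current_group = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            current_group = tok[2]
            groups[current_group] = []
        elif tok[0] == "network-object" and current_group:
            if tok[1] == "host":
                groups[current_group].append(ip_network(tok[2]))
            else:
                groups[current_group].append(ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "access-list" and tok[2] == "extended":
            current_group = None
            name, action, proto = tok[1], tok[3], tok[4]
            src, i = _addr(tok, 5, groups)
            dst, i = _addr(tok, i, groups)
            dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        else:
            current_group = None  # access-group and anything else ends a group block
    return acls


def evaluate(aces: List[Ace], pkt: Packet, control_plane: bool = True) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based ACE number) for the first matching ACE, or the default."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for n, ace in enumerate(aces, 1):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if any(s in net for net in ace.src) and any(d in net for net in ace.dst):
            return ace.action, n
    # No ACE matched. A through-the-box interface ACL ends in an implicit deny;
    # a control-plane ACL does not (as the thread states), so the traffic is allowed.
    return ("permit" if control_plane else "deny"), None


if __name__ == "__main__":
    aces = parse_asa(ASA_CONFIG)["acl_ControlPlane"]
    outside = "198.51.100.1"  # constructed ASA outside address
    for pkt in (Packet("udp", "1.1.1.1", outside, 500),
                Packet("udp", "203.0.113.9", outside, 500),
                Packet("udp", "203.0.113.9", outside, 4500),
                Packet("esp", "203.0.113.9", outside)):
        print(pkt, "->", evaluate(aces, pkt))
```

Running it shows that only the two UDP/500 cases are decided by the ACL; the UDP/4500 and ESP packets fall through unmatched and are permitted by the control-plane default, which is exactly why the poster says no permit entries for ESP are needed.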