Only Allow Trusted IP's to access IPSEC UDP Port 500 on Cisco ASA

S Kumar
Level 1

I have a Cisco ASA5506 running 9.9. We have multiple L2L VPN tunnels. The PCI scan is failing because UDP port 500 is open to anyone.

A few of the posts talk about using the control-plane ACL. I have never used it; is the following config going to do the job?
I would like to block UDP/500 from all IPs except the trusted VPN peers.


!
object-group network objTrustedVPNPeers
network-object host 1.1.1.1
network-object host 2.2.2.2
network-object host 3.3.3.3
!
access-list acl_ControlPlane extended permit udp object-group objTrustedVPNPeers any eq 500
access-list acl_ControlPlane extended deny udp any any eq 500
!
access-group acl_ControlPlane in interface outside control-plane
!

Accepted Solution

S Kumar
Level 1

If anyone else is looking for the same solution, the following has worked for me.

!
object-group network objTrustedVPNPeers
network-object host 1.1.1.1
network-object host 2.2.2.2
network-object host 3.3.3.3
!
access-list acl_ControlPlane extended permit udp object-group objTrustedVPNPeers any eq 500
access-list acl_ControlPlane extended deny udp any any eq 500
!
access-group acl_ControlPlane in interface outside control-plane
!

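As an added example (the editor's, not part of the accepted answer or any reply), here is a fuller version of the same control-plane ACL that explicitly permits everything a site-to-site tunnel sends to the ASA itself from the trusted peers: IKE on udp/500, NAT-T on udp/4500 and ESP. The thread does not settle whether the control-plane ACL ends in an implicit deny, and listing the permits makes the config correct either way. The peer addresses and object-group name are the thread's own placeholders; the service object-group name `svcIKE` is an assumption.

```cisco
! Added example, not the original poster's config. Replace 1.1.1.1 etc.
! with the real public addresses of the L2L peers.
object-group network objTrustedVPNPeers
 network-object host 1.1.1.1
 network-object host 2.2.2.2
 network-object host 3.3.3.3
!
! Assumed name: a service group for the two IKE ports so one ACE covers both
object-group service svcIKE udp
 port-object eq 500
 port-object eq 4500
!
! Permits first: IKE/NAT-T and ESP to the box, only from trusted peers.
access-list acl_ControlPlane extended permit udp object-group objTrustedVPNPeers any object-group svcIKE
access-list acl_ControlPlane extended permit esp object-group objTrustedVPNPeers any
! Then drop IKE/NAT-T from everyone else; "log" makes PSK brute-force attempts visible in syslog.
access-list acl_ControlPlane extended deny udp any any object-group svcIKE log
!
! "control-plane" binds the ACL to traffic addressed TO the ASA, not through it.
access-group acl_ControlPlane in interface outside control-plane
```

To confirm the ACL is bound and counting hits, use `show access-list acl_ControlPlane` and `show running-config access-group`; `show crypto ikev1 sa` and `show crypto ipsec sa` show that the trusted peers still negotiate. Any peer that NATs its source address or uses a dynamic address will not match the object-group and its tunnel will drop, so check the real peer addresses in `show crypto ikev1 sa` before applying the deny.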

6 Replies

@S Kumar yes, you'd need to use a control-plane ACL to restrict this VPN traffic; however, the VPN uses more than just udp/500. You'd need to permit ESP and, if NAT is in the path, udp/4500.

Hi Rob,

Appreciate your response.

I already understand that I have to use a control-plane ACL. Unlike regular access rules, there is no implicit deny for a control-plane ACL, so I don't need a permit entry for ESP because I am not denying it to begin with. The purpose of blocking 500 is to block the non-trusted IPs who may try to brute force the pre-shared key. If I am successfully blocking ISAKMP then I don't need to worry about ESP or AH.
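
The post above wants ISAKMP unreachable from untrusted addresses, which is also what the PCI scanner tests. The following is an added check (the editor's, not code from the thread or from Cisco): an ike-scan style probe that sends one well-formed IKEv1 Main Mode proposal to udp/500 and reports whether anything answers. Run it from a host that is not in objTrustedVPNPeers before and after applying the control-plane ACL; the packet layout follows RFC 2408 and the attribute IDs RFC 2409, and the two phase-1 proposals chosen are an assumption about what the ASA will accept.

```python
"""IKEv1 Main Mode reachability probe for udp/500 (added example, not from the thread).

Usage: python3 ike_probe.py <asa-outside-ip>
A reply of any kind proves udp/500 is reachable from this source address; a
timeout after the control-plane ACL is applied (when the same probe answered
before it) shows the ACL is doing its job.
"""
import os
import socket
import struct

# ISAKMP header (RFC 2408 s3.1): i-cookie, r-cookie, next payload, version,
# exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct(">8s8sBBBBII")
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_TRANSFORM = 0, 1, 3
EXCH_MAIN_MODE, EXCH_INFORMATIONAL = 2, 5

# Phase-1 attribute types (RFC 2409 Appendix A); 0x8000 marks a 2-byte "basic" value.
ENC, HASH, AUTH, GROUP, LIFE_TYPE, LIFE_DUR, KEY_LEN = 1, 2, 3, 4, 11, 12, 14
ENC_3DES, ENC_AES = 5, 7
HASH_SHA1 = 2
AUTH_PSK = 1
DH_GROUP2 = 2

# Two common ASA phase-1 policies (assumed); more proposals raise the odds of a match.
PROPOSALS = [
    [(ENC, ENC_3DES), (HASH, HASH_SHA1), (AUTH, AUTH_PSK), (GROUP, DH_GROUP2),
     (LIFE_TYPE, 1), (LIFE_DUR, 28800)],
    [(ENC, ENC_AES), (KEY_LEN, 128), (HASH, HASH_SHA1), (AUTH, AUTH_PSK),
     (GROUP, DH_GROUP2), (LIFE_TYPE, 1), (LIFE_DUR, 28800)],
]


def _attr(atype, value):
    return struct.pack(">HH", 0x8000 | atype, value)


def _transform(num, attrs, last):
    body = b"".join(_attr(t, v) for t, v in attrs)
    nxt = PAYLOAD_NONE if last else PAYLOAD_TRANSFORM
    # next, reserved, length, transform #, transform ID 1 = KEY_IKE, reserved2
    return struct.pack(">BBHBBH", nxt, 0, 8 + len(body), num, 1, 0) + body


def build_ikev1_probe(init_cookie=None):
    """Return one Main Mode first message: header + SA payload + proposal + transforms."""
    init_cookie = init_cookie or os.urandom(8)
    transforms = b"".join(
        _transform(i + 1, attrs, i == len(PROPOSALS) - 1) for i, attrs in enumerate(PROPOSALS))
    # proposal: next=0, reserved, length, proposal #1, protocol 1 = ISAKMP, SPI size 0, #transforms
    proposal = struct.pack(">BBHBBBB", 0, 0, 8 + len(transforms), 1, 1, 0, len(PROPOSALS)) + transforms
    # SA payload: next=0, reserved, length, DOI 1 = IPsec, situation 1 = SIT_IDENTITY_ONLY
    sa = struct.pack(">BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    hdr = ISAKMP_HDR.pack(init_cookie, b"\x00" * 8, PAYLOAD_SA, 0x10, EXCH_MAIN_MODE,
                          0, 0, ISAKMP_HDR.size + len(sa))
    return hdr + sa


def parse_isakmp_header(data):
    """Parse the fixed 28-byte ISAKMP header; None if the datagram is too short."""
    if len(data) < ISAKMP_HDR.size:
        return None
    i, r, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    return {"init_cookie": i, "resp_cookie": r, "next_payload": nxt, "version": ver,
            "exchange": xchg, "flags": flags, "message_id": msgid, "length": length}


def classify_reply(sent, reply):
    """'sa_reply': Main Mode answer (a proposal matched); 'notify': informational,
    e.g. NO-PROPOSAL-CHOSEN. Both prove udp/500 is open to this source."""
    h = parse_isakmp_header(reply)
    if h is None or h["init_cookie"] != sent[:8]:
        return "unrelated"
    if h["exchange"] == EXCH_MAIN_MODE:
        return "sa_reply"
    if h["exchange"] == EXCH_INFORMATIONAL:
        return "notify"
    return "unrelated"


def probe(host, port=500, timeout=3.0):
    """Send the probe; 'filtered' on timeout, otherwise the classify_reply() verdict."""
    pkt = build_ikev1_probe()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "filtered"
    return classify_reply(pkt, data)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A timeout alone does not prove the ACL is working (an ASA with no matching IKEv1 policy may simply stay silent), so compare the result from the same untrusted host before and after the `access-group ... control-plane` line, and from a trusted peer afterwards, where it must still answer.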


That is not what @Rob Ingram means.
When IPsec is established it uses UDP/500;
this is used for control and IPsec establishment.
BUT
the real data traffic can use UDP 4500. Why is this?
Because IPsec uses this UDP port to override any NAT in the path.

And as @Rob Ingram suggests, you need to allow this port.

This is like the IPsec bypass on the ASA, but, as @Rob Ingram says, with control-plane we can use the same ACL but with the keyword control-plane at the end.

https://www.petenetlive.com/KB/Article/0001428

My answer is corrected by @Rob Ingram,
thanks.

@MHM Cisco World, that's incorrect: a "control-plane" ACL restricts traffic "to" the ASA itself, whereas a normal ACL is for traffic "through" the ASA.
