7010 Views | 5 Helpful | 4 Replies

Restrict certain IP addresses for establishing IPSec

ivanbarkic
Level 1

Is it possible on Cisco ASA 55xx to restrict (to filter) certain public IP addresses which would be THE ONLY addresses able to establish Remote Access IPSec VPN using Cisco VPN client? Let's assume that Cisco VPN client establishes VPN connection from fix public IP address (always the same).

So, I am not talking about ACL actions on VPN traffic. I'm asking about establishing IPSec tunnel and preventing some public IPs of even trying that.

Thanks.

1 Accepted Solution

Accepted Solutions

malshbou
Level 1

Hi Ivan,

You may use control-plane access-list to filter the VPN connections to the ASA by blocking UDP 500.

For example (the two host addresses were lost in extraction and are shown here as angle-bracket placeholders):

ciscoasa(config)# access-list FILTER-VPN deny udp host <blocked-source-ip> host <asa-outside-ip> eq 500
ciscoasa(config)# access-list FILTER-VPN permit ip any any
ciscoasa(config)# access-group FILTER-VPN in interface outside control-plane

Regards.

Mashal Shboul

Edit: Didn't see Marcin's reply

Message was edited by: Mashal Alshboul

4 Replies

Marcin Latosiewicz
Cisco Employee

bsns-asa5505-19(config)# access-group IN in interface outside ?

configure mode commands/options:

  control-plane      Specify if rule is for to-the-box traffic

For example from:

http://blog.ipexpert.com/2011/01/05/asa-control-plane-access-list/

I'm not saying it's a smart thing to do, but it's a possibility...


Hi,

thanks for the answer. That will do just fine.

If I put "ssh 0 0 outside", the mgmt traffic will still be able to hit the outside interface even if it is not permitted in the FILTER-VPN control-plane ACL, right? I read that it takes precedence over the control-plane ACL.

Regards

Hi Ivan,

Yes, the "ssh 0 0 outside" overrides the control-plane ACL and allows the SSH connections to the ASA.

Actually this statement creates the following implicit ACL to permit the SSH traffic:

Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x732d57e8, priority=121, domain=permit, deny=false
        hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=22, dscp=0x0
        input_ifc=outside, output_ifc=identity

Hope this helps

Mashal Shboul
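The accepted answer shows the control-plane ACL denying one source on UDP 500, while the original question asked for the opposite: a short list of fixed public addresses that are the only ones allowed to start IKE. The following ASA configuration is an added example written for this page, not Mashal's or Marcin's config; `<client-public-ip>` and `<asa-outside-ip>` are placeholders, and the access-list name `CP-VPN` is chosen here. It goes beyond the thread in two ways: it filters UDP 4500 as well as UDP 500, because the Cisco VPN client switches to NAT-T on 4500 whenever a NAT device sits between client and ASA, and it logs the denied attempts so rejected IKE sources show up in syslog. As the later reply explains, management access granted with `ssh ... outside` is matched before the control-plane ACL, so this ACL does not affect it.

```cisco
! Added example, not from the thread. Replace the placeholders before use:
!   <client-public-ip>  fixed public address of the approved VPN client
!   <asa-outside-ip>    address of the ASA outside interface
!
! Permit IKE (UDP 500) and NAT-T (UDP 4500) only from the approved client.
access-list CP-VPN extended permit udp host <client-public-ip> host <asa-outside-ip> eq 500
access-list CP-VPN extended permit udp host <client-public-ip> host <asa-outside-ip> eq 4500
! Add one permit pair per additional approved client address here.
!
! Drop IKE and NAT-T from every other source and log the attempt.
access-list CP-VPN extended deny udp any host <asa-outside-ip> eq 500 log
access-list CP-VPN extended deny udp any host <asa-outside-ip> eq 4500 log
!
! Leave all other to-the-box traffic as it was; without this line the ACL's
! implicit deny would drop everything else addressed to the ASA.
access-list CP-VPN extended permit ip any any
!
! Apply as a control-plane ACL on the outside interface (to-the-box traffic only).
access-group CP-VPN in interface outside control-plane
!
! Verify: hit counts on the deny lines show rejected IKE sources.
show access-list CP-VPN
```

Because the list is evaluated top down and stops at the first match, the order matters: the per-client permits must precede the two deny lines, and the catch-all `permit ip any any` must stay last. Only IKE is filtered; ESP from an unapproved source is harmless on its own because no security association can exist without a completed IKE exchange.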