Re: ASA and IPSEC VPN filtering

From: Jay McMickle <jay.mcmickle_at_yahoo.com>
Date: Thu, 8 Mar 2012 17:55:27 -0600

Okay, thanks. We're on the same page.

Regards,
Jay McMickle- CCNP,CCSP,CCDP
Sent from iJay

On Mar 8, 2012, at 5:26 PM, Ryan West <rwest_at_zyedge.com> wrote:

> Jay,
>
> It doesn't control who can attempt a tunnel, but as you mentioned the sources are static that are allowed to connect. If the peer with that address/PSK/Certificate/proposals/interesting traffic does not match, there will be no connection. That does meet the OP's original request in the first sentence. The AM requirement is where I was confused: if the peers are static or known from certain addresses, why would you need to leave open a dynamic or less secure method of connecting, unless the added speed of AM is really that much of a concern? Certificates are also an option.
>
> -ryan
> ________________________________________
> From: Jay McMickle [jay.mcmickle_at_yahoo.com]
> Sent: Thursday, March 08, 2012 5:54 PM
> To: Ryan West
> Cc: JB Poplawski; Christopher Copley; Cisco certification
> Subject: Re: ASA and IPSEC VPN filtering
>
> Ryan- can you explain how MM protects who can attempt a tunnel to your ASA? Of course the peers are static, but how does MM mitigate the attempt? School me, please!
>
> Regards,
> Jay McMickle- CCNP,CCSP,CCDP
> Sent from iJay
>
> On Mar 8, 2012, at 4:47 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
>> Or force your peers to main mode. Are those extra 4 exchanges really too much?
>>
>> Sent from handheld
>>
>> On Mar 8, 2012, at 5:43 PM, "JB Poplawski" <jb.poplawski_at_gmail.com> wrote:
>>
>>> But how do you protect the ASA that's protecting your ASA? :>)
>>>
>>> On Thu, Mar 8, 2012 at 4:33 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>>>
>>>> We put another device in front of our ASAs for this type of control. The
>>>> ACLs you apply to the ASAs don't actually inspect for IPSEC tunnels, I
>>>> don't believe. It's the outside interface you are trying to protect, and
>>>> not traffic through the device, which makes sense why the ACLs aren't
>>>> working. Kind of like SSH and ASDM access on the outside interface.
>>>>
>>>> Hope that helps.
>>>>
>>>> Regards,
>>>> Jay McMickle- CCNP,CCSP,CCDP
>>>> Sent from iJay
>>>>
>>>> On Mar 8, 2012, at 9:49 AM, Christopher Copley <copley.chris_at_gmail.com>
>>>> wrote:
>>>>
>>>>> I have an ASA and I only want specific IPs to be able to access my ASA to
>>>>> form an IPSEC peer. I created a rule for the outside interface to only
>>>>> allow specific peers to be accepted via isakmp, and ESP, but the rule
>>>>> never gets any hits. Is the ASA like the routers and the ACLs do not
>>>>> apply to the ASA interfaces itself? Is it possible to filter out what
>>>>> IPs I want the ASA to respond to via ESP and isakmp via an ACL? Long story
>>>>> short I am being asked to do this b/c of aggressive mode for my VPNs.
>>>>>
>>>>> Thoughts?
>>>>>
>>>>>
>>>>> --
>>>>> Christopher D. Copley
>>>>> copley.chris_at_gmail.com
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>

Received on Thu Mar 08 2012 - 17:55:27 ART
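The thread's practical conclusion is that an interface ACL on the ASA never shows hits for to-the-box IKE traffic, so the OP cannot see from the ASA which addresses are attempting tunnels or whether they use aggressive mode; Jay's answer is a device in front of the ASA. The script below is an added example, not code from any list member, of what such a device (or a packet capture taken in front of the ASA) lets a defender do: decode the fixed 28-byte ISAKMP header of UDP/500 datagrams, keep only phase-1 first messages (zero responder SPI), and report initiations from addresses outside the static peer list or in aggressive mode (exchange type 4) rather than main mode (exchange type 2). The header layout and exchange-type numbers come from RFC 2408; the peer addresses and sample datagrams are constructed for illustration, and `permit_aggressive` is a hypothetical policy switch for sites that, like the OP's, still have AM peers.

```python
import struct
import ipaddress

# ISAKMP header (RFC 2408, section 3.1), 28 bytes, network byte order:
# initiator SPI (8), responder SPI (8), next payload, version, exchange type,
# flags (1 each), message ID (4), total length (4).
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

MAIN_MODE = 2        # "Identity Protection" exchange
AGGRESSIVE_MODE = 4
EXCHANGE_NAMES = {1: "Base", 2: "Main Mode", 3: "Authentication Only",
                  4: "Aggressive Mode", 5: "Informational"}


def parse_isakmp_header(payload):
    """Decode the fixed ISAKMP header; raise ValueError on malformed input."""
    if len(payload) < ISAKMP_HEADER.size:
        raise ValueError("payload shorter than the 28-byte ISAKMP header")
    i_spi, r_spi, _next, version, exch, flags, msg_id, length = \
        ISAKMP_HEADER.unpack_from(payload)
    if length != len(payload):
        raise ValueError("length field %d does not match datagram size %d"
                         % (length, len(payload)))
    return {
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": exch,
        "exchange_name": EXCHANGE_NAMES.get(exch, "Unknown(%d)" % exch),
        "flags": flags,
        "message_id": msg_id,
        # A zero responder SPI marks the initiator's first message of phase 1.
        "is_first_contact": r_spi == b"\x00" * 8,
    }


def triage_ike_initiations(packets, allowed_peers, permit_aggressive=False):
    """Classify UDP/500 datagrams seen in front of the VPN endpoint.

    packets: iterable of (source_ip_string, payload_bytes)
    allowed_peers: the static peer addresses the endpoint is meant to talk to
    Returns a list of (source_ip, verdict, detail) tuples, one per datagram
    that is a phase-1 initiation, is malformed, or is not IKEv1.
    """
    allowed = {ipaddress.ip_address(p) for p in allowed_peers}
    findings = []
    for src, payload in packets:
        try:
            hdr = parse_isakmp_header(payload)
        except ValueError as exc:
            findings.append((src, "malformed", str(exc)))
            continue
        if hdr["major_version"] != 1:
            findings.append((src, "not_ikev1",
                             "IKE major version %d" % hdr["major_version"]))
            continue
        if not hdr["is_first_contact"]:
            continue  # mid-exchange message; only initiations matter here
        if ipaddress.ip_address(src) not in allowed:
            findings.append((src, "unknown_peer", hdr["exchange_name"]))
        elif hdr["exchange_type"] == AGGRESSIVE_MODE and not permit_aggressive:
            findings.append((src, "aggressive_mode_from_known_peer",
                             hdr["exchange_name"]))
        else:
            findings.append((src, "expected", hdr["exchange_name"]))
    return findings


def build_phase1_initiation(exchange_type, version=0x10, body_len=100):
    """Constructed helper: a first message (zero responder SPI, next payload
    SA) followed by a dummy body, so the length field is consistent."""
    length = ISAKMP_HEADER.size + body_len
    header = ISAKMP_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 1, version,
                                exchange_type, 0, 0, length)
    return header + b"\x00" * body_len


# Constructed sample traffic (RFC 5737 documentation addresses):
# two static peers, one stranger, one IKEv2 initiator, one truncated datagram.
KNOWN_PEERS = ["192.0.2.10", "192.0.2.20"]
SAMPLE_PACKETS = [
    ("192.0.2.10", build_phase1_initiation(MAIN_MODE)),
    ("192.0.2.20", build_phase1_initiation(AGGRESSIVE_MODE)),
    ("203.0.113.55", build_phase1_initiation(AGGRESSIVE_MODE)),
    ("198.51.100.7", build_phase1_initiation(34, version=0x20)),  # IKEv2 IKE_SA_INIT
    ("203.0.113.99", b"\x00" * 12),
]

if __name__ == "__main__":
    for src, verdict, detail in triage_ike_initiations(SAMPLE_PACKETS, KNOWN_PEERS):
        print("%-15s %-32s %s" % (src, verdict, detail))
```

Run stand-alone it prints one line per sample datagram; the known peer that initiates in aggressive mode is reported separately from the unknown source, which is the distinction Ryan draws between "who can attempt a tunnel" and "which mode the attempt uses". Feeding it real UDP/500 payloads from a capture in front of the ASA is a matter of replacing `SAMPLE_PACKETS`.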

This archive was generated by hypermail 2.2.0 : Sun Apr 01 2012 - 07:56:52 ART