RE: ASA and IPSEC VPN filtering

Jay,

It doesn't control who can attempt a tunnel, but as you mentioned the sources are static that are allowed to connect. If the peer with that address/PSK/Certificate/prosposals/interesting traffic does not match, there will be no connection. That does meet the OP's original request in the first sentence. The AM requirement is where I was confused, if the peers are static or known from certain addresses, why would you need to leave open a dynamic or less secure method of connecting, unless the added speed of AM is really that much of a concern. Certificates are also an option.

-ryan
________________________________________
From: Jay McMickle [jay.mcmickle_at_yahoo.com]
Sent: Thursday, March 08, 2012 5:54 PM
To: Ryan West
Cc: JB Poplawski; Christopher Copley; Cisco certification
Subject: Re: ASA and IPSEC VPN filtering

Ryan- can you explain how MM protects who can attempt a tunnel to your ASA? Of course the peers are static, but how does MM mitigate the attempt? School me, please!

Regards,
Jay McMickle- CCNP,CCSP,CCDP
Sent from iJay

On Mar 8, 2012, at 4:47 PM, Ryan West <rwest_at_zyedge.com> wrote:

> Or force your peers to main mode. Are those extra 4 exchanges really too much?
>
> Sent from handheld
>
> On Mar 8, 2012, at 5:43 PM, "JB Poplawski" <jb.poplawski_at_gmail.com> wrote:
>
>> But how do you protect the ASA that's protecting your ASA? :>)
>>
>> On Thu, Mar 8, 2012 at 4:33 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>>
>>> We put another device in front of our ASA's for this type of control. The
>>> ACL's you apply to the ASA's don't actually inspect for IPSEC tunnels, I
>>> don't believe. It's the outside interface you are trying to protect, and
>>> not traffic through the device, which makes sense why the ACL's aren't
>>> working. Kind of like SSH and ASDM access on the outside interface.
>>>
>>> Hope that helps.
>>>
>>> Regards,
>>> Jay McMickle- CCNP,CCSP,CCDP
>>> Sent from iJay
>>>
>>> On Mar 8, 2012, at 9:49 AM, Christopher Copley <copley.chris_at_gmail.com>
>>> wrote:
>>>
>>>> I have an ASA and I only want specific IP's to be able to access my ASA
>>> to
>>>> form an IPSEC peer. I created a rule for the outside interface to only
>>>> allow specific peers to be accepted via isakmp, and ESP, but the rule
>>>> never gets any hits. Is the ASA like the routers and the ACL's do not
>>>> apply to the ASA interfaces itself? Is it possible to filter out what
>>>> IP's I want the ASA to respond to via ESP and isakmp via an ACL? Long
>>> story
>>>> short I am being asked to do this b/c of aggressive mode for my VPN's.
>>>>
>>>> Thoughts?
>>>>
>>>>
>>>> --
>>>> Christopher D. Copley
>>>> copley.chris_at_gmail.com
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Thu Mar 08 2012 - 23:26:21 ART