Re: ASA and IPSEC VPN filtering

From: Joe Astorino <joeastorino1982_at_gmail.com>
Date: Thu, 8 Mar 2012 20:46:25 -0500

So it does -- my mistake

On 3/8/12, Ryan West <rwest_at_zyedge.com> wrote:
> Joe,
>
> That command requires outside ACLs for VPN traffic. By default, interesting
> VPN traffic passes unfiltered.
>
> Sent from handheld
>
> On Mar 8, 2012, at 6:40 PM, "Joe Astorino" <joeastorino1982_at_gmail.com>
> wrote:
>
>> I think "no sysopt connection permit-vpn" might prevent the IKE from
>> terminating on the outside without an ACL, but not sure. Even if so, it
>> becomes a nightmare to manage VPN that way.
>>
>> On 3/8/12, Ryan West <rwest_at_zyedge.com> wrote:
>>> Jay,
>>>
>>> It doesn't control who can attempt a tunnel, but as you mentioned the
>>> sources are static that are allowed to connect. If the peer with that
>>> address/PSK/certificate/proposals/interesting traffic does not match, there
>>> will be no connection. That does meet the OP's original request in the
>>> first sentence. The AM requirement is where I was confused: if the peers
>>> are static or known from certain addresses, why would you need to leave open
>>> a dynamic or less secure method of connecting, unless the added speed of AM
>>> is really that much of a concern? Certificates are also an option.
>>>
>>> -ryan
>>> ________________________________________
>>> From: Jay McMickle [jay.mcmickle_at_yahoo.com]
>>> Sent: Thursday, March 08, 2012 5:54 PM
>>> To: Ryan West
>>> Cc: JB Poplawski; Christopher Copley; Cisco certification
>>> Subject: Re: ASA and IPSEC VPN filtering
>>>
>>> Ryan- can you explain how MM protects who can attempt a tunnel to your ASA?
>>> Of course the peers are static, but how does MM mitigate the attempt?
>>> School me, please!
>>>
>>> Regards,
>>> Jay McMickle- CCNP,CCSP,CCDP
>>> Sent from iJay
>>>
>>> On Mar 8, 2012, at 4:47 PM, Ryan West <rwest_at_zyedge.com> wrote:
>>>
>>>> Or force your peers to main mode. Are those extra 4 exchanges really too
>>>> much?
>>>>
>>>> Sent from handheld
>>>>
>>>> On Mar 8, 2012, at 5:43 PM, "JB Poplawski" <jb.poplawski_at_gmail.com>
>>>> wrote:
>>>>
>>>>> But how do you protect the ASA that's protecting your ASA? :>)
>>>>>
>>>>> On Thu, Mar 8, 2012 at 4:33 PM, Jay McMickle <jay.mcmickle_at_yahoo.com>
>>>>> wrote:
>>>>>
>>>>>> We put another device in front of our ASAs for this type of control. The
>>>>>> ACLs you apply to the ASAs don't actually inspect for IPSEC tunnels, I
>>>>>> don't believe. It's the outside interface you are trying to protect, and
>>>>>> not traffic through the device, which makes sense why the ACLs aren't
>>>>>> working. Kind of like SSH and ASDM access on the outside interface.
>>>>>>
>>>>>> Hope that helps.
>>>>>>
>>>>>> Regards,
>>>>>> Jay McMickle- CCNP,CCSP,CCDP
>>>>>> Sent from iJay
>>>>>>
>>>>>> On Mar 8, 2012, at 9:49 AM, Christopher Copley
>>>>>> <copley.chris_at_gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> I have an ASA and I only want specific IPs to be able to access my ASA
>>>>>>> to form an IPSEC peer. I created a rule for the outside interface to
>>>>>>> only allow specific peers to be accepted via isakmp and ESP, but the
>>>>>>> rule never gets any hits. Is the ASA like the routers, and the ACLs do
>>>>>>> not apply to the ASA interfaces itself? Is it possible to filter out
>>>>>>> what IPs I want the ASA to respond to via ESP and isakmp via an ACL?
>>>>>>> Long story short, I am being asked to do this b/c of aggressive mode
>>>>>>> for my VPNs.
>>>>>>>
>>>>>>> Thoughts?
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Christopher D. Copley
>>>>>>> copley.chris_at_gmail.com
>>>>>>>
>>>>>>>
>>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>>
>>>>>>> _______________________________________________________________________
>>>>>>> Subscription information may be found at:
>>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>
>>>
>>
>

-- 
Sent from my mobile device
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
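An added configuration example, not posted by anyone in this thread, that puts the thread's points together on an ASA. The outside interface ACL only filters traffic going through the box, so by itself it never sees ISAKMP/ESP addressed to the ASA; restricting who can complete a tunnel comes from disabling aggressive mode (main mode binds the PSK to the peer address) and from static peer/tunnel-group definitions, and `no sysopt connection permit-vpn` makes the decrypted traffic subject to the outside ACL. The interface name, the peer address 203.0.113.10, the outside address 198.51.100.1, the subnets and all ACL/map names are assumed for illustration. The `crypto isakmp am-disable` form is the pre-8.4 syntax (8.4 and later use `crypto ikev1 am-disable`), and the `control-plane` keyword on `access-group` for to-the-box filtering is assumed to be available on the running release; check the command reference for your version before relying on either.

```cisco
! --- Default (weak) state: nothing has to be configured for this ---
! sysopt connection permit-vpn    <- default: decrypted VPN traffic bypasses interface ACLs
! aggressive mode accepted        <- default: any source can start an AM exchange with a group name

! --- Hardened ---
! 1. Main mode only. AM initiators get no IKE response (release < 8.4 syntax, assumed).
crypto isakmp am-disable
crypto isakmp identity address

! 2. Static L2L peer; the PSK is tied to the peer address through the tunnel-group name.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

crypto ipsec transform-set TS-AES esp-aes-256 esp-sha-hmac
access-list VPN-INTERESTING extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0

crypto map OUTSIDE-MAP 10 match address VPN-INTERESTING
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set TS-AES
crypto map OUTSIDE-MAP interface outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key EXAMPLE-PSK-CHANGE-ME

! 3. Decrypted VPN traffic must now pass the outside ACL (what the thread describes).
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! 4. (Assumed, release-dependent) to-the-box filtering: only the known peer may reach
!    UDP/500, UDP/4500 and ESP on the outside address. This is the ACL that will
!    actually show hits for ISAKMP/ESP, unlike the through-the-box ACL in step 3.
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list OUTSIDE-CP extended permit esp host 203.0.113.10 host 198.51.100.1
access-list OUTSIDE-CP extended deny ip any any log
access-group OUTSIDE-CP in interface outside control-plane
```

Two cautions on step 4: a control-plane ACL covers every packet addressed to that interface, so SSH/ASDM management from the outside must be permitted explicitly above the final deny, and it should be applied from a console or inside-interface session. Verify with `show access-list OUTSIDE-CP` (hit counts on the peer lines) and `show crypto isakmp sa` (only the static peer in MM_ACTIVE); with step 3 in place, a peer whose decrypted traffic falls outside OUTSIDE-IN will build a tunnel but see its packets dropped and logged.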
Received on Thu Mar 08 2012 - 20:46:25 ART
