Joe, 
That command requires outside ACLs for VPN traffic.  By default, interesting VPN traffic passes unfiltered. 
Sent from handheld 
On Mar 8, 2012, at 6:40 PM, "Joe Astorino" <joeastorino1982_at_gmail.com> wrote:
> I think "no sysopt connection permit-vpn" might prevent the IKE from
> terminating on the outside without an ACL, but not sure. Even if it does, it
> becomes a nightmare to manage VPN that way.
> 
> On 3/8/12, Ryan West <rwest_at_zyedge.com> wrote:
>> Jay,
>> 
>> It doesn't control who can attempt a tunnel, but as you mentioned the
>> sources are static that are allowed to connect.  If the peer with that
>> address/PSK/Certificate/proposals/interesting traffic does not match, there
>> will be no connection.  That does meet the OP's original request in the
>> first sentence.  The AM requirement is where I was confused, if the peers
>> are static or known from certain addresses, why would you need to leave open
>> a dynamic or less secure method of connecting, unless the added speed of AM
>> is really that much of a concern.  Certificates are also an option.
>> 
>> -ryan
>> ________________________________________
>> From: Jay McMickle [jay.mcmickle_at_yahoo.com]
>> Sent: Thursday, March 08, 2012 5:54 PM
>> To: Ryan West
>> Cc: JB Poplawski; Christopher Copley; Cisco certification
>> Subject: Re: ASA and IPSEC VPN filtering
>> 
>> Ryan- can you explain how MM protects who can attempt a tunnel to your ASA?
>> Of course the peers are static, but how does MM mitigate the attempt? School
>> me, please!
>> 
>> Regards,
>> Jay McMickle- CCNP,CCSP,CCDP
>> Sent from iJay
>> 
>> On Mar 8, 2012, at 4:47 PM, Ryan West <rwest_at_zyedge.com> wrote:
>> 
>>> Or force your peers to main mode.  Are those extra 4 exchanges really too
>>> much?
>>> 
>>> Sent from handheld
>>> 
>>> On Mar 8, 2012, at 5:43 PM, "JB Poplawski" <jb.poplawski_at_gmail.com> wrote:
>>> 
>>>> But how do you protect the ASA that's protecting your ASA?  :>)
>>>> 
>>>> On Thu, Mar 8, 2012 at 4:33 PM, Jay McMickle <jay.mcmickle_at_yahoo.com>
>>>> wrote:
>>>> 
>>>>> We put another device in front of our ASAs for this type of control.
>>>>> The ACLs you apply to the ASAs don't actually inspect for IPSEC tunnels, I
>>>>> don't believe.  It's the outside interface you are trying to protect,
>>>>> and not traffic through the device, which makes sense why the ACLs aren't
>>>>> working. Kind of like SSH and ASDM access on the outside interface.
>>>>> 
>>>>> Hope that helps.
>>>>> 
>>>>> Regards,
>>>>> Jay McMickle- CCNP,CCSP,CCDP
>>>>> Sent from iJay
>>>>> 
>>>>> On Mar 8, 2012, at 9:49 AM, Christopher Copley <copley.chris_at_gmail.com>
>>>>> wrote:
>>>>> 
>>>>>> I have an ASA and I only want specific IPs to be able to access my ASA
>>>>>> to form an IPSEC peer.  I created a rule for the outside interface to only
>>>>>> allow specific peers to be accepted via ISAKMP and ESP, but the rule
>>>>>> never gets any hits.  Is the ASA like the routers, where the ACLs do not
>>>>>> apply to the ASA interfaces themselves?   Is it possible to filter which
>>>>>> IPs I want the ASA to respond to via ESP and ISAKMP via an ACL? Long
>>>>>> story short, I am being asked to do this because of aggressive mode for my VPNs.
>>>>>> 
>>>>>> Thoughts?
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Christopher D. Copley
>>>>>> copley.chris_at_gmail.com
>>>>>> 
>>>>>> 
>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>> 
>>>>>> _______________________________________________________________________
>>>>>> Subscription information may be found at:
>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>> 
>> 
>> 
> 
> -- 
> Sent from my mobile device
> 
> Regards,
> 
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
> 
> "He not busy being born is busy dying" - Dylan
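Added configuration example, not part of this thread or any poster's configuration. It illustrates the point the thread turns on: an ordinary interface ACL on the ASA filters through-the-box traffic, while IKE (UDP/500), NAT-T (UDP/4500) and ESP that terminate on the outside interface are to-the-box traffic, which is why the original rule never got a hit. The example assumes an ASA release that accepts the control-plane keyword on access-group (older releases do not have it; there the options already named in the thread, static peers in main mode, certificates, or a filtering device in front of the ASA, are what remain). The addresses 198.51.100.1 (ASA outside) and 203.0.113.10/203.0.113.20 (allowed peers) and the ACL name OUTSIDE-CP are placeholders. Lines beginning with ! are comments.

```text
! Placeholders: 198.51.100.1 is the ASA outside address,
! 203.0.113.10 and 203.0.113.20 are the only peers allowed to start IKE.
! Permit IKE, NAT-T and ESP from the known peers to the ASA itself.
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list OUTSIDE-CP extended permit esp host 203.0.113.10 host 198.51.100.1
access-list OUTSIDE-CP extended permit udp host 203.0.113.20 host 198.51.100.1 eq isakmp
access-list OUTSIDE-CP extended permit udp host 203.0.113.20 host 198.51.100.1 eq 4500
access-list OUTSIDE-CP extended permit esp host 203.0.113.20 host 198.51.100.1
! Drop IKE/ESP from everyone else. The ACL ends in an implicit deny, so the
! closing permit is needed unless SSH, ASDM, ICMP and other to-the-box
! traffic on this interface should be blocked as well.
access-list OUTSIDE-CP extended deny udp any host 198.51.100.1 eq isakmp
access-list OUTSIDE-CP extended deny udp any host 198.51.100.1 eq 4500
access-list OUTSIDE-CP extended deny esp any host 198.51.100.1
access-list OUTSIDE-CP extended permit ip any any
! The control-plane keyword is what makes this apply to traffic addressed
! to the ASA; the same access-group without it sees only through traffic.
access-group OUTSIDE-CP in interface outside control-plane
!
! Check: the known peers should increment the permit lines and any
! unsolicited IKE from other sources should increment the deny lines.
show access-list OUTSIDE-CP
```

As the top of the thread already notes, "no sysopt connection permit-vpn" is a different control: it subjects the decrypted traffic of an established tunnel to the outside interface ACL. It does not decide who may negotiate IKE with the ASA, so it is not a substitute for the to-the-box filter above.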
Received on Fri Mar 09 2012 - 01:29:39 ART
This archive was generated by hypermail 2.2.0 : Sun Apr 01 2012 - 07:56:52 ART