Or force your peers to main mode.  Are those extra 4 exchanges really too much?
Sent from handheld 
On Mar 8, 2012, at 5:43 PM, "JB Poplawski" <jb.poplawski_at_gmail.com> wrote:
> But how do you protect the ASA that's protecting your ASA?  :>)
> 
> On Thu, Mar 8, 2012 at 4:33 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
> 
>> We put another device in front of our ASAs for this type of control. The
>> ACLs you apply to the ASAs don't actually inspect for IPSEC tunnels, I
>> don't believe.  It's the outside interface you are trying to protect, and
>> not traffic through the device, which makes sense why the ACLs aren't
>> working. Kind of like SSH and ASDM access on the outside interface.
>> 
>> Hope that helps.
>> 
>> Regards,
>> Jay McMickle- CCNP,CCSP,CCDP
>> Sent from iJay
>> 
>> On Mar 8, 2012, at 9:49 AM, Christopher Copley <copley.chris_at_gmail.com>
>> wrote:
>> 
>>> I have an ASA and I only want specific IPs to be able to access my ASA to
>>> form an IPSEC peer.  I created a rule for the outside interface to only
>>> allow specific peers to be accepted via isakmp, and ESP, but the rule
>>> never gets any hits.  Is the ASA like the routers and the ACLs do not
>>> apply to the ASA interfaces itself?  Is it possible to filter out what
>>> IPs I want the ASA to respond to via ESP and isakmp via an ACL? Long story
>>> short I am being asked to do this b/c of aggressive mode for my VPNs.
>>> 
>>> Thoughts?
>>> 
>>> 
>>> --
>>> Christopher D. Copley
>>> copley.chris_at_gmail.com
>>> 
>>> 
>>> Blogs and organic groups at http://www.ccie.net
>>> 
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Mar 08 2012 - 22:47:03 ART
This archive was generated by hypermail 2.2.0 : Sun Apr 01 2012 - 07:56:52 ART
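
The two approaches raised in the thread (restricting which peers may send IKE/ESP to the ASA itself, and forcing main mode), shown as an added ASA configuration sketch that is not from any poster in the thread. The ACL names and the peer addresses (RFC 5737 documentation ranges) are constructed, and the `control-plane` keyword and `am-disable` commands are standard ASA CLI that the thread itself does not mention.

```cisco
! Constructed example: ACL names and peer addresses are hypothetical.

! --- What the original question describes: an ordinary interface ACL ---
! This ACL is evaluated for traffic passing THROUGH the ASA. IKE and ESP
! addressed to the ASA's own outside address are to-the-box traffic, so
! these entries never match and the hit counters stay at zero.
access-list OUTSIDE_IN extended permit udp host 198.51.100.10 any eq isakmp
access-list OUTSIDE_IN extended permit esp host 198.51.100.10 any
access-group OUTSIDE_IN in interface outside

! --- Filtering to-the-box traffic: a control-plane ACL ---
! Permit IKE (UDP 500), NAT-T (UDP 4500) and ESP only from known peers.
access-list CP_IKE extended permit udp host 198.51.100.10 any eq isakmp
access-list CP_IKE extended permit udp host 198.51.100.10 any eq 4500
access-list CP_IKE extended permit esp host 198.51.100.10 any
access-list CP_IKE extended permit udp host 203.0.113.20 any eq isakmp
access-list CP_IKE extended permit udp host 203.0.113.20 any eq 4500
access-list CP_IKE extended permit esp host 203.0.113.20 any

! Explicit denies for everyone else, so the intent does not depend on how
! unmatched to-the-box traffic is handled by default.
access-list CP_IKE extended deny udp any any eq isakmp
access-list CP_IKE extended deny udp any any eq 4500
access-list CP_IKE extended deny esp any any

! The control-plane keyword is what makes the ACL apply to traffic
! terminating on the ASA rather than traffic crossing it.
access-group CP_IKE in interface outside control-plane

! --- Forcing main mode, as the first reply suggests ---
! ASA 8.4 and later:
crypto ikev1 am-disable
! Releases before 8.4 use the older form instead:
! crypto isakmp am-disable

! Check that the control-plane entries are now taking hits:
! show access-list CP_IKE
```

Remote-access clients or peers with dynamic addresses cannot be listed by IP, so a peer allow-list like this only fits site-to-site tunnels with fixed endpoints.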