topic Re: Block IP in Network Security

Block IP

kostasthedelegate — Tue, 18 May 2021 08:28:55 GMT

Hello,

I have a pair of 2120 managed by FMC.

I would like to block an IP that tries to connect to my vpn.

I have fastpath policy and access policy

I have put it in Security intelligence and it still passes to my authentication server, where it is blocked.

Where is the best point to cut it?

Thanks and regards,

Konstantinos

Re: Block IP

Marvin Rhoads — Tue, 18 May 2021 08:31:46 GMT

Assuming the VPN is hosted on the Firepower 2120s, the prefilter and access control policies you can setup in the GUI all apply to traffic THROUGH the device - not traffic TO the device.

However, you should be able to create a control plane ACL via Flexconfig to restrict a single IP.

https://community.cisco.com/t5/network-security/ftd-remote-access-vpn-restriction/td-p/3765784

Re: Block IP

Rob Ingram — Tue, 18 May 2021 08:32:33 GMT

@kostasthedelegate

Not possible on FTD AFAIK, the ACP and Pre-Filter rules are for traffic "through" the FTD, not "to" the FTD itself (VPN). You alternative is to place an ACL on the upstream router and block the IP address(es) and permit all else.

HTH

Re: Block IP

kostasthedelegate — Tue, 18 May 2021 08:49:04 GMT

Hello Marvin,

Thank you for the answer

So the ACL on the Flexconfig where should be applied?

Are there any instructions?

Regads,

Konstantinos

Re: Block IP

kostasthedelegate — Tue, 18 May 2021 13:01:46 GMT

Hello everyone,

I created the flexconfig object below

I see after deployment in the cli that the commands are created

access-list VPN-Blacklist extended deny object-group ProxySG_ExtendedACL_154618915929 object-group x-Blacklist any
access-list VPN-Blacklist extended permit object-group ProxySG_ExtendedACL_154618915933 any any
access-group VPN-Blacklist in interface xxxxx
access-group VPN-Blacklist in interface yyyyy

But still the IP is not blocked

Any ideas?

Re: Block IP

Rob Ingram — Tue, 18 May 2021 13:28:27 GMT

@kostasthedelegate

I've never tried on FTD using Flexconfig (I wasn't sure it worked) but certainly when configuring using ASA, you append the word "control-plane" E.g.

access-group OUTSIDE_CP in interface OUTSIDE control-plane

Re: Block IP

Marvin Rhoads — Tue, 18 May 2021 13:31:41 GMT

That's right @Rob Ingram - we need to specify the "control-plane" parameter in the access-group command.

Re: Block IP

kostasthedelegate — Tue, 18 May 2021 13:49:24 GMT

Hello

I tried with the control-plane and still I have access using a specific IP.

Regards,

Konstantinos

Re: Block IP

Marvin Rhoads — Tue, 18 May 2021 13:54:10 GMT

Did you clear the connections for that IP after applying the ACL? Existing connections won't be affected by an ACL update.

If you have cleared the connections and are still seeing the address able to access the VPN, it might be time to ask the TAC to look at in in real time for you.

Re: Block IP

kostasthedelegate — Tue, 18 May 2021 13:57:14 GMT

No I did not!!
I will try it and update.

Thank you for your help

Re: Block IP

kostasthedelegate — Wed, 19 May 2021 08:32:18 GMT

I issued

clear conn address x.x.x.x

but it did not change sth.