topic Re: FTD Remote Access VPN Restriction in Network Security

FTD Remote Access VPN Restriction

orkhan.rustamli.96 — Tue, 12 Mar 2019 11:17:39 GMT

Hello, everyone. We have implemented Anyconnect RA VPN on FTD device. However now i want to restrict from which source global IP Addresses i can connect to. I now in ASA it can be done by control-plane ACL but in FTD i do not see any place to configure it.

Re: FTD Remote Access VPN Restriction

Abheesh Kumar — Tue, 18 Dec 2018 20:36:55 GMT

Hi,

Try to create a deny rule in pre-filter policy with the source IP you would like to restrict.

HTH

Abheesh

Re: FTD Remote Access VPN Restriction

orkhan.rustamli.96 — Wed, 19 Dec 2018 09:02:23 GMT

No, It didnot work as i expected. Because ACP and Prefilter Policies are for passthrough traffic. I needed ACL for control plane that i implemented using flexconfig. I denied only my phones global IP into FTD`s vpn webpage and permitted any any. But this way noone could open that webpage

Re: FTD Remote Access VPN Restriction

Marvin Rhoads — Thu, 20 Dec 2018 09:33:58 GMT

As far as I know, control plane type ACL is not currently offered as a feature on FTD.

Re: FTD Remote Access VPN Restriction

orkhan.rustamli.96 — Fri, 21 Dec 2018 05:28:25 GMT

I see. I have also seen that access-group command is not supported by Flex so that means i would not be able to apply access-list to-the-box. It is disappointing. I think i have to change my NGFW to another vendor.

Re: FTD Remote Access VPN Restriction

Marvin Rhoads — Fri, 21 Dec 2018 08:07:42 GMT

Even on ASAs, that's a very uncommonly used feature. I have worked on hundreds of customer ASAs and never seen it used.

What's your use case (business requirement) making it critical for you?

Re: FTD Remote Access VPN Restriction

orkhan.rustamli.96 — Thu, 17 Jan 2019 07:54:25 GMT

The director of security department requires it from me so that only IP addresses from my country can connect to out RA VPN. Actually i have opened TAC case. We have worked together with an engineer, deployed control-plane ACL by Flex but with no result. This issue is already a bug case and waiting response from devolopers whether it is bug or control-plane acl is not yet supported on FTD

Re: FTD Remote Access VPN Restriction

Abheesh Kumar — Thu, 17 Jan 2019 12:10:31 GMT

Hi Orkhan,
Please share the details once you get update from TAC. As i am also in a very similar situation now that one of my customer required the exact thing. They wan to allow only RA-VPN to be accessed from some specific country IP's.

Thanks,
Abheesh

Re: FTD Remote Access VPN Restriction

orkhan.rustamli.96 — Fri, 18 Jan 2019 07:50:58 GMT

Hello Abheesh,

You can check the case status via this link: CSCvn78593. As TAC advised me not to wait a quick action for this problem. Whether this is bug or not supported in FTD, it may take really long time to be added. My advise to you put another ASA for only RA VPN behind FTD devices and cut traffic with basic ACL or Prefilter. Thanks in advance!

Re: FTD Remote Access VPN Restriction

Abheesh Kumar — Fri, 18 Jan 2019 10:21:55 GMT

Hi Orkhan,
Thank you for sharing the details.

Re: FTD Remote Access VPN Restriction

Marvin Rhoads — Fri, 18 Jan 2019 11:29:41 GMT

If you put your RA-dedicated ASA inside on the FTD device then you can use Geoblocking in your ACP rule.

Re: FTD Remote Access VPN Restriction

jovalo — Fri, 17 May 2019 14:23:52 GMT

It seems to be fixed now... since 6.2.3.12 and later. And for the 6.3 since 6.3.0.3.

I was also waiting for this.

Re: FTD Remote Access VPN Restriction

Spyros Kasapis — Fri, 29 May 2020 16:09:49 GMT

Is it fixed in version 6.6. ?

Re: FTD Remote Access VPN Restriction

jovalo — Fri, 29 May 2020 18:14:31 GMT

Yes if it was already fixed in later releases of 6.2 and 6.3 then I suppose it will also work with 6.6 with flexconfig.

Re: FTD Remote Access VPN Restriction

Marvin Rhoads — Mon, 22 Jun 2020 09:03:59 GMT

Even though control-plane ACLs are technically supported with Flexconfig, it is not currently supported (as of 6.6) to do geoblocking of RA VPN that way.

A TAC engineer confirmed this with me just today. There is an (currently unpublished) enhancement bugID for this: CSCvs65322 ENH | Geo-location based AnyConnect Client connections

Re: FTD Remote Access VPN Restriction

Transcom Network Support — Mon, 22 Jun 2020 09:51:04 GMT

Re: FTD Remote Access VPN Restriction

giovanni.augusto — Mon, 22 Jun 2020 09:52:28 GMT

Nowdays FTD major missing in terms of Remote Access and tunneling are the following (in my opinion)
- Lack of Geographical restrictions for remote access tunnel group (should be for each tunnel group, makes no sense to do it for the whole firewall interface) and anonymizers
- Lack of SAML authentication support for Remote Access
- Lack of VTI tunnel interfaces -> this is really a major drawbacks for hybrid cloud connectivity

Re: FTD Remote Access VPN Restriction

Marvin Rhoads — Mon, 22 Jun 2020 10:06:35 GMT

@giovanni.augusto #2 and #3 should be coming in Firepower 6.7 this fall.

For #1 I agree - be sure to contact your Cisco account manager and mention ENH bugID CSCvs65322 !

Re: FTD Remote Access VPN Restriction

Spyros Kasapis — Mon, 16 Nov 2020 11:57:31 GMT

any update in version 6.7 ?

Re: FTD Remote Access VPN Restriction

steve121 — Thu, 20 May 2021 21:48:01 GMT

Any links on what you actually put in the flexconfig?

My scenario is remote access is getting brute force attacked and failing on the auth but we want to block that traffic by geo so it doesn't get that far.