topic Re: Block access to Remote Access VPN by IP Address in Network Security

Block access to Remote Access VPN by IP Address

PerryGuy621 — Fri, 21 May 2021 19:37:19 GMT

I am running a couple of Cisco FTD 2110 managed with FMC and am looking for the best way to block access to our remote access VPN by IP. From doing some reading it looks like the best (and only?) way to do this is via a control plane ACL deployed via Flex Config. I saw another post that showed how this could be accomplished via geo but I am unsure on that syntax. I'm hoping someone could provide what syntax is used or point me towards some documentation for this?

Thank you!

Re: Block access to Remote Access VPN by IP Address

Rob Ingram — Fri, 21 May 2021 19:46:12 GMT

@PerryGuy621

No you cannot currently use Geolocation to block traffic "to" the FTD to filter VPN connections. Still an unresolved and open feature request...

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs65322/?rfs=iqvred

Use flexconfig to apply a control plane ACL, or filter on the upstream router or place another FTD in front of the RAVPN FTD.

Re: Block access to Remote Access VPN by IP Address

PerryGuy621 — Fri, 21 May 2021 19:52:30 GMT

Is there any documentation on what the control plane ACL would need to look like? Are we able to use a network object group along with it?

Re: Block access to Remote Access VPN by IP Address

balaji.bandi — Sat, 22 May 2021 09:24:42 GMT

here it will give you high level control plan ACL information : (HTH)

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html

Re: Block access to Remote Access VPN by IP Address

Marvin Rhoads — Sun, 23 May 2021 04:38:16 GMT

You should be able to use a normal extended ACL object (including network object group). Just add the parameter "control-plane" at the end of the access-group command which applies the ACL to the interface.

Re: Block access to Remote Access VPN by IP Address

GSAInfra — Mon, 31 May 2021 10:13:04 GMT

And how do I do this in FMC?

This is ridiculous, how do I block IP address from trying to establish a VPN connection? It is such a basic, fundamnetal request, for god sake.

Re: Block access to Remote Access VPN by IP Address

rschlayer — Tue, 01 Jun 2021 08:16:48 GMT

For what it`s worth you could utilize an MFA solution (which you should have anyway) which allows GEO blocks (like DUO MFA).

Re: Block access to Remote Access VPN by IP Address

Marvin Rhoads — Wed, 02 Jun 2021 17:52:52 GMT

I just tested and confirmed this can be done in FMC.

https://community.cisco.com/t5/network-security/ftd-remote-access-vpn-restriction/m-p/4411914#M1081231

Short steps:

1. Create an extended ACL object that denies the sources you want to block and allows all others.

Extended ACL object

2.Create a Flexconfig object that defines a variable linked to the ACL you just created.

Flexconfig variable

3. Create a second Flexconfig object that references the ACL variable and applies it to the desired interface including the "control-plane" keyword.

Flexconfig object

4. Create and deploy a Flexconfig policy to the target FTD device(s).

Flexconfig policy

Re: Block access to Remote Access VPN by IP Address

jasond — Mon, 24 Jan 2022 04:01:59 GMT

Will applying the extended ACL to the Outside interface not override the Access Control Policy defined within the FMC (under Policies>Access Control)?

Re: Block access to Remote Access VPN by IP Address

Rob Ingram — Mon, 24 Jan 2022 08:18:27 GMT

@jasond no, a control-plane ACL applied inbound on the outside interface will filter traffic "to" the FTD. The ACP controls traffic "through" the FTD.

The control-plane would permit or deny the VPN connection from being established, the ACP would control the communication if the VPN is established.

Re: Block access to Remote Access VPN by IP Address

darrendanko12 — Fri, 13 Jan 2023 17:29:27 GMT

Sorry to bring something up from the dead, but I was curious why the multiple steps (which I plan to use) in the Marvin version (Thank you, Marvin!!) vs the steps in this link - https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/
More control of the different parts?
Thank you!!

Darren

Re: Block access to Remote Access VPN by IP Address

Marius Gunnerud — Sat, 14 Jan 2023 09:56:09 GMT

The two are basically the same, just that the one @Marvin Rhoads has shown creates it using GUI and reusable objects, while the one in the link you posted creates this using ASA commands directly into the FlexConfig, but will not be available for re-use in any other configuration.

Re: Block access to Remote Access VPN by IP Address

rtrefz — Wed, 22 Feb 2023 01:02:48 GMT

Another thread necro:

Why are there 2 flex-config objects? It looks like the first one creates a variable, but it isn't referenced in the 2nd flexconfig object. I'm wondering if this is a typo, or do you not need the first object.

Re: Block access to Remote Access VPN by IP Address

Marvin Rhoads — Wed, 22 Feb 2023 14:00:30 GMT

It's a typo. I should have shown the creation of contolplaneacl object in the first step.

Re: Block access to Remote Access VPN by IP Address

rtrefz — Wed, 22 Feb 2023 14:17:30 GMT

Thanks!

What sort of object is controlplaneacl? What information does it contain?

Re: Block access to Remote Access VPN by IP Address

Marvin Rhoads — Wed, 22 Feb 2023 14:43:55 GMT

It's an extended ACL. Looks the same as the object ACL-Control_Plane-Test that I showed, but with a name that was more acceptable for parsing by Flexconfig.

Basically you block the IPs/objects you want to prevent from RA VPN access and allow everything else.

Re: Block access to Remote Access VPN by IP Address

thegreatone — Fri, 10 Mar 2023 17:00:36 GMT

Is this still the only way to accomplish this? Can we not do geo-ip based restrictions for control plane traffic even now?

Re: Block access to Remote Access VPN by IP Address

Marvin Rhoads — Fri, 10 Mar 2023 17:18:52 GMT

Not yet - but it is in the roadmap for an upcoming release.

Re: Block access to Remote Access VPN by IP Address

scottyd — Thu, 30 Mar 2023 02:03:55 GMT

Unbelievable. A basic function of a firewall. No wonder my colleges are switching to Checkpoint.

Re: Block access to Remote Access VPN by IP Address

ChadH63728 — Sun, 11 Jun 2023 00:13:38 GMT

Do you know if this will this work with an ASA SFR?