topic Re: block access to my RA VPN in Network Security

block access to my RA VPN

Nadi — Sat, 24 Aug 2024 22:57:51 GMT

i need to block access to my RA VPN using the IP i need this VPN to be accessed via the URL

what i mean that i have an FTD 2110 with RA VPN
users can access the Web page of the VPN using both IP of the outside interface and the URL

i need to force users to use the URL only

Re: block access to my RA VPN

M02@rt37 — Sun, 25 Aug 2024 06:20:37 GMT

Hello @Nadi

This can be achieved by setting up an access rule that denies traffic to the outside interface's IP on the ports used by the VPN (e.g., HTTPS for web access) but allows traffic directed to the same port when accessed via the specific URL. Additionally, implementing DNS filtering or modifying the DNS response for your users to only resolve the URL while not exposing the IP address directly can help enforce this policy.

Re: block access to my RA VPN

Nadi — Sun, 25 Aug 2024 06:29:06 GMT

can you please share how to create this access list and how we deny traffic to IP and allow it for URL

is this a control plane access list or normal access rule

Re: block access to my RA VPN

MHM Cisco World — Sun, 25 Aug 2024 08:51:14 GMT

Friend no way' dns resolve to IP and both case the RA VPN can use any URL or IP to connect.

By the way why you want to do that ? Maybe we search in wrong place

MHM

Re: block access to my RA VPN

Nadi — Sun, 25 Aug 2024 09:04:15 GMT

A pen test happened to our company and recommended that

Re: block access to my RA VPN

Amine ZAKARIA — Sun, 25 Aug 2024 12:39:20 GMT

Hello,

AFAIK the firepower does not support Geolocation for RA VPN , you need to use ACL Control Plane. In case the remote users are all on the same country then allow your country public ip range and deny the rest. or depend on your environment if you have a firewall placed before the FPP you can use the Geolocation. or you can apply the ACL on the router publicly facing the internet.

About the fqdn instead of ip, for what reason the pentester recommended that ? By using the fqdn also there is the risk of dns spoofing.

If you still want to achieve this, you need a loadbalacing/WAF to allow only specific URL.

Are you using MFA with the RA VPN ? is Radius used or LDAP?

Regards!

Don't forget to rate helpful posts!

Re: block access to my RA VPN

ccieexpert — Mon, 26 Aug 2024 00:08:40 GMT

not possible as the ip is the same both dns and ip..

there is another way

ciscoasa# sh run tunnel-group
tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication saml
tunnel-group tomvpn type remote-access
tunnel-group tomvpn webvpn-attributes

there are ways to tweak this.. i created a new tunnel group tomvpn for the fqdn and the ip address matches with the defaultwebvpn tunnel group.. in the default webvpn tunnel group i set it to do SAML auth, which is not configured, so they get a error..

there may be other ways to tweak it further...
group-url https://tomvpn.mydomain.com enable

**Please rate this as helpful if this was useful**

Re: block access to my RA VPN

Marius Gunnerud — Mon, 26 Aug 2024 10:54:08 GMT

The problem here is that you need the IP to be able to connect to the VPN. URL is just a more human friendly way of defining the IP, but it still resolves to the same IP.

To add to what others have mentioned here, another method to make this more secure is to implement certificate authentication. That way anyone connecting that does not have a valid certificate will be refused access.

Re: block access to my RA VPN

ahmed-serag — Wed, 16 Jul 2025 08:34:38 GMT

I have just faced an issue like this and after investigating here you are the solution

first you need to enforce the users to access only URLs not IPs by removing the whole option called Block Connections for untrusted serves by modifying File called AnyConnectLocalPolicy.xml located in C:\ProgramData\Cisco\Cisco Secure Client

you can just modify this row <StrictCertificateTrust>False</StrictCertificateTrust> to True and then pushed this file after modification to all corporate devices

this will enforce the users to use only trusted URL links