
block access to my RA VPN

Nadi
Level 1

I need to block access to my RA VPN using the IP; I need this VPN to be accessed via the URL.

What I mean is that I have an FTD 2110 with RA VPN.
Users can access the web page of the VPN using both the IP of the outside interface and the URL.

I need to force users to use the URL only.

7 Replies 7

M02@rt37
VIP

Hello @Nadi 

This can be achieved by setting up an access rule that denies traffic to the outside interface's IP on the ports used by the VPN (e.g., HTTPS for web access) but allows traffic directed to the same port when accessed via the specific URL. Additionally, implementing DNS filtering or modifying the DNS response for your users to only resolve the URL while not exposing the IP address directly can help enforce this policy.

Best regards

Can you please share how to create this access list, and how we deny traffic to the IP and allow it for the URL?

Is this a control-plane access list or a normal access rule?

Friend, no way: DNS resolves to the IP, and in both cases the RA VPN can use any URL or IP to connect.

By the way, why do you want to do that? Maybe we are searching in the wrong place.

MHM

A pen test was done on our company and recommended that.

Not possible, as the IP is the same for both DNS and IP..

There is another way.


ciscoasa# sh run tunnel-group
tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication saml
tunnel-group tomvpn type remote-access
tunnel-group tomvpn webvpn-attributes

There are ways to tweak this.. I created a new tunnel group, tomvpn, for the FQDN, and the IP address matches the DefaultWEBVPNGroup tunnel group.. In the default WebVPN tunnel group I set it to do SAML auth, which is not configured, so they get an error..

There may be other ways to tweak it further...
group-url https://tomvpn.mydomain.com enable


Amine ZAKARIA
Spotlight

Hello,

AFAIK the Firepower does not support geolocation for RA VPN; you need to use a control-plane ACL. In case the remote users are all in the same country, allow your country's public IP range and deny the rest. Or, depending on your environment, if you have a firewall placed before the FPP you can use geolocation, or you can apply the ACL on the router facing the internet.

About the FQDN instead of the IP: for what reason did the pentester recommend that? By using the FQDN there is also the risk of DNS spoofing.

If you still want to achieve this, you need a load balancer/WAF to allow only the specific URL.

Are you using MFA with the RA VPN? Is RADIUS used, or LDAP?

Regards!


The problem here is that you need the IP to be able to connect to the VPN. The URL is just a more human-friendly way of defining the IP, but it still resolves to the same IP.

To add to what others have mentioned here, another method to make this more secure is to implement certificate authentication. That way anyone connecting who does not have a valid certificate will be refused access.
