Re: Block access to Remote Access VPN by IP Address

PerryGuy621 · ‎05-21-2021

I am running a couple of Cisco FTD 2110 managed with FMC and am looking for the best way to block access to our remote access VPN by IP. From doing some reading it looks like the best (and only?) way to do this is via a control plane ACL deployed via Flex Config. I saw another post that showed how this could be accomplished via geo but I am unsure on that syntax. I'm hoping someone could provide what syntax is used or point me towards some documentation for this?

Thank you!

Rob Ingram · ‎05-21-2021

@PerryGuy621

No you cannot currently use Geolocation to block traffic "to" the FTD to filter VPN connections. Still an unresolved and open feature request...

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs65322/?rfs=iqvred

Use flexconfig to apply a control plane ACL, or filter on the upstream router or place another FTD in front of the RAVPN FTD.

PerryGuy621 · ‎05-21-2021

Is there any documentation on what the control plane ACL would need to look like? Are we able to use a network object group along with it?

balaji.bandi · ‎05-22-2021

here it will give you high level control plan ACL information : (HTH)

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marvin Rhoads · ‎05-22-2021

You should be able to use a normal extended ACL object (including network object group). Just add the parameter "control-plane" at the end of the access-group command which applies the ACL to the interface.

GSAInfra · ‎05-31-2021

And how do I do this in FMC?

This is ridiculous, how do I block IP address from trying to establish a VPN connection? It is such a basic, fundamnetal request, for god sake.

rschlayer · ‎06-01-2021

For what it`s worth you could utilize an MFA solution (which you should have anyway) which allows GEO blocks (like DUO MFA).

Marvin Rhoads · ‎06-02-2021

I just tested and confirmed this can be done in FMC.

https://community.cisco.com/t5/network-security/ftd-remote-access-vpn-restriction/m-p/4411914#M1081231

Short steps:

1. Create an extended ACL object that denies the sources you want to block and allows all others.

Extended ACL object

2.Create a Flexconfig object that defines a variable linked to the ACL you just created.

Flexconfig variable

3. Create a second Flexconfig object that references the ACL variable and applies it to the desired interface including the "control-plane" keyword.

Flexconfig object

4. Create and deploy a Flexconfig policy to the target FTD device(s).

Flexconfig policy

Jordan1212 · ‎09-08-2023

Hi Marvin,

Can you clarify where the step 2 variable is being used?

Is it possible to just create one object, with one variable referencing the ACL?

Thank you.

Marvin Rhoads · ‎09-08-2023

The variable created in Step 2 is referenced by the object in Step 3.

I've not tried concatenating them - once I get something working using the Velocity language they use for that, I tend to leave it alone if I can.

Jordan1212 · ‎09-08-2023

Good to know. I'll give this a shot. Thank you.

beIN SG Support · ‎10-31-2023

Hi Marvin,
Sorry, this is a beginner-level question.

in step 3 you create a new FlexConfig object, what option do you choose to insert:

Or do I key it in?

For Step 2 I got it via Insert Policy Object --> Extended ACL Object

TIA for your support

Marvin Rhoads · ‎11-01-2023

@beIN SG Support it's a policy object in both cases.

jasond · ‎01-23-2022

Will applying the extended ACL to the Outside interface not override the Access Control Policy defined within the FMC (under Policies>Access Control)?

Rob Ingram · ‎01-24-2022

@jasond no, a control-plane ACL applied inbound on the outside interface will filter traffic "to" the FTD. The ACP controls traffic "through" the FTD.

The control-plane would permit or deny the VPN connection from being established, the ACP would control the communication if the VPN is established.