Block access to Remote Access VPN by IP Address

PerryGuy621
Level 1

I am running a couple of Cisco FTD 2110 managed with FMC and am looking for the best way to block access to our remote access VPN by IP. From doing some reading it looks like the best (and only?) way to do this is via a control plane ACL deployed via Flex Config. I saw another post that showed how this could be accomplished via geo but I am unsure on that syntax. I'm hoping someone could provide what syntax is used or point me towards some documentation for this?

 

Thank you!

45 Replies

How does the control plane ACL affect a web server hosted on site vs. a VPN connection? For this, let's say that both connections happen on the same FTD. If I can place a control plane ACL to block IP 1.2.3.4, would that just block the 1.2.3.4 IP for the VPN connection? Or would I also get blocked if I am coming from IP 1.2.3.4 trying to access a website inside the same network?

Control plane ACLs will affect traffic that is destined to the ASA/FTD itself. Regular ACLs will affect traffic passing through the ASA/FTD.

--
Please remember to select a correct answer and rate helpful posts

darrendanko12
Level 1

Sorry to bring something up from the dead, but I was curious why the multiple steps (which I plan to use) in the Marvin version (Thank you, Marvin!!) vs the steps in this link - https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/
More control of the different parts?
Thank you!!

Darren

The two are basically the same, just that the one @Marvin Rhoads has shown creates it using the GUI and reusable objects, while the one in the link you posted creates this using ASA commands entered directly into the FlexConfig, which will not be available for re-use in any other configuration.


Another thread necro:

Why are there 2 flex-config objects? It looks like the first one creates a variable, but it isn't referenced in the 2nd flexconfig object. I'm wondering if this is a typo, or do you not need the first object. 

It's a typo. I should have shown the creation of the controlplaneacl object in the first step.

rtrefz
Level 1

Thanks!

What sort of object is controlplaneacl? What information does it contain?

It's an extended ACL. It looks the same as the object ACL-Control_Plane-Test that I showed, but with a name that is more acceptable for parsing by FlexConfig.

Basically you block the IPs/objects you want to prevent from RA VPN access and allow everything else.
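The raw ASA CLI form of what this reply and the earlier control-plane vs. through-the-box answer describe, as an added example that is not from this thread or from the linked write-up. It uses the object name controlplaneacl from the replies above and the address 1.2.3.4 from the question; the object-group name BLOCK-RAVPN-SOURCES and the interface name "outside" are assumptions and must be replaced with your own.

```text
! Added example, not code from the thread. Paste into a FlexConfig object with
! Deployment "Everytime" and Type "Append", or build the same lines from FMC objects.
!
! 1. Group the sources to block so the list can grow without editing the ACL.
!    (BLOCK-RAVPN-SOURCES is an assumed name.)
object-group network BLOCK-RAVPN-SOURCES
 network-object host 1.2.3.4
!
! 2. Extended ACL: deny the group, then explicitly permit everything else.
!    A control-plane ACL ends in an implicit deny, so without the final permit
!    every to-the-box flow (all VPN peers, management access) would be dropped.
access-list controlplaneacl extended deny ip object-group BLOCK-RAVPN-SOURCES any
access-list controlplaneacl extended permit ip any any
!
! 3. Bind it with the control-plane keyword. That keyword restricts the ACL to
!    traffic destined to the firewall itself (RA VPN termination, SSH/HTTPS to
!    the box). Traffic from 1.2.3.4 passing through to an internal web server is
!    still governed by the access control / prefilter policy, not by this list.
!    ("outside" is an assumed nameif; use the interface that terminates the VPN.)
access-group controlplaneacl in interface outside control-plane
!
! Verification after deploy; hit counts increment when a blocked source connects:
! show access-list controlplaneacl
! show run access-group
```

Deploy it to a test device first and watch the hit counts on the deny line from a source you control before widening the group; a typo in the interface name or a missing final permit shows up as every remote user losing VPN, so the verification commands are worth running right after the first push.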

thegreatone
Level 1

Is this still the only way to accomplish this? Can we not do geo-ip based restrictions for control plane traffic even now?

Not yet - but it is in the roadmap for an upcoming release.

Do you know if this will work with an ASA SFR?

@ChadH63728 A control plane ACL would work. It has nothing to do with whether or not there is a Firepower (SFR) service module, though. The SFR module's processing happens after packets have already been handled by the ingress interface and any interface ACL(s).

ACL with the flexconfig from the SFR?

@ChadH63728 No. The control-plane ACL is created and applied on the parent ASA, not in the Firepower service module.

scottyd
Level 1

Unbelievable. A basic function of a firewall. No wonder my colleagues are switching to Checkpoint.
