05-21-2021 12:37 PM
I am running a couple of Cisco FTD 2110s managed with FMC and am looking for the best way to block access to our remote access VPN by IP. From doing some reading it looks like the best (and only?) way to do this is via a control plane ACL deployed via FlexConfig. I saw another post that showed how this could be accomplished via geo, but I am unsure of that syntax. I'm hoping someone could provide the syntax that is used or point me towards some documentation for this?
Thank you!
09-01-2023 03:11 PM
How does the control plane ACL affect a web server hosted on site vs a VPN connection? For this, let's say that both connections happen on the same FTD. If I can place a control plane ACL to block IP 1.2.3.4, would that just block the 1.2.3.4 IP for the VPN connection? Or would I also get blocked if I am coming from IP 1.2.3.4 trying to access a website inside the same network?
09-01-2023 03:22 PM
Control plane ACLs will affect traffic that is destined to the ASA/FTD itself. Regular ACLs will affect traffic passing through the ASA/FTD.
01-13-2023 09:29 AM
Sorry to bring something up from the dead, but I was curious why there are multiple steps (which I plan to use) in Marvin's version (Thank you, Marvin!!) vs the steps in this link - https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/
More control of the different parts?
Thank you!!
Darren
01-14-2023 01:56 AM
The two are basically the same, just that the one @Marvin Rhoads has shown creates it using the GUI and reusable objects, while the one in the link you posted creates it using ASA commands directly in the FlexConfig, which will not be available for re-use in any other configuration.
02-21-2023 05:02 PM
Another thread necro:
Why are there 2 FlexConfig objects? It looks like the first one creates a variable, but it isn't referenced in the 2nd FlexConfig object. I'm wondering if this is a typo, or whether you do not need the first object.
02-22-2023 06:00 AM
It's a typo. I should have shown the creation of the controlplaneacl object in the first step.
02-22-2023 06:17 AM
Thanks!
What sort of object is controlplaneacl? What information does it contain?
02-22-2023 06:43 AM
It's an extended ACL. It looks the same as the object ACL-Control_Plane-Test that I showed, but with a name that was more acceptable for parsing by FlexConfig.
Basically you block the IPs/objects you want to prevent from RA VPN access and allow everything else.
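The deny-then-permit structure described above, written out as the ASA-style lines a FlexConfig object would push to the FTD. This is an added illustration, not configuration from this thread or from Cisco's documentation; the object name BLOCKED_VPN_SRC, the second blocked range 198.51.100.0/24 and the interface name `outside` are assumptions, while 1.2.3.4 is the address used as an example earlier in the thread.

```text
! Constructed example: control-plane ACL for blocking RA VPN sources.
! Deny the sources you want kept off the RA VPN, then permit everything else.
object network BLOCKED_VPN_SRC
 host 1.2.3.4
!
access-list controlplaneacl extended deny ip object BLOCKED_VPN_SRC any
access-list controlplaneacl extended deny ip 198.51.100.0 255.255.255.0 any
! The explicit permit at the end is required: without it the ACL's implicit
! deny would drop ALL traffic destined to the box on this interface,
! including every legitimate VPN client.
access-list controlplaneacl extended permit ip any any
!
! The control-plane keyword scopes the ACL to traffic destined to the FTD
! itself (e.g. RA VPN on outside); through-traffic such as a web server
! behind the firewall is still governed by the normal access policy.
access-group controlplaneacl in interface outside control-plane
```

After deployment, `show access-list controlplaneacl` on the FTD CLI shows per-entry hit counts, which is the quickest way to confirm a blocked source is matching its deny entry rather than falling through to the final permit.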
09-18-2024 10:27 AM
Thank you for showing us how to do this with FlexConfig! Really appreciate it!
I do have a question though.
When you're calling the variable in Step 3 (3. Create a second FlexConfig), you also instruct us to insert that same ACL again, creating a new variable.
Does that not overwrite the variable created in step 2?
Or do we have to choose a different name for the variable in step 3 and then still use the variable created in step 2 when we're writing the access-group command?
Thank you for your help.
03-10-2023 09:00 AM
Is this still the only way to accomplish this? Can we not do geo-ip based restrictions for control plane traffic even now?
03-10-2023 09:12 AM - edited 03-10-2023 09:18 AM
Not yet - but it is on the roadmap for an upcoming release.
06-10-2023 05:13 PM
Do you know if this will work with an ASA SFR?
06-11-2023 08:00 PM - edited 06-11-2023 08:00 PM
@ChadH63728 control plane ACL would work. It has nothing to do with whether or not there is a Firepower (SFR) service module though. The SFR module's processing happens after packets have already been handled by the ingress interface and any interface ACL(s).
06-11-2023 09:10 PM
ACL with the flexconfig from the SFR?
06-12-2023 07:06 AM
@ChadH63728 No. The control-plane ACL is created and applied on the parent ASA, not in the Firepower service module.