Block access to Remote Access VPN by IP Address

PerryGuy621
Beginner

I am running a couple of Cisco FTD 2110 managed with FMC and am looking for the best way to block access to our remote access VPN by IP. From doing some reading it looks like the best (and only?) way to do this is via a control plane ACL deployed via Flex Config. I saw another post that showed how this could be accomplished via geo but I am unsure on that syntax. I'm hoping someone could provide what syntax is used or point me towards some documentation for this?

 

Thank you!

18 Replies

Rob Ingram
VIP Master

@PerryGuy621 

No, you cannot currently use Geolocation to block traffic "to" the FTD to filter VPN connections. Still an unresolved and open feature request...

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs65322/?rfs=iqvred

 

Use flexconfig to apply a control plane ACL, or filter on the upstream router or place another FTD in front of the RAVPN FTD.

Is there any documentation on what the control plane ACL would need to look like? Are we able to use a network object group along with it?

Here it will give you high-level control plane ACL information: (HTH)

 

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

You should be able to use a normal extended ACL object (including network object group). Just add the parameter "control-plane" at the end of the access-group command which applies the ACL to the interface.

 

And how do I do this in FMC?

 

This is ridiculous, how do I block IP address from trying to establish a VPN connection? It is such a basic, fundamental request, for god sake.

For what it's worth you could utilize an MFA solution (which you should have anyway) which allows GEO blocks (like DUO MFA).

Marvin Rhoads
VIP Community Legend

I just tested and confirmed this can be done in FMC.

https://community.cisco.com/t5/network-security/ftd-remote-access-vpn-restriction/m-p/4411914#M1081231

Short steps:

1. Create an extended ACL object that denies the sources you want to block and allows all others.

[Image: Extended ACL object]

2. Create a Flexconfig object that defines a variable linked to the ACL you just created.

[Image: Flexconfig variable]

3. Create a second Flexconfig object that references the ACL variable and applies it to the desired interface including the "control-plane" keyword.

[Image: Flexconfig object]

4. Create and deploy a Flexconfig policy to the target FTD device(s).

[Image: Flexconfig policy]
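What the four steps above deploy to the FTD, shown as an added illustration in ASA/FTD running-config syntax rather than something taken from Marvin's screenshots. The object-group name, the addresses (RFC 5737 documentation ranges) and the interface nameif "outside" are assumed; "controlplaneacl" is the ACL name used in the thread.

```cisco
! Step 1 (FMC extended ACL object): deny the blocked sources, permit everything else.
! Order matters: the first matching entry wins, and an ACL with only deny entries
! would block every VPN client because of the implicit deny at the end.
object-group network BLOCKED_VPN_SOURCES
 network-object host 198.51.100.10
 network-object 203.0.113.0 255.255.255.0
access-list controlplaneacl extended deny ip object-group BLOCKED_VPN_SOURCES any
access-list controlplaneacl extended permit ip any any
!
! Steps 2-3 (FlexConfig): the variable holds the ACL name, the object applies it.
! The "control-plane" keyword is what makes this filter traffic terminating on the
! FTD itself (RAVPN, SSH, etc.) instead of traffic passing through it, which the
! Access Control Policy keeps handling.
access-group controlplaneacl in interface outside control-plane
```

After the FlexConfig policy is deployed, `show running-config access-group` on the FTD CLI should show the control-plane line, and `show access-list controlplaneacl` shows per-entry hit counts so you can confirm the deny entry is actually matching.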

 

jasond
Beginner

Will applying the extended ACL to the Outside interface not override the Access Control Policy defined within the FMC (under Policies>Access Control)?

@jasond no, a control-plane ACL applied inbound on the outside interface will filter traffic "to" the FTD. The ACP controls traffic "through" the FTD.

 

The control-plane would permit or deny the VPN connection from being established, the ACP would control the communication if the VPN is established.

 

darrendanko12
Beginner

Sorry to bring something up from the dead, but I was curious why the multiple steps (which I plan to use) in the Marvin version (Thank you, Marvin!!) vs the steps in this link - https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/
More control of the different parts?
Thank you!!

Darren

The two are basically the same, just that the one @Marvin Rhoads has shown creates it using GUI and reusable objects, while the one in the link you posted creates this using ASA commands directly into the FlexConfig, but will not be available for re-use in any other configuration.

--
Please remember to select a correct answer and rate helpful posts

Another thread necro:

Why are there 2 flex-config objects? It looks like the first one creates a variable, but it isn't referenced in the 2nd flexconfig object. I'm wondering if this is a typo, or do you not need the first object. 

Marvin Rhoads
VIP Community Legend

It's a typo. I should have shown the creation of the controlplaneacl object in the first step.

rtrefz
Beginner

Thanks!

What sort of object is controlplaneacl? What information does it contain?
