Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8138
Views
34
Helpful
18
Replies

Block access to Remote Access VPN by IP Address

PerryGuy621
Beginner
Beginner

‎05-21-2021 12:37 PM

I am running a couple of Cisco FTD 2110 managed with FMC and am looking for the best way to block access to our remote access VPN by IP. From doing some reading it looks like the best (and only?) way to do this is via a control plane ACL deployed via Flex Config. I saw another post that showed how this could be accomplished via geo but I am unsure on that syntax. I'm hoping someone could provide what syntax is used or point me towards some documentation for this?

 

Thank you!

0 Helpful
18 Replies 18

Rob Ingram
VIP Master VIP Master
VIP Master

‎05-21-2021 12:46 PM

@PerryGuy621 

No you cannot currently use Geolocation to block traffic "to" the FTD to filter VPN connections. Still an unresolved and open feature request...

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs65322/?rfs=iqvred

 

Use flexconfig to apply a control plane ACL, or filter on the upstream router or place another FTD in front of the RAVPN FTD.

0 Helpful

PerryGuy621
Beginner
Beginner
In response to Rob Ingram

‎05-21-2021 12:52 PM

Is there any documentation on what the control plane ACL would need to look like? Are we able to use a network object group along with it?

0 Helpful

balaji.bandi
VIP Community Legend VIP Community Legend
VIP Community Legend
In response to PerryGuy621

‎05-22-2021 02:24 AM

here it will give you high level control plan ACL information : (HTH)

 

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend
In response to PerryGuy621

‎05-22-2021 09:38 PM

You should be able to use a normal extended ACL object (including network object group). Just add the parameter "control-plane" at the end of the access-group command which applies the ACL to the interface.

 

0 Helpful

GSAInfra
Beginner
Beginner
In response to Marvin Rhoads

‎05-31-2021 03:13 AM

And how do I do this in FMC?

 

This is ridiculous, how do I block IP address from trying to establish a VPN connection? It is such a basic, fundamnetal request, for god sake.

0 Helpful

rschlayer
Enthusiast
Enthusiast
In response to GSAInfra

‎06-01-2021 01:16 AM

For what it`s worth you could utilize an MFA solution (which you should have anyway) which allows GEO blocks (like DUO MFA).

0 Helpful

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend
In response to GSAInfra

‎06-02-2021 10:48 AM - edited ‎06-02-2021 10:52 AM

I just tested and confirmed this can be done in FMC.

https://community.cisco.com/t5/network-security/ftd-remote-access-vpn-restriction/m-p/4411914#M1081231

Short steps:

1. Create an extended ACL object that denies the sources you want to block and allows all others.

Extended ACL objectExtended ACL object

2.Create a Flexconfig object that defines a variable linked to the ACL you just created.

Flexconfig variableFlexconfig variable

3. Create a second Flexconfig object that references the ACL variable and applies it to the desired interface including the "control-plane" keyword.

Flexconfig objectFlexconfig object

4. Create and deploy a Flexconfig policy to the target FTD device(s).

Flexconfig policyFlexconfig policy

 

jasond
Beginner
Beginner

‎01-23-2022 08:01 PM

Will applying the extended ACL to the Outside interface not override the Access Control Policy defined within the FMC (under Policies>Access Control)?

0 Helpful

Rob Ingram
VIP Master VIP Master
VIP Master
In response to jasond

‎01-24-2022 12:18 AM

@jasond no, a control-plane ACL applied inbound on the outside interface will filter traffic "to" the FTD. The ACP controls traffic "through" the FTD.

 

The control-plane would permit or deny the VPN connection from being established, the ACP would control the communication if the VPN is established.

 

darrendanko12
Beginner
Beginner

‎01-13-2023 09:29 AM

Sorry to bring something up from the dead, but I was curious why the multiple steps (which I plan to use) in the Marvin version (Thank you, Marvin!!) vs the steps in this link - https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/
More control of the different parts?
Thank you!!

Darren

0 Helpful

Marius Gunnerud
VIP Advisor VIP Advisor
VIP Advisor
In response to darrendanko12

‎01-14-2023 01:56 AM

The two are basically the same, just that the one @Marvin Rhoads has shown creates it using GUI and reusable objects, while the one in the link you posted creates this using ASA commands directly into the FlexConfig, but will not be available for re-use in any other configuration.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

rtrefz
Beginner
Beginner
In response to Marius Gunnerud

‎02-21-2023 05:02 PM

Another thread necro:

Why are there 2 flex-config objects? It looks like the first one creates a variable, but it isn't referenced in the 2nd flexconfig object. I'm wondering if this is a typo, or do you not need the first object. 

0 Helpful

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend
In response to rtrefz

‎02-22-2023 06:00 AM

It's a typo. I should have shown the creation of contolplaneacl object in the first step.

0 Helpful

rtrefz
Beginner
Beginner

‎02-22-2023 06:17 AM

Thanks!

What sort of object is controlplaneacl? What information does it contain?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents