05-21-2021 12:37 PM
I am running a couple of Cisco FTD 2110 managed with FMC and am looking for the best way to block access to our remote access VPN by IP. From doing some reading it looks like the best (and only?) way to do this is via a control plane ACL deployed via Flex Config. I saw another post that showed how this could be accomplished via geo but I am unsure on that syntax. I'm hoping someone could provide what syntax is used or point me towards some documentation for this?
Thank you!
05-21-2021 12:46 PM
No you cannot currently use Geolocation to block traffic "to" the FTD to filter VPN connections. Still an unresolved and open feature request...
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs65322/?rfs=iqvred
Use flexconfig to apply a control plane ACL, or filter on the upstream router or place another FTD in front of the RAVPN FTD.
05-21-2021 12:52 PM
Is there any documentation on what the control plane ACL would need to look like? Are we able to use a network object group along with it?
05-22-2021 02:24 AM
Here it will give you high-level control plane ACL information: (HTH)
05-22-2021 09:38 PM
You should be able to use a normal extended ACL object (including network object group). Just add the parameter "control-plane" at the end of the access-group command which applies the ACL to the interface.
05-31-2021 03:13 AM
And how do I do this in FMC?
This is ridiculous, how do I block an IP address from trying to establish a VPN connection? It is such a basic, fundamental request, for God's sake.
06-01-2021 01:16 AM
For what it's worth you could utilize an MFA solution (which you should have anyway) which allows GEO blocks (like DUO MFA).
06-02-2021 10:48 AM - edited 06-02-2021 10:52 AM
I just tested and confirmed this can be done in FMC.
Short steps:
1. Create an extended ACL object that denies the sources you want to block and allows all others.
Extended ACL object
2. Create a Flexconfig object that defines a variable linked to the ACL you just created.
Flexconfig variable
3. Create a second Flexconfig object that references the ACL variable and applies it to the desired interface including the "control-plane" keyword.
Flexconfig object
4. Create and deploy a Flexconfig policy to the target FTD device(s).
Flexconfig policy
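The configuration those four steps produce, added here as an illustration and not taken from any post in this thread: the FlexConfig line for step 3, and the commands FMC generates on the FTD once the policy is deployed. It assumes the policy-object variable expands to the ACL object's name (with FMC emitting the object's own commands); the ACL name controlplaneacl is the one used later in the thread, while the object-group name BLOCKED_VPN_SOURCES, the interface name outside and the 198.51.100.0/24 range are constructed placeholders.

```cisco
! --- FlexConfig object (step 3): $controlplaneacl is the variable from step 2,
!     linked to the extended ACL object. This one line binds that ACL to the
!     outside interface as a control-plane (to-the-box) ACL.
access-group $controlplaneacl in interface outside control-plane

! --- What FMC deploys to the FTD when the FlexConfig policy is pushed (step 4).
!     Object-group name, interface name and 198.51.100.0/24 are placeholders.
object-group network BLOCKED_VPN_SOURCES
 network-object 198.51.100.0 255.255.255.0
!
! Order matters: deny the blocked sources first, then permit everything else.
! A control-plane ACL ends with an implicit deny, so leaving out the final
! permit blocks every VPN peer (and all other to-the-box traffic on that
! interface), including your own remote-access session.
access-list controlplaneacl extended deny ip object-group BLOCKED_VPN_SOURCES any
access-list controlplaneacl extended permit ip any any
!
! The control-plane keyword makes this filter traffic destined TO the FTD
! (the VPN connection attempt itself); traffic THROUGH the FTD stays governed
! by the Access Control Policy.
access-group controlplaneacl in interface outside control-plane

! --- Verification from the FTD CLI after deployment: the deny entry's hit
!     count rises as blocked sources attempt to connect.
! show running-config access-group
! show access-list controlplaneacl
```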
01-23-2022 08:01 PM
Will applying the extended ACL to the Outside interface not override the Access Control Policy defined within the FMC (under Policies>Access Control)?
01-24-2022 12:18 AM
@jasond no, a control-plane ACL applied inbound on the outside interface will filter traffic "to" the FTD. The ACP controls traffic "through" the FTD.
The control-plane would permit or deny the VPN connection from being established, the ACP would control the communication if the VPN is established.
01-13-2023 09:29 AM
Sorry to bring something up from the dead, but I was curious why the multiple steps (which I plan to use) in the Marvin version (Thank you, Marvin!!) vs the steps in this link - https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/
More control of the different parts?
Thank you!!
Darren
01-14-2023 01:56 AM
The two are basically the same, just that the one @Marvin Rhoads has shown creates it using GUI and reusable objects, while the one in the link you posted creates this using ASA commands directly into the FlexConfig, but will not be available for re-use in any other configuration.
02-21-2023 05:02 PM
Another thread necro:
Why are there 2 flex-config objects? It looks like the first one creates a variable, but it isn't referenced in the 2nd flexconfig object. I'm wondering if this is a typo, or do you not need the first object.
02-22-2023 06:00 AM
It's a typo. I should have shown the creation of the controlplaneacl object in the first step.
02-22-2023 06:17 AM
Thanks!
What sort of object is controlplaneacl? What information does it contain?