Block access to Remote Access VPN by IP Address

PerryGuy621
Level 1

I am running a couple of Cisco FTD 2110 managed with FMC and am looking for the best way to block access to our remote access VPN by IP. From doing some reading it looks like the best (and only?) way to do this is via a control plane ACL deployed via Flex Config. I saw another post that showed how this could be accomplished via geo but I am unsure on that syntax. I'm hoping someone could provide what syntax is used or point me towards some documentation for this?


Thank you!

48 Replies

Lee Dress
Level 1

I 100% agree with this assessment. And I do have to play whack-a-mole. Every day I'm looking at VPN attempts and failures, doing an IP lookup and then adding an IP (or large subnets) to my IP blacklist. There is so much security intelligence (like the Cisco-Intelligence-feed that is updated regularly) that can be applied to the passing traffic; we should be able to leverage a database or feed at the control plane level. I've actually considered installing an edge router that has that type of functionality, but then why do I need an NGFW?

Blocking to-the-box connections by geo IP (CSCvs65322) is not enough. FTD and ASA should also support:

- "set connection per-client-max" and "set connection per-client-embryonic-max" in MPF for to-the-box connections
- connection rate-limiting in MPF for both to-the-box and through-the-box connections
- connection rate-limiting for to-the-box connections in ASA resource manager in multiple mode ("limit-resource" system CLI)
- user-configurable TLS/JA3 filtering for to-the-box TCP/443 traffic
- pre-defined TLS/JA3 filters for AnyConnect on all supported operating systems
- multicore support for VPN control-plane on high-end platforms
- adaptive call admission control for IKEv2 and TLS which takes box load into consideration rather than just the number of tunnels under negotiation (TLS currently doesn't have any call admission control)
- much more efficient IKEv2 control plane which doesn't fail under stress
- diagnostic capabilities

Until then ASA/FTD configured as RA VPN hub should always be protected by some other specialized perimeter device capable of session rate-limiting and TLS/JA3 filtering.


Lee Dress
Level 1

So here's what I have done to mitigate the whack-a-mole issue.

I installed 2 OPNsense firewalls as my edge routers to the internet. They have next-gen ability to use GeoIP and IP lists like ET and FireHOL. Then I set up rules to block traffic based on those lists. I've also created a report in Firepower to give me AAA authentication errors so I can tell how many hits I'm taking, and if those IP addresses aren't on a list, then I can add them manually at the edge.


Can you deploy an OPNsense firewall in front of the FTD in transparent/non-routed mode?
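The original question asks for the control-plane ACL syntax that FlexConfig would push to block VPN access by source IP, and Lee Dress's reply describes pulling AAA authentication errors out of Firepower and hand-adding the offending addresses to a block list. The script below is an added example (mine, not from the thread, Cisco or OPNsense) that joins those two steps: it parses ASA-style `%ASA-6-113005` authentication-rejected syslog lines, counts rejects per source IP, skips an allow-listed management range, and renders the ASA control-plane ACL lines for addresses that cross a threshold. The sample log lines, the ACL name `RAVPN-CP-BLOCK`, the interface name `outside` and the threshold are constructed placeholders; the `access-group ... control-plane` syntax is the one I know from ASA and should be checked against your FTD/ASA release before pasting it into a FlexConfig object.

```python
"""Build a Cisco ASA/FTD control-plane ACL from AAA authentication failures.

Added example, not code from the forum thread or from Cisco. It reads
%ASA-6-113005 ("AAA user authentication Rejected") syslog lines, counts
rejects per source IP, and emits control-plane ACL lines for repeat
offenders. ACL name, interface name, threshold and the sample log are
constructed placeholders (assumptions of this example).
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample syslog in the %ASA-6-113005 / 113004 shape (not real data).
SAMPLE_LOG = """\
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.7
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = root : user IP = 203.0.113.7
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 198.51.100.22
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 192.0.2.10
%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
"""

# Only the "Rejected" message carries a "user IP =" field we care about.
REJECT_RE = re.compile(r"%ASA-\d-113005:.*?user IP = (?P<ip>[0-9a-fA-F:.]+)")


def count_rejects(log_text):
    """Return a Counter of rejected-authentication events per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def select_offenders(hits, threshold, allow_nets=()):
    """Pick IPs with at least `threshold` rejects, skipping allow-listed networks.

    The allow list exists so a mistyped password from a known management
    range never locks your own admins out of the VPN head-end.
    """
    allow = [ip_network(n) for n in allow_nets]
    offenders = []
    for ip, n in hits.items():
        addr = ip_address(ip)
        if n >= threshold and not any(addr in net for net in allow):
            offenders.append(ip)
    return sorted(offenders, key=ip_address)


def build_control_plane_acl(offenders, acl_name="RAVPN-CP-BLOCK", interface="outside"):
    """Render ASA control-plane ACL lines: deny each offender, permit the rest.

    A control-plane ACL ends in an implicit deny, so the explicit
    'permit ip any any' keeps legitimate to-the-box traffic (VPN, management)
    working for everyone not on the deny list.
    """
    lines = [f"access-list {acl_name} extended deny ip host {ip} any" for ip in offenders]
    lines.append(f"access-list {acl_name} extended permit ip any any")
    lines.append(f"access-group {acl_name} in interface {interface} control-plane")
    return lines


if __name__ == "__main__":
    rejects = count_rejects(SAMPLE_LOG)
    bad = select_offenders(rejects, threshold=3, allow_nets=["192.0.2.0/24"])
    print("\n".join(build_control_plane_acl(bad)))
```

Run against the constructed sample, only 203.0.113.7 crosses the threshold of three rejects, so the output is a one-host deny followed by the permit and the `access-group ... control-plane` binding. The deny-then-permit ordering matters: a control-plane ACL applies only to traffic destined to the box itself, and because it carries an implicit deny at the end, omitting the final permit would block every remote user rather than just the listed addresses.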
