cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4760
Views
5
Helpful
13
Replies

block ip addresses that try to brute force into VPN

mikeyasg
Level 1
Level 1

Hello,

Starting from the last three weeks these IP Addresses are attempting to VPN into our network. In the ISE LiveLogs we can see that there are multiple attempts from these ip addresses. These IP addresses were added to the prefilter block rule on the FTD firewall. But still the authentication traffic is reaching the ISE server. shouldn't it be blocked the firewall. 

Any ideas why this address is still able to attempt auth, even though it should be getting denied before it even gets that far?

Screenshot 2023-04-27 152407.png 

1 Accepted Solution

Accepted Solutions

@mikeyasg if the pre-filter rule you are referring to is configured on the FTD acting as the Remote Access VPN concentrator, then that will not work. The pre-filter and Access Control rules control traffic "through" the firewall and not "to" the firewall itself, so it cannot block those connections.

Rarely used, but you could use a control-plane ACL to deny the specific IP addresses and permit the rest of the remote access vpn connections. Example: https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/

Or deny the traffic on the upstream ISP router.

View solution in original post

13 Replies 13

@mikeyasg if the pre-filter rule you are referring to is configured on the FTD acting as the Remote Access VPN concentrator, then that will not work. The pre-filter and Access Control rules control traffic "through" the firewall and not "to" the firewall itself, so it cannot block those connections.

Rarely used, but you could use a control-plane ACL to deny the specific IP addresses and permit the rest of the remote access vpn connections. Example: https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/

Or deny the traffic on the upstream ISP router.

Agree with @Rob Ingram . Filter on an upstream router or terminate RA VPN on a firewall in the DMZ. then the Internet-facing firewall rules would apply to the incoming traffic.

Regarding Duo, generally the Duo configuration (whether SSO, Duo Auth Proxy or Duo Access Gateway) will be still trying to perform the first authentication against your primary authentication source - e.g., AD via ISE. So the attempts will still be logged by ISE (or AD if you bypass ISE for AuthC and only use it for AuthZ).

marce1000
VIP
VIP

 

                   >...These IP addresses were added to the prefilter block rule on the FTD firewall.
  - Depends on what you mean by that  , guess that should not be 'prefilter block' , but just block or deny/drop (e.g.)

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

this VPN is RAVPN or L2L VPN ?
if it L2L VPN then the solution is Control-plane 
if it RAVPN then I think Duo can solve the issue <<- this I need to dive deep to check best solution for you but idea is the ASA make first auth and then send to ISE for second auth, here only the user that pass first Auth will send to ISE for more Auth, the ASA will drop other attempt 

Can I use Duo to protect ASA local account logins?

Absolutely! To protect users local to the ASA, with the Duo LDAPS configuration for SSL VPN, continue to use the "LOCAL" AAA Server Group for authentication and add the Duo LDAP AAA server group for secondary authentication.

To protect local ASA users connecting with the Duo RADIUS configuration for SSL VPN clients, use the duo_only_client and radius_server_duo_only configurations in your Authentication Proxy setup, and again continue to use the "LOCAL" AAA Server Group for authentication and add the Duo RADIUS AAA server group for secondary authentication. 

https://duo.com/docs/cisco-faq

mikeyasg
Level 1
Level 1

The vpn is RAVPN and we are thinking to use control plane ACL as @Rob Ingram suggested. if it is applicable for RAVPN or blocking these ip on the upstream router. But blocking the traffic on upstream router would be adding the addresses everytime we face these issue.

@mikeyasg yes control-plane ACL works on RAVPN.

 

Please can you confirm that 

One IP is outside interface IP of FW 

Other is IP from ravpn pool ??

The outside interface is the vpn concentrator and the endpoint that is making the remote connection will get ip from the ravpn pool. But the screenshot that i shared is neither the outside interface nor the ip from the pool rather it is the ip address that belongs to the endpoint initiating the vpn connection.

then if you sure that these IP is not OUT and VPN Pool 
as other mention you can use ACL 
 
Client-internet-ASA-INside-ISE 
apply ACL to INside allow only Mgmt IP to send to ISE plus first IP of VPN Pool (for more sure allow all VPN Pool) 
that it. 
you will ask then how RAVPN connect to ISE , the RAVPN not direct connect to ISE for auth, the FW do this, FW work as proxy to auth RAVPN.

mikeyasg
Level 1
Level 1

Thank You all and @Rob Ingram We were able to use the control plane ACL and it was successful Thank You for your support.

Sorry for my info.

What you permit and what you deny in control-plane acl??

willb1
Level 1
Level 1

Having a router upstream from the FTD, wouldn't it be possible to create a correlation policy and use the Cisco IOS Null Route Module to automate blocking the offending IP's at the upstream router?

I began looking into this option this morning but am not clear as to how to create and associate the remediation step with the correlation policy.

Review Cisco Networking for a $25 gift card