05-18-2021 01:25 AM - edited 05-18-2021 01:28 AM
Hello,
I have a pair of 2120 managed by FMC.
I would like to block an IP that tries to connect to my vpn.
I have fastpath policy and access policy
I have put it in Security intelligence and it still passes to my authentication server, where it is blocked.
Where is the best point to cut it?
Thanks and regards,
Konstantinos
05-18-2021 01:31 AM
Assuming the VPN is hosted on the Firepower 2120s, the prefilter and access control policies you can setup in the GUI all apply to traffic THROUGH the device - not traffic TO the device.
However, you should be able to create a control plane ACL via Flexconfig to restrict a single IP.
https://community.cisco.com/t5/network-security/ftd-remote-access-vpn-restriction/td-p/3765784
05-18-2021 01:49 AM
Hello Marvin,
Thank you for the answer
So where should the ACL in the FlexConfig be applied?
Are there any instructions?
Regards,
Konstantinos
05-18-2021 01:32 AM
Not possible on FTD AFAIK, the ACP and Pre-Filter rules are for traffic "through" the FTD, not "to" the FTD itself (VPN). Your alternative is to place an ACL on the upstream router and block the IP address(es) and permit all else.
HTH
05-18-2021 06:01 AM
Hello everyone,
I created the FlexConfig object below.
I see after deployment in the CLI that the commands are created:
access-list VPN-Blacklist extended deny object-group ProxySG_ExtendedACL_154618915929 object-group x-Blacklist any
access-list VPN-Blacklist extended permit object-group ProxySG_ExtendedACL_154618915933 any any
access-group VPN-Blacklist in interface xxxxx
access-group VPN-Blacklist in interface yyyyy
But still the IP is not blocked
Any ideas?
05-18-2021 06:28 AM
I've never tried on FTD using FlexConfig (I wasn't sure it worked), but certainly when configuring using ASA, you append the word "control-plane", e.g.
access-group OUTSIDE_CP in interface OUTSIDE control-plane
05-18-2021 06:31 AM
That's right @Rob Ingram - we need to specify the "control-plane" parameter in the access-group command.
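The point Rob Ingram and Marvin make is that an access-group without the control-plane keyword only filters traffic through the box, so the rendered FlexConfig lines in the thread would never see the VPN traffic addressed to the FTD itself. The script below is an added example, not code from the thread or from Cisco: it parses rendered config text of the two line shapes posted above (access-list ... extended permit|deny and access-group ... in interface ...) and reports any binding of the given ACL that lacks control-plane, or a permit entry that precedes the first deny. The two config samples are constructed from the lines Konstantinos posted (xxxxx and yyyyy are his interface placeholders), once as rendered and once with control-plane appended; the function and variable names are mine.

```python
import re

# Constructed sample: the config FTD rendered from the FlexConfig object as
# posted in the thread (no control-plane keyword on the access-group lines).
RENDERED_WITHOUT_CP = """
access-list VPN-Blacklist extended deny object-group ProxySG_ExtendedACL_154618915929 object-group x-Blacklist any
access-list VPN-Blacklist extended permit object-group ProxySG_ExtendedACL_154618915933 any any
access-group VPN-Blacklist in interface xxxxx
access-group VPN-Blacklist in interface yyyyy
"""

# Constructed sample: the same rendering with the control-plane keyword that
# the ASA syntax in Rob Ingram's reply appends to each access-group line.
RENDERED_WITH_CP = """
access-list VPN-Blacklist extended deny object-group ProxySG_ExtendedACL_154618915929 object-group x-Blacklist any
access-list VPN-Blacklist extended permit object-group ProxySG_ExtendedACL_154618915933 any any
access-group VPN-Blacklist in interface xxxxx control-plane
access-group VPN-Blacklist in interface yyyyy control-plane
"""

# Only the two line shapes that appear in the thread are recognised; any
# other line (object-group definitions, comments) is ignored.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\b")
ACG_RE = re.compile(
    r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)(\s+control-plane)?\s*$"
)


def parse_config(text):
    """Return (acl entries by name in order, [(acl, iface, is_control_plane)])."""
    acls, bindings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = ACG_RE.match(line)
        if m:
            bindings.append((m.group(1), m.group(2), m.group(3) is not None))
    return acls, bindings


def check_to_box_acl(text, acl_name):
    """Return a list of findings for acl_name; an empty list means the
    rendering is bound as a to-the-box (control-plane) ACL everywhere it is
    applied and its deny entry is not preceded by a permit."""
    acls, bindings = parse_config(text)
    actions = acls.get(acl_name)
    if not actions:
        return [f"{acl_name}: ACL is not defined"]

    findings = []
    if "deny" not in actions:
        findings.append(f"{acl_name}: no deny entry, nothing is blocked")
    elif "permit" in actions and actions.index("permit") < actions.index("deny"):
        findings.append(
            f"{acl_name}: a permit entry precedes the first deny; "
            "check it does not shadow the block"
        )

    applied = [b for b in bindings if b[0] == acl_name]
    if not applied:
        findings.append(f"{acl_name}: not applied to any interface")
    for _, iface, is_cp in applied:
        if not is_cp:
            findings.append(
                f"{acl_name} on {iface}: bound without control-plane, "
                "so it filters through-the-box traffic, not traffic to the VPN"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", RENDERED_WITHOUT_CP), ("with control-plane", RENDERED_WITH_CP)):
        result = check_to_box_acl(cfg, "VPN-Blacklist")
        print(f"{label}: {'OK' if not result else ''}")
        for f in result:
            print("  -", f)
```

Run against the first sample it flags both interface bindings; against the second it returns no findings. An empty result only says the rendered lines have the right shape: as the later replies note, existing sessions from the address still have to be cleared (clear conn address x.x.x.x) before the new to-the-box ACL is consulted for that peer.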
05-18-2021 06:49 AM
Hello
I tried with the control-plane and still I have access using a specific IP.
Regards,
Konstantinos
05-18-2021 06:54 AM
Did you clear the connections for that IP after applying the ACL? Existing connections won't be affected by an ACL update.
If you have cleared the connections and are still seeing the address able to access the VPN, it might be time to ask the TAC to look at it in real time for you.
05-18-2021 06:57 AM
No I did not!!
I will try it and update.
Thank you for your help
05-19-2021 01:32 AM
I issued
clear conn address x.x.x.x
but it did not change anything.