Control-Plane ACL FP1140

oetti
Level 1

Hi,

Is there any supported way to add more than 50 entries to the Control-Plane ACL on an FP1140 device? It's quite annoying to add every entry one by one in the FMC, and it's limited to 50 entries.

Thanks

8 Replies

balaji.bandi
Hall of Fame

Maybe API options need to be explored. What code is it running? 7.X has more features.

BB

FMC is 7.2.4, FP1140 is running 6.6.7

What are you trying to achieve with the control plane ACL?

I want to block IP ranges trying to brute force our VPN access. It's working as expected for the 50 entries, but there are still hundreds of ranges left which should be blocked on our site. In the meantime I've tried "shun" to block the IPs, which also works, but only for single IPs, not for subnets. This is all really disappointing: having an enterprise product and not being able to create a simple blocklist, copy and paste it to the CLI, and block them all.
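One way to shrink a long blocklist toward the 50-entry cap before it is pasted into the CLI, added here as an example and not taken from the thread: collapse overlapping and adjacent prefixes into the minimal equivalent set and render them as ACEs. The ASA-style `access-list ... extended deny ip <net> <mask> any` syntax, the ACL name `CP-ACL`, and the sample ranges (constructed from documentation prefixes) are assumptions, not values from the page.

```python
import ipaddress

# Constructed sample blocklist using RFC 5737 documentation prefixes.
# It deliberately contains overlapping and adjacent entries that can be merged.
SAMPLE_BLOCKLIST = """
203.0.113.0/25
203.0.113.128/25      # adjacent to the /25 above -> merges into one /24
198.51.100.0/24
198.51.100.64/26      # fully covered by the /24 above -> dropped
192.0.2.16/28
192.0.2.32/28         # adjacent but not aligned on a /27 boundary -> stays separate
"""

ACE_LIMIT = 50  # the per-ACL cap the thread runs into in FMC


def parse_blocklist(text):
    """Parse one CIDR or host address per line, ignoring blanks and '#' comments.
    strict=False tolerates host bits set in the prefix (e.g. 10.0.0.1/24)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets):
    """Merge overlapping and adjacent prefixes into the fewest covering networks.
    All entries must be the same IP version (collapse_addresses raises otherwise)."""
    return list(ipaddress.collapse_addresses(nets))


def to_ace_lines(nets, acl_name="CP-ACL"):
    """Render assumed ASA-style extended ACEs that deny the collapsed ranges."""
    return [f"access-list {acl_name} extended deny ip "
            f"{n.network_address} {n.netmask} any" for n in nets]


def summarize(text, limit=ACE_LIMIT):
    """Return input count, resulting ACE count, whether it fits the cap, and the lines."""
    nets = parse_blocklist(text)
    merged = collapse(nets)
    return {"input": len(nets), "aces": len(merged),
            "fits": len(merged) <= limit, "lines": to_ace_lines(merged)}


if __name__ == "__main__":
    result = summarize(SAMPLE_BLOCKLIST)
    print(f"{result['input']} entries -> {result['aces']} ACEs (fits cap: {result['fits']})")
    print("\n".join(result["lines"]))
```

If the collapsed set still exceeds the cap, the report makes the gap visible so the remaining ranges can be handled by another control (such as the threat-detection shunning suggested later in the thread) instead of silently being dropped.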

@oetti if the control plane ACL is limited to 50 ACEs, then consider configuring threat detection, which automatically shuns hosts that exceed the configured thresholds, to prevent further attempts.

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html

Note, this is not supported on all versions at present.

Sounds good, I'll try to get this up and running next. IMO the 50-entry restriction comes from the FMC, not the ACL itself. Not sure, just guessing.

How about configuring the RAVPN with certificate authentication or MFA? Using certificates will avoid the username and password prompt, and using MFA will ensure that only authorized users will be connected.

Marvin Rhoads
Hall of Fame

FYI version 7.7 will be released in early 2025 and will include the ability to block access using Geolocation in a service policy. Manually excluding IPs one-by-one in an ACL will be a never-ending task since the perpetrators are not using their own machines but rather whatever botnet hosts they have rented for the day.