12-18-2018 05:10 AM - edited 03-12-2019 04:17 AM
Hello, everyone. We have implemented AnyConnect RA VPN on an FTD device. However, now I want to restrict which source global IP addresses I can connect from. I know in ASA it can be done by a control-plane ACL, but in FTD I do not see any place to configure it.
12-18-2018 12:36 PM
Hi,
Try to create a deny rule in the pre-filter policy with the source IP you would like to restrict.
HTH
Abheesh
12-19-2018 01:02 AM
No, it did not work as I expected, because ACP and Prefilter policies are for passthrough traffic. I needed an ACL for the control plane, which I implemented using FlexConfig. I denied only my phone's global IP into the FTD's VPN webpage and permitted any any. But this way no one could open that webpage.
12-20-2018 01:33 AM
As far as I know, control plane type ACL is not currently offered as a feature on FTD.
12-20-2018 09:28 PM
I see. I have also seen that the access-group command is not supported by Flex, so that means I would not be able to apply an access-list to-the-box. It is disappointing. I think I have to change my NGFW to another vendor.
12-21-2018 12:07 AM
Even on ASAs, that's a very uncommonly used feature. I have worked on hundreds of customer ASAs and never seen it used.
What's your use case (business requirement) making it critical for you?
01-16-2019 11:54 PM
The director of the security department requires it from me so that only IP addresses from my country can connect to our RA VPN. Actually, I have opened a TAC case. We have worked together with an engineer and deployed a control-plane ACL by Flex, but with no result. This issue is already a bug case and is waiting for a response from developers on whether it is a bug or whether control-plane ACL is not yet supported on FTD.
01-17-2019 04:09 AM - edited 01-17-2019 04:10 AM
Hi Orkhan,
Please share the details once you get an update from TAC, as I am also in a very similar situation now: one of my customers requires the exact same thing. They want to allow RA-VPN to be accessed only from some specific country IPs.
Thanks,
Abheesh
01-17-2019 11:49 PM - edited 01-17-2019 11:50 PM
Hello Abheesh,
You can check the case status via this link: CSCvn78593. TAC advised me not to expect quick action on this problem. Whether this is a bug or simply not supported in FTD, it may take a really long time to be added. My advice to you is to put another ASA for only RA VPN behind the FTD devices and cut traffic with a basic ACL or Prefilter. Thanks in advance!
01-18-2019 02:21 AM
01-18-2019 03:29 AM
If you put your RA-dedicated ASA inside of the FTD device, then you can use geoblocking in your ACP rule.
11-03-2022 11:51 AM
So I walk to the manager's office and ask him for 2 pairs of FTD: the first FTD pair to geo-block and the second FTD pair for RA-VPN? You know that is a waste of money and power, and also more effort to maintain and troubleshoot when there is an issue.
05-17-2019 07:23 AM
It seems to be fixed now, since 6.2.3.12 and later, and for 6.3 since 6.3.0.3.
I was also waiting for this.
05-29-2020 08:48 AM - edited 05-29-2020 09:09 AM
Is it fixed in version 6.6?
05-29-2020 11:14 AM
Yes, if it was already fixed in later releases of 6.2 and 6.3, then I suppose it will also work with 6.6 with FlexConfig.
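For reference, the kind of to-the-box ACL the thread is about, written as an added example rather than any poster's or Cisco's own configuration. On ASA this is entered directly; on FTD it would be pushed through a FlexConfig object, which per the thread needs 6.2.3.12 / 6.3.0.3 or later. The interface name "outside", the object and ACL names, and the 203.0.113.0/24 range are assumptions standing in for the permitted country ranges.

```text
! Added example: allow the RA VPN portal only from approved source ranges.
! "outside", the names and 203.0.113.0/24 are assumptions, not from the thread.
object-group network RAVPN-ALLOWED-SOURCES
 network-object 203.0.113.0 255.255.255.0
! AnyConnect SSL and DTLS both use 443 toward the box
access-list RAVPN-CP extended permit tcp object-group RAVPN-ALLOWED-SOURCES any eq 443
access-list RAVPN-CP extended permit udp object-group RAVPN-ALLOWED-SOURCES any eq 443
! Log everything else that tries to reach the box on this interface
access-list RAVPN-CP extended deny ip any any log
! "control-plane" makes the ACL apply to traffic destined to the device itself,
! not to traffic passing through it
access-group RAVPN-CP in interface outside control-plane
```

A control-plane ACL applies to all traffic addressed to the device on that interface, so anything else that must reach the box there (IKE on UDP 500/4500 for IPsec remote access, any management access) needs its own permit line before the final deny, or it is cut off together with the unwanted portal access.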