cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12909
Views
56
Helpful
29
Replies

FTD Remote Access VPN Restriction

Hello, everyone. We have implemented Anyconnect RA VPN on FTD device. However now i want to restrict from which source global IP Addresses i can connect to. I now in ASA it can be done by control-plane ACL but in FTD i do not see any place to configure it. 

29 Replies 29

Abheesh Kumar
VIP Alumni
VIP Alumni

Hi,

Try to create a deny rule in pre-filter policy with the source IP you would like to restrict.

 

HTH

Abheesh

No, It didnot work as i expected. Because ACP and Prefilter Policies are for passthrough traffic. I needed ACL for control plane that i implemented using flexconfig. I denied only my phones global IP into FTD`s vpn webpage and permitted any any. But this way noone could open that webpage

As far as I know, control plane type ACL is not currently offered as a feature on FTD.

I see. I have also seen that access-group command is not supported by Flex so that means i would not be able to apply access-list to-the-box. It is disappointing. I think i have to change my NGFW to another vendor.

Even on ASAs, that's a very uncommonly used feature. I have worked on hundreds of customer ASAs and never seen it used.

 

What's your use case (business requirement) making it critical for you?

The director of security department requires it from me so that only IP addresses from my country can connect to out RA VPN. Actually i have opened TAC case. We have worked together with an engineer, deployed control-plane ACL by Flex but with no result. This issue is already a bug case and waiting response from devolopers whether it is bug or control-plane acl is not yet supported on FTD

Hi Orkhan,
Please share the details once you get update from TAC. As i am also in a very similar situation now that one of my customer required the exact thing. They wan to allow only RA-VPN to be accessed from some specific country IP's.

Thanks,
Abheesh

Hello Abheesh, 

You can check the case status via this link: CSCvn78593. As TAC advised me not to wait a quick action for this problem. Whether this is bug or not supported in FTD, it may take really long time to be added. My advise to you put another ASA for only RA VPN behind FTD devices and cut traffic with basic ACL or Prefilter.  Thanks in advance!

Hi Orkhan,
Thank you for sharing the details.

If you put your RA-dedicated ASA inside on the FTD device then you can use Geoblocking in your ACP rule.

So I walk to the manager's office and asked him for 2 pairs of FTD. First FTD pair to Geo-Block and second FTD for RA-VPN? You know that is a waste of money and power and also more effort to maintain and troubleshoot when there is an issue. 

 

It seems to be fixed now... since 6.2.3.12 and later. And for the 6.3 since 6.3.0.3.

 

I was also waiting for this.

 

 

 

 

Is it fixed in version 6.6. ?

Yes if it was already fixed in later releases of 6.2 and 6.3 then I suppose it will also work with 6.6 with flexconfig.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: