Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5331
Views
5
Helpful
7
Replies

How to disable remote access traffic?

majid3612
Level 1
Level 1

‎10-23-2020 10:30 AM

I am going to disable remote access traffic across my network except my whitelist. I am using Cisco Firepower as well as Cisco ASA in my network perimeter. How and where should I put my rule/policy to enable this capability?

0 Helpful
7 Replies 7

balaji.bandi
Hall of Fame
Hall of Fame

‎10-23-2020 10:55 AM

Can you elaborate more with an example and post what configuration you have, and give some external IP you like to block and allow.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

majid3612
Level 1
Level 1
In response to balaji.bandi

‎10-23-2020 02:05 PM

For example, I want to permit remote traffic by RDP and Teamviewer but not other tools (Anydesk, VNC, etc.). Also, any backdoor which establish a remote connection between internal and external networks.

As mentioned, we have deployed ASA, Firepower, Umbrella and Meraki.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to majid3612

‎10-24-2020 09:12 PM

You should use the policy in the Firepower service module to block the applications via an application level policy. Two rules will be needed:

1. First allow RDP and TeamViewer

2. Second block all other applications in the "Remote Desktop Control" category.

It should look something like this:

Example PolicyExample Policy

majid3612
Level 1
Level 1
In response to Marvin Rhoads

‎10-26-2020 09:04 AM - edited ‎10-26-2020 09:20 AM

Thanks Marvin for your great solution. I did so but it does not take effect! Users can still use Anydesk, for example. I saved the rules as well.

firepower.png

 

Preview file
187 KB
0 Helpful

Aref Alsouqi
VIP
VIP
In response to majid3612

‎10-26-2020 10:58 AM

Also, please note that the block might not happen straightaway, the Firepower might allow some packets to pass through before it can learn the application and apply the policy accordingly.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-26-2020 10:30 AM

It could be that those apps are using SSL and if FTD isn't decrypting it might not recognize the inner contents of the encrypted session as the app. In that case you might need to fall back on something like URL filter (if you have that licensed) or DNS security (e.g. via Umbrella) to prevent the clients from ever even resolving the address of the service to connect.

0 Helpful

majid3612
Level 1
Level 1
In response to Marvin Rhoads

‎10-27-2020 09:59 AM

Could you please be more specific about how to do so through URL filtering as well as DNS Security (Umbrella)? I looked at the both but not sure if that's exactly what I want. For example, you can block specific apps or URLs whereas I want to block a category of apps (remote access tools) which is not in their list.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card