Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2594
Views
5
Helpful
5
Replies

How to protect VPN Ports in FTD

GerCorUY
Level 1
Level 1

‎04-22-2020 08:24 AM

Hi,

I have an 2130 FTD, with AnyConnect configured.

 

The problem now is that, I can't protect the vpn ports with access control. I have a rule, but never hit any rule, and never show the hit of that rule

 

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

 

I have read . This: https://community.cisco.com/t5/network-security/possible-to-use-geo-location-to-block-access-to-remote-access/td-p/4041842

But. I don't know how to apply this to work?

 

Anyone, know the procedure to protect the vpn connections through FMC ?

 

The software version is 6.4.0.4

Thanks

1 person had this problem
0 Helpful
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-22-2020 08:59 AM

Access list entries in your Access control Policy are for traffic THROUGH the device - not TO the device.

A special type of ACL called "control plane ACL" is for traffic TO the device. Those can only be created via Flexconfig as the GUI doesn't support them.

I haven't tested it myself but I don't believe a control-plane ACL allows you to add in Geolocation. The Geolocation option doesn't really translate into a LINA ACL which is what you'd have to configure in Flexconfig. But if you only want to block/allow by IP address you should be able to do that.

As noted in the bugID mentioned in the discussion you cited, control plane ACLs on FTD aren't working correctly until 9.12.3 or 9.13.1 (equivalent to FTD 6.4 or 6.5).

FYI an ACL entry with Gelocation looks like this one, denying traffic from outside to inside where source Geo is Antarctica:

# Start of AC rule.
268444672 deny 2 any  any 1 any  any any any (srcgeo 10, 260, 74)
# End rule 268444672

(taken from ngfw.rules file on an FTD appliance)

GerCorUY
Level 1
Level 1
In response to Marvin Rhoads

‎04-22-2020 09:13 AM

Excelent informatio, but how can i write a control-plane ACL in fmc. Is like this rule?
268444672 deny 2 any any 1 any any any any (srcgeo 10, 260, 74)
what mean that rule what belongs every any.
Thnks
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to GerCorUY

‎04-22-2020 07:40 PM

As I said earlier, "I don't believe a control-plane ACL allows you to add in Geolocation"

The syntax I shared is how the FTD GUI-based ACLs appear in the object store seen from the cli. All field (zones, ports etc.) are represented. If they are not selected in the GUI, they will show up as "any" in the object store.

0 Helpful

evan.chadwick1
Level 1
Level 1

‎05-20-2021 06:01 PM

Does Security Intelligence operate on traffic 'to the device'?

Ie if I have a src Ip address trying to guess username/password on the Anyconnect ip, can I expect putting the src ip in the blacklist to stop it?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to evan.chadwick1

‎05-21-2021 08:37 AM

@evan.chadwick1 

No it does not.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card