Showing results for 
Search instead for 
Did you mean: 

How to protect VPN Ports in FTD

Level 1
Level 1


I have an 2130 FTD, with AnyConnect configured.


The problem now is that, I can't protect the vpn ports with access control. I have a rule, but never hit any rule, and never show the hit of that rule


Phase: 3
Result: ALLOW
Implicit Rule
Additional Information:


I have read . This:

But. I don't know how to apply this to work?


Anyone, know the procedure to protect the vpn connections through FMC ?


The software version is


5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

Access list entries in your Access control Policy are for traffic THROUGH the device - not TO the device.

A special type of ACL called "control plane ACL" is for traffic TO the device. Those can only be created via Flexconfig as the GUI doesn't support them.

I haven't tested it myself but I don't believe a control-plane ACL allows you to add in Geolocation. The Geolocation option doesn't really translate into a LINA ACL which is what you'd have to configure in Flexconfig. But if you only want to block/allow by IP address you should be able to do that.

As noted in the bugID mentioned in the discussion you cited, control plane ACLs on FTD aren't working correctly until 9.12.3 or 9.13.1 (equivalent to FTD 6.4 or 6.5).

FYI an ACL entry with Gelocation looks like this one, denying traffic from outside to inside where source Geo is Antarctica:

# Start of AC rule.
268444672 deny 2 any  any 1 any  any any any (srcgeo 10, 260, 74)
# End rule 268444672

(taken from ngfw.rules file on an FTD appliance)

Excelent informatio, but how can i write a control-plane ACL in fmc. Is like this rule?
268444672 deny 2 any any 1 any any any any (srcgeo 10, 260, 74)
what mean that rule what belongs every any.

As I said earlier, "I don't believe a control-plane ACL allows you to add in Geolocation"

The syntax I shared is how the FTD GUI-based ACLs appear in the object store seen from the cli. All field (zones, ports etc.) are represented. If they are not selected in the GUI, they will show up as "any" in the object store.

Level 1
Level 1

Does Security Intelligence operate on traffic 'to the device'?

Ie if I have a src Ip address trying to guess username/password on the Anyconnect ip, can I expect putting the src ip in the blacklist to stop it?


No it does not.

Review Cisco Networking for a $25 gift card