Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1528
Views
10
Helpful
6
Replies

Need to block outbound VPN connection on FTD managed by FMC on 7.0.2

Go to solution
ABaker94985
Spotlight
Spotlight

‎10-26-2022 07:35 AM

Over the past month, we've found two vendors who are using VPN connections from their systems on our network that we were unaware of. I've been searching for a way to block unauthorized VPN connections - one is running on port 443/tdp and the other on 1194/udp. Can this be done, and if so, where is the configuration to do the blocking at? 

Thank you.

1 person had this problem
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-26-2022 09:12 AM - edited ‎10-26-2022 09:22 AM

In your Access Control Policy add a rule that blocks connections to the destination addresses observed to be in violation of your policy.

You can also add a Layer 7 rule to block the VPN application types (where such exist). URL policies can also used although private (vendor company) VPN servers are likely not included in the sites a URL policy can block. DNS policies can likewise be troublesome as they commonly use connections by IP addresses. Even with a working DNS policy, they can use DNS over HTTPS and you have limited or no visibility into those DNS queries as they are just another outbound tcp/443 connection.

Also have a conversation with the vendors to inform them of the issue.

View solution in original post

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to ABaker94985

‎10-26-2022 10:08 AM

the traffic is VPN if it end in your FTD, here in your case from my view it is encrypt traffic pass through FTD, 
sure you can use ACP which is better solution if you can not config FTD as proxy. 
the only thing that the encrypt traffic can not hide is IP scr & des use it to filter the traffic. 

View solution in original post

0 Helpful
6 Replies 6

Go to solution
MHM Cisco World
VIP
VIP

‎10-26-2022 07:42 AM

access anyconnect VPN, what auth you use for anyconnect vpn ?

0 Helpful

Go to solution
xgateway
Level 1
Level 1

‎10-26-2022 08:43 AM

Hi,

You can find out the peer IP of vendor and block connection from  peer IP to UDP 500 and 4500. 

0 Helpful

Go to solution
ABaker94985
Spotlight
Spotlight

‎10-26-2022 09:07 AM

My apologies, but my description was wholly inadequate. These are from systems that are managed by vendors and installed on our internal network and have installed OpenSSL installed. OpenSSL is making a connection on 1194/udp back to their network. We can block this port easy enough, but there are many VPN services that users can be using we're not aware of. We need to at least start auditing these connections and then block as needed. We have another vendor firewall where we can configure a DNS policy to block public VPN services, and there is also the ability to block by VPN types, such as AnyConnect. I can't find anything similar within the FMC.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-26-2022 09:12 AM - edited ‎10-26-2022 09:22 AM

In your Access Control Policy add a rule that blocks connections to the destination addresses observed to be in violation of your policy.

You can also add a Layer 7 rule to block the VPN application types (where such exist). URL policies can also used although private (vendor company) VPN servers are likely not included in the sites a URL policy can block. DNS policies can likewise be troublesome as they commonly use connections by IP addresses. Even with a working DNS policy, they can use DNS over HTTPS and you have limited or no visibility into those DNS queries as they are just another outbound tcp/443 connection.

Also have a conversation with the vendors to inform them of the issue.

0 Helpful

Go to solution
ABaker94985
Spotlight
Spotlight

‎10-26-2022 09:41 AM

Acknowledged that the ACP can be used, and I certainly understand that DNS policies can be bypassed through using IPs and DNS over HTTPS. We're in the process of enforcing all systems to use Umbrella, but that won't catch some of what we're discussing here. This is for a fairly large organization with many, many vendors, and what we've discovered up to now has been accidental more than anything else. I know for a fact that we don't have current POCs for some of the vendors to boot, but that's an internal issue.

Thanks for the input, and it appears we have a bit of a chore ahead of us on this.

Go to solution
MHM Cisco World
VIP
VIP
In response to ABaker94985

‎10-26-2022 10:08 AM

the traffic is VPN if it end in your FTD, here in your case from my view it is encrypt traffic pass through FTD, 
sure you can use ACP which is better solution if you can not config FTD as proxy. 
the only thing that the encrypt traffic can not hide is IP scr & des use it to filter the traffic. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card