05-20-2024 02:22 PM
Hi All,
In our current environment, S2S VPN is running on 7.2.5 with two interfaces, outside and inside. Now we want to enable RAVPN on the same FTD instance and want to use the same public IP for RAVPN and S2S VPN.
Need your expert opinion: is there any problem using the same FTD for both VPNs?
Will use ISE as AAA with SAML-based authentication, and posture with ISE for certificate and Windows Defender.
Any suggestions much appreciated.
Thanks
Deb
05-20-2024 02:33 PM
Need your expert opinion: is there any problem using the same FTD for both VPNs?
There is no issue in using the same FTD for both RA VPN and S2S VPN. In fact, it is a very common scenario. However, if you have a server using HTTPS and traffic from the internet is being NATed to it using the outside interface IP, you will need to configure a different port for RA VPN.
05-20-2024 09:08 PM
There is no issue at all.
IPsec uses UDP ports 500/4500.
SSL uses TCP 443.
And that makes it simple for the FTD to differentiate between the two VPNs.
MHM
06-16-2024 01:24 AM
Hi all,
Thanks for all your advice.
However, we are now exploring the use of an RA VPN instance which will be put behind another firewall.
Flow: External user -> Perimeter firewall FTD -> RA VPN firewall FTD
AAA: Cisco ISE, mostly authentication with certificate + OTP.
Now our main concern is how to protect against brute force attacks. We want to stop brute force attacks at the perimeter firewall.
We have an IPS policy on the perimeter firewall.
My query: is the IPS policy enough to stop brute force attacks? Or do we need something more, like enabling a WAF layer before packets enter the RA VPN?
I don't want to send the packets to ISE and stop after 3 incorrect access attempts or the like; basically I don't want to busy ISE handling these requests. My objective is that the firewall should stop the brute force attack before sending packets to ISE.
It might be possible that an attacker can run a script without Cisco Secure Client; in that case OTP and certificate-based authentication may not help us.
Need your advice to protect the RA VPN from brute force attacks; based on that we will finalize the design and device.
Advice/suggestions much appreciated.
Regards
Debabrata
06-17-2024 06:00 AM
I am not entirely clear on where you are trying to stop the brute force attack. Is it on connecting to the RAVPN or brute force access to the firewall?
If you mean brute force against the RAVPN, the unfortunate fact of the matter is that there is no way of preventing users from sending authentication. What you can do, though, is limit the number of authentication attempts, enable two-factor authentication, and monitor login attempts.
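The "monitor login attempts" part of the advice above can be done offline against the RA VPN headend's syslog export. The following is an added example written for this thread, not code from any poster or from Cisco: it parses AAA rejection messages in the shape of the ASA/FTD %ASA-6-113005 "AAA user authentication Rejected" syslog (the message format is assumed; hosts, users, addresses and reasons in the sample are constructed) and applies a sliding-window threshold per source IP, so that many failures across different usernames from one address in a few minutes are flagged while a user who mistypes a password twice is not. The threshold (5) and window (5 minutes) are assumptions to tune, and syslog timestamps carry no year, so one is supplied.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog for this example. The message shape is assumed to
# follow the ASA/FTD %ASA-6-113005 "AAA user authentication Rejected" format;
# hostnames, users, addresses and reason strings are made up.
SAMPLE_LOGS = """\
Jun 17 05:00:10 ftd-ravpn %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = root : user IP = 203.0.113.7
Jun 17 06:00:01 ftd-ravpn %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.7
Jun 17 06:00:05 ftd-ravpn %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.20
Jun 17 06:00:12 ftd-ravpn %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.7
Jun 17 06:00:20 ftd-ravpn %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.20
Jun 17 06:00:25 ftd-ravpn %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jsmith
Jun 17 06:00:33 ftd-ravpn %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 203.0.113.7
Jun 17 06:00:41 ftd-ravpn %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/51234 (203.0.113.7/51234) to identity:192.0.2.1/443 (192.0.2.1/443)
Jun 17 06:00:44 ftd-ravpn %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 203.0.113.7
Jun 17 06:00:55 ftd-ravpn %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = eve : user IP = 203.0.113.7
Jun 17 06:01:06 ftd-ravpn %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = frank : user IP = 203.0.113.7
"""

# Only the rejection message is matched; successful logins, connection
# builds and anything else fall through and are ignored.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-6-113005: AAA user authentication Rejected : reason = (?P<reason>.+?) "
    r": server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)\s*$"
)


def parse_rejects(lines, year=2024):
    """Yield (timestamp, source_ip, username) for each AAA rejection line.

    Syslog timestamps have no year, so the caller supplies one (assumed)."""
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_brute_force(lines, threshold=5, window=timedelta(minutes=5), year=2024):
    """Sliding-window count of AAA rejections per source IP.

    Returns {ip: {"count": failures inside one window, "users": sorted usernames
    tried in that window}} for every IP that reached `threshold` failures within
    `window`. Lines are assumed to be in chronological order, as a syslog file is."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) still inside the window
    offenders = {}
    for ts, ip, user in parse_rejects(lines, year):
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # evict failures older than the window
            q.popleft()
        if len(q) >= threshold:
            prev = offenders.get(ip, {"count": 0})
            if len(q) >= prev["count"]:  # keep the worst window seen for this IP
                offenders[ip] = {"count": len(q), "users": sorted({u for _, u in q})}
    return offenders


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOGS.splitlines()).items():
        print(f"{ip}: {info['count']} rejections in window; users tried: {', '.join(info['users'])}")
```

In the sample, 203.0.113.7 is reported with six rejections across six usernames, while its lone failure an hour earlier is evicted by the window and 198.51.100.20 (two typos, then success) is not reported. The flagged addresses are what you would push into a block list on the perimeter firewall, which is where the original poster wanted the attempts stopped. The caveat is that a per-IP threshold is defeated by an attacker rotating source addresses, so the same window logic is worth running keyed on username as well, and the real signal for the certificate + MFA design is failures that never present a client certificate at all.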
06-23-2024 02:55 PM
Hi Marius,
My query was about brute force against the RAVPN; I understood your recommendation. We are trying to make an internal certificate mandatory for posture checking, and MFA will be domain credential + MS MFA.
Which one will be good? AAA is Cisco ISE.
Option 1: Posture checking with internal CA certificate, and authentication through ISE with "Domain Credential + MS MFA".
Option 2: Authentication with client certificate + domain credential + MS MFA through ISE.
Please advise which one would be most secure.
Thanks