S2S VPN and RA VPN

Debabrata Majhi
Level 1

Hi All,

In our current environment, S2S VPN is running on 7.2.5 with two interfaces, outside and inside. Now we want to enable RA VPN on the same FTD instance and use the same public IP for RA VPN and S2S VPN.

Need your expert opinion: is there any problem using the same FTD for both VPNs?

We will use ISE as AAA with SAML-based authentication, and posture with ISE for certificate and Windows Defender.

Any suggestions much appreciated.

Thanks

Deb

5 Replies

Need your expert opinion: is there any problem using the same FTD for both VPNs?

There is no issue in using the same FTD for both RA VPN and S2S VPN. In fact, it is a very common scenario. However, if you have a server using HTTPS and traffic from the internet is being NATed to it using the outside interface IP, you will need to configure a different port for RA VPN.

--
Please remember to select a correct answer and rate helpful posts

There is no issue at all.

IPsec uses UDP ports 500/4500.

SSL uses TCP 443.

And that makes it simple for the FTD to differentiate between the two VPNs.

MHM
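
The port-based separation MHM describes, together with the TCP/443 collision with a NATed HTTPS server mentioned in the first reply, modelled as an added example. This is illustrative code written for this page, not Cisco or FTD code. The Flow class, the classify and nat_conflicts functions and the sample flows are assumptions made for the example; the UDP/4500 handling follows RFC 3948, where IKE carried inside UDP/4500 is prefixed with four zero bytes (the non-ESP marker), ESP-in-UDP starts with its non-zero SPI, and a single 0xFF byte is a NAT keepalive.

```python
"""Added example (not Cisco/FTD code): how one public IP on an edge firewall
is shared between an S2S IPsec tunnel and an SSL/DTLS RA VPN, plus a check
for a static NAT on TCP/443 that would collide with the RA VPN listener."""
from dataclasses import dataclass

# RFC 3948 UDP encapsulation on port 4500: IKE packets start with four zero
# bytes, ESP packets start with a non-zero SPI, a lone 0xFF is a keepalive.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp" or "udp"
    dst_port: int         # destination port on the outside interface IP
    payload: bytes = b""  # leading bytes of the transport payload, if known


def classify(flow: Flow, ssl_vpn_port: int = 443) -> str:
    """Name the VPN service a flow arriving on the outside IP belongs to."""
    if flow.proto == "udp" and flow.dst_port == 500:
        return "ike"                  # IKE without NAT traversal
    if flow.proto == "udp" and flow.dst_port == 4500:
        if flow.payload == NAT_KEEPALIVE:
            return "natt-keepalive"
        if flow.payload[:4] == NON_ESP_MARKER:
            return "ike-natt"         # IKE encapsulated in UDP/4500
        if len(flow.payload) >= 8:
            return "esp-udp"          # ESP-in-UDP: SPI (non-zero) + sequence number
        return "unknown"
    if flow.proto == "tcp" and flow.dst_port == ssl_vpn_port:
        return "ssl-vpn"              # Secure Client TLS channel
    if flow.proto == "udp" and flow.dst_port == ssl_vpn_port:
        return "dtls-vpn"             # Secure Client DTLS data channel
    return "other"                    # falls through to NAT rules / ACLs


def listener_ports(ssl_vpn_port: int = 443) -> set:
    """(proto, port) pairs the outside IP must keep free for both VPNs."""
    return {("udp", 500), ("udp", 4500),
            ("tcp", ssl_vpn_port), ("udp", ssl_vpn_port)}


def nat_conflicts(static_nat_rules, ssl_vpn_port: int = 443) -> list:
    """Return the (proto, outside_port) static port forwards on the outside
    IP that collide with a VPN listener.  Hypothetical rule format for the
    example: a list of (proto, outside_port) tuples."""
    return sorted(set(static_nat_rules) & listener_ports(ssl_vpn_port))


if __name__ == "__main__":
    # Constructed sample flows hitting the shared outside IP.
    samples = [
        Flow("udp", 500, b"\x01" * 28),
        Flow("udp", 4500, NON_ESP_MARKER + b"\x01" * 28),
        Flow("udp", 4500, b"\x12\x34\x56\x78\x00\x00\x00\x01"),
        Flow("tcp", 443),
        Flow("udp", 443),
    ]
    for f in samples:
        print(f.proto, f.dst_port, "->", classify(f))
    # A web server published on TCP/443 of the outside IP shares the port
    # with the SSL VPN listener; moving the RA VPN to 8443 clears it.
    print(nat_conflicts([("tcp", 443), ("tcp", 25)]))                   # [('tcp', 443)]
    print(nat_conflicts([("tcp", 443), ("tcp", 25)], ssl_vpn_port=8443))  # []
```

The last two calls are the first reply's caveat in code: with a static NAT publishing a web server on the outside IP's TCP/443, the port forward and the SSL VPN listener want the same socket, so one of them has to move. Once the RA VPN is on 8443, a flow to TCP/443 is classified as "other" and reaches the NATed server instead.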

Debabrata Majhi
Level 1

Hi all,

Thanks for all your advice.

However, we are now exploring the use of a separate RA VPN instance, which will be put behind another firewall.

Flow: External user -> Perimeter firewall (FTD) -> RA VPN firewall (FTD)

AAA: Cisco ISE, mostly certificate + OTP authentication.

Now our main concern is how to protect against brute force attacks. We want to stop brute force attacks at the perimeter firewall.

We have an IPS policy on the perimeter firewall.

My query: is an IPS policy enough to stop brute force attacks, or do we need something more, like enabling a WAF layer before packets enter the RA VPN?

I don't want to send the packets to ISE and stop after 3 incorrect access attempts or the like. Basically, I don't want to keep ISE busy handling these requests. My objective is that the firewall should stop the brute force attack before sending packets to ISE.

As it might be possible that an attacker runs a script without Cisco Secure Client, in that case OTP and certificate-based authentication may not help us.

Need your advice on protecting the RA VPN from brute force attacks. Based on that, we will finalize the design and device.

Advice/suggestions much appreciated.

Regards

Debabrata

I am not entirely clear on where you are trying to stop the brute force attack. Is it on connecting to the RA VPN, or brute force access to the firewall?

If you mean brute force against the RA VPN, the unfortunate fact of the matter is that there is no way of preventing users from sending authentication attempts. What you can do, though, is limit the number of authentication attempts, enable two-factor authentication, and monitor login attempts.

--
Please remember to select a correct answer and rate helpful posts
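
Marius's third point, monitoring login attempts, as an added example written for this page (not Cisco, FTD or ISE code): a small detector run over constructed FTD syslog lines that flags a source address brute-forcing or password-spraying the RA VPN, so the address can be blocked at the perimeter before more requests reach ISE. The sample lines follow the layout of ASA/FTD message 113005, "AAA user authentication Rejected", but the exact field order, hostnames, addresses, thresholds and the parse_line/detect_bruteforce names are assumptions for the example; adjust LINE_RE to what your logging actually emits.

```python
"""Added example (not Cisco/FTD/ISE code): count RA VPN authentication
failures per source address in a sliding window and raise an alert when a
source crosses a threshold, flagging one-attempt-per-user sprays too."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines.  Layout follows ASA/FTD message 113005 (rejected)
# and 113004 (successful); the exact field order is an assumption here.
SAMPLE_LOG = """\
Jun 01 2024 10:00:01 ftd1 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = alice : user IP = 203.0.113.7
Jun 01 2024 10:00:09 ftd1 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = alice : user IP = 198.51.100.9
Jun 01 2024 10:00:12 ftd1 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = bob : user IP = 203.0.113.7
Jun 01 2024 10:00:20 ftd1 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = carol : user IP = 203.0.113.7
Jun 01 2024 10:00:27 ftd1 %FTD-6-113004: AAA user authentication Successful : server = 10.10.0.5 : user = alice
Jun 01 2024 10:00:31 ftd1 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = dave : user IP = 203.0.113.7
Jun 01 2024 10:00:38 ftd1 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = erin : user IP = 203.0.113.7
Jun 01 2024 10:00:44 ftd1 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = frank : user IP = 203.0.113.7
Jun 01 2024 10:05:00 ftd1 %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = bob : user IP = 192.0.2.50
"""

# Only rejected-authentication lines are of interest; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %(?:ASA|FTD)-\d-113005: "
    r"AAA user authentication Rejected : reason = (?P<reason>[^:]+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, user, source_ip) for a rejected-auth line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window_s=60, spray_users=3):
    """Alert once per source IP the first time it reaches `threshold`
    failures within `window_s` seconds.  The alert is marked as a password
    spray when the window covers at least `spray_users` distinct user names,
    the pattern a per-user lockout never triggers on."""
    recent = defaultdict(deque)   # source ip -> deque of (timestamp, user)
    alerts, alerted = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # success message or unrelated syslog line
        ts, user, ip = parsed
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and ip not in alerted:
            users = {u for _, u in q}
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "failures": len(q),
                "distinct_users": len(users),
                "spray": len(users) >= spray_users,
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)   # one alert: 203.0.113.7, 5 failures, 5 users, spray
```

The result is the list of source addresses that crossed the threshold; handing those to a block list or dynamic object on the perimeter firewall is what stops the traffic before it reaches ISE. The count is keyed on the source address rather than the user name because a script that tries each account once (the spray flag above) stays below any per-user limit while still generating a steady stream of AAA requests.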

Hi Marius,

My query was about brute force against the RA VPN; I understood your recommendation. We are trying to make an internal certificate a mandatory posture check, and MFA will be domain credentials + MS MFA.

Which one will be good? AAA is Cisco ISE.

Option 1: Posture checking with an internal CA certificate, and authentication through ISE with "domain credentials + MS MFA".

Option 2: Authentication with a client certificate + domain credentials + MS MFA through ISE.

Please advise which one would be most secure.

Thanks