Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
917
Views
0
Helpful
3
Replies

Cisco FTD&FMC: restrict access for some external IP addresses to RA VPN

Go to solution
mofnoc
Beginner
Beginner

‎05-20-2021 06:52 AM

Hello!

How can I restrict access for some external IP addresses or may be gelocation to RA VPN address on FTD?

I have FTD controlled by FMC version 6.6.1. Prefilter and access control policy didn't affected.

Thanks.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP Master VIP Master
VIP Master

‎05-20-2021 06:59 AM

@mofnoc 

Pre-filter and ACP control traffic "through" the FTD, not for connections "to" the FTD, such as RAVPN.

 

So you cannot use Geolocation to control access to the FTD. You'd have to purchase another FTD and in place in front of your RAVPN FTD's, then the traffic would be going through the FTD and you can then use an ACP with geolocation.

 

Alternatively you could filter by IP address either on the upstream router or use flexconfig to apply a control plane ACL.

View solution in original post

0 Helpful

Go to solution
rschlayer
Enthusiast
Enthusiast

‎06-01-2021 01:47 AM

Starting with Firepower (and FMC) 7.0 you could use Dynamic Access Policies to block known IP addresses from trying to VPN to your network. GEO blocking is sadly not possible.
See this enhancement here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs65322/

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Rob Ingram
VIP Master VIP Master
VIP Master

‎05-20-2021 06:59 AM

@mofnoc 

Pre-filter and ACP control traffic "through" the FTD, not for connections "to" the FTD, such as RAVPN.

 

So you cannot use Geolocation to control access to the FTD. You'd have to purchase another FTD and in place in front of your RAVPN FTD's, then the traffic would be going through the FTD and you can then use an ACP with geolocation.

 

Alternatively you could filter by IP address either on the upstream router or use flexconfig to apply a control plane ACL.

0 Helpful

Go to solution
rschlayer
Enthusiast
Enthusiast

‎06-01-2021 01:47 AM

Starting with Firepower (and FMC) 7.0 you could use Dynamic Access Policies to block known IP addresses from trying to VPN to your network. GEO blocking is sadly not possible.
See this enhancement here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs65322/

0 Helpful

Go to solution
Jack G
Beginner
Beginner
In response to rschlayer

‎01-30-2023 02:55 PM

Are you sure it requires 7.0? Unless something changed, looks like it's just an ACL and Flexconfig per your link..?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents