cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
437
Views
6
Helpful
11
Replies

Disable All VPN Access on FTD

Matthew Martin
Level 5
Level 5

Hello All,

We've recently moved to a new VPN provider and we're at a point now where we are comfortable with this new service and can now disable VPN on the Firewall.

We have an FMC managing one FTD providing the VPN access.

On our ASA in another location we just disabled SSL Access and IPsec Access on the Access Interfaces. In the FMC I see a similar option to do this as well. See screenshot below.

If I uncheck both of these and click ok. After I deploy to the FTD, would that prevent anyone from attempting to connect to VPN on this box?

MatthewMartin_0-1715881722796.png

To me, it just seems like this would be the easiest way to disable, in a way that we could re-enable it if there was some sort of emergency and needed VPN access back through here?

Thanks,
Matt

1 Accepted Solution

Accepted Solutions

@Matthew Martin Normally I'd suggest deleting the connection profile, but seeing as you wish to keep RAVPN configured as an emergency, then your suggestion seems fine and would disable SSL/IPSec.

View solution in original post

11 Replies 11

What is FMC ver yoh use?

MHM

We are running 7.2.7 on both FMC and FTD.

-Matt

@Matthew Martin Normally I'd suggest deleting the connection profile, but seeing as you wish to keep RAVPN configured as an emergency, then your suggestion seems fine and would disable SSL/IPSec.

Thanks Rob. Ok great, thanks for confirming.

-Matt

Matthew Martin
Level 5
Level 5

Hmm.... I just unchecked both boxes and tried clicking Ok. When I click ok on the screenshot I provided, nothing happens. If both protocols are unchecked I get that red exclamation symbol next to "Protocol".

MatthewMartin_1-1715887164938.png

 

Maybe I need to click the Delete button next to the edit button on the Access Interfaces to do what I'm trying to do?

MatthewMartin_0-1715887123657.png

-Matt

That why I ask before, 

You disable access interface vpn ssl or ipsec from vpn profile, 

Remove all profile or disable it and that will automatically disable ssl abd ipsec vpn. 

MHM

How do I disable a Connection Profile?

I remember on ASA, if I wanted a Connection Profile to not show up as an option when logging in, I would just remove the Alias. Is that the same thing here?

Actually, I think I might have found what you were talking about... Is this it, in the Group Policy?

MatthewMartin_0-1715889137584.png

 

@Matthew Martin I checked my lab, you could unassign the FTD from the Remote Access Policy Assignment.RobIngram_1-1715937549375.png

It looks like you cannot just remove SSL and IPSec from the Group Policy, you must select at least one protocol.

If you are using a custom connection profile, you can disable the alias as below.

RobIngram_0-1715933528940.png

You could also try changing the access interface from the outside interface to another interface, thus disabling the VPN on the outside interface. You cannot remove all access interfaces, it won't allow you to push policy.

 

Sorry for the delay. Got pulled onto another project temporarily that I was working on the last few days.

So for each of the GPs I was able to uncheck both protocols. If I click into each GP now they show:

MatthewMartin_0-1716399584833.png

Also, I went into Advanced > then disabled the Alias' for each Connection Profile as well.

With all these settings disabled and such. Is there anyway someone would be able to get into VPN as this point?

Also, forgot to mention.Under Crypto Map for the outside_ig. I disabled the "Enable Client Services" option to disable access in a browser...

-Matt

@Matthew Martin use nmap and run it against your public IP address to get confirmation.