05-16-2024 11:45 AM
Hello All,
We've recently moved to a new VPN provider and we're at a point now where we are comfortable with this new service and can now disable VPN on the Firewall.
We have an FMC managing one FTD providing the VPN access.
On our ASA in another location we just disabled SSL Access and IPsec Access on the Access Interfaces. In the FMC I see a similar option to do this as well. See screenshot below.
If I uncheck both of these, click OK, and then deploy to the FTD, would that prevent anyone from attempting to connect to VPN on this box?
To me, it just seems like this would be the easiest way to disable, in a way that we could re-enable it if there was some sort of emergency and needed VPN access back through here?
Thanks,
Matt
05-16-2024 12:08 PM
@Matthew Martin Normally I'd suggest deleting the connection profile, but seeing as you wish to keep RAVPN configured as an emergency, then your suggestion seems fine and would disable SSL/IPSec.
05-16-2024 11:47 AM
What FMC version do you use?
MHM
05-16-2024 12:14 PM
We are running 7.2.7 on both FMC and FTD.
-Matt
05-16-2024 12:15 PM
Thanks Rob. Ok great, thanks for confirming.
-Matt
05-16-2024 12:19 PM
Hmm.... I just unchecked both boxes and tried clicking Ok. When I click ok on the screenshot I provided, nothing happens. If both protocols are unchecked I get that red exclamation symbol next to "Protocol".
Maybe I need to click the Delete button next to the edit button on the Access Interfaces to do what I'm trying to do?
-Matt
05-16-2024 12:22 PM
That's why I asked before.
You disable SSL or IPsec VPN on the access interface from the VPN profile.
Remove all profiles or disable them, and that will automatically disable SSL and IPsec VPN.
MHM
05-16-2024 12:50 PM
How do I disable a Connection Profile?
I remember on ASA, if I wanted a Connection Profile to not show up as an option when logging in, I would just remove the Alias. Is that the same thing here?
05-16-2024 12:52 PM
Actually, I think I might have found what you were talking about... Is this it, in the Group Policy?
05-16-2024 12:23 PM - edited 05-17-2024 02:20 AM
@Matthew Martin I checked my lab, you could unassign the FTD from the Remote Access Policy Assignment.
It looks like you cannot just remove SSL and IPSec from the Group Policy, you must select at least one protocol.
If you are using a custom connection profile, you can disable the alias as below.
You could also try changing the access interface from the outside interface to another interface, thus disabling the VPN on the outside interface. You cannot remove all access interfaces, it won't allow you to push policy.
05-22-2024 11:30 AM
Sorry for the delay. Got pulled onto another project temporarily that I was working on the last few days.
So for each of the GPs I was able to uncheck both protocols. If I click into each GP now they show:
Also, I went into Advanced and then disabled the aliases for each Connection Profile as well.
With all these settings disabled, is there any way someone would be able to get into VPN at this point?
Also, forgot to mention. Under Crypto Map for the outside_ig, I disabled the "Enable Client Services" option to disable access in a browser...
-Matt
05-22-2024 11:47 AM
@Matthew Martin use nmap and run it against your public IP address to get confirmation.
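Besides an external port scan, a second confirmation is to read the deployed configuration on the FTD itself (`show running-config` from the FTD CLI) and check that nothing still enables remote access. The script below is an added example, not from this thread or from Cisco: it parses the three pieces of ASA/FTD syntax that the settings discussed above map to (`enable <interface>` under `webvpn` for SSL access, `crypto ikev2 enable <interface> client-services` for IPsec access with client services, and `group-alias <name> enable` under a tunnel-group's `webvpn-attributes` for a visible alias) and reports what is still turned on. The embedded config excerpt is constructed for the example; interface and profile names in it are made up.

```python
import re

# Constructed sample of a "show running-config" excerpt from an FTD, as it
# would look BEFORE remote access is disabled. Names are invented.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
tunnel-group RA_PROFILE type remote-access
tunnel-group RA_PROFILE webvpn-attributes
 group-alias RA_USERS enable
tunnel-group EMERGENCY type remote-access
tunnel-group EMERGENCY webvpn-attributes
 group-alias EMERGENCY disable
"""


def audit_ravpn(config_text):
    """Return which interfaces/aliases still enable remote-access VPN.

    ASA/FTD config nests sub-commands with a single leading space, so a
    line with no indentation starts a new top-level section.
    """
    result = {
        "ssl": [],                    # interfaces with SSL (webvpn) access
        "ikev2": [],                  # interfaces with IKEv2 remote access
        "ikev2_client_services": [],  # ...that also offer client services
        "aliases": [],                # (tunnel-group, alias) still enabled
    }
    section = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            section = None
            if line == "webvpn":
                section = "webvpn"
                continue
            m = re.match(r"tunnel-group (\S+) webvpn-attributes$", line)
            if m:
                section = ("tunnel-group", m.group(1))
                continue
            m = re.match(
                r"crypto ikev2 enable (\S+)(?: client-services(?: port (\d+))?)?$",
                line,
            )
            if m:
                result["ikev2"].append(m.group(1))
                if "client-services" in line:
                    result["ikev2_client_services"].append(m.group(1))
            continue
        cmd = line.strip()
        if section == "webvpn":
            m = re.match(r"enable (\S+)$", cmd)
            if m:
                result["ssl"].append(m.group(1))
        elif isinstance(section, tuple) and section[0] == "tunnel-group":
            m = re.match(r"group-alias (\S+) enable$", cmd)
            if m:
                result["aliases"].append((section[1], m.group(1)))
    return result


def ravpn_still_reachable(audit):
    """True if any interface still accepts SSL or IKEv2 remote access.

    Disabled aliases only hide a profile from the client menu; the
    interface-level enable lines are what actually open the service.
    """
    return bool(audit["ssl"] or audit["ikev2"])


if __name__ == "__main__":
    report = audit_ravpn(SAMPLE_CONFIG)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("RAVPN still reachable:", ravpn_still_reachable(report))
```

Run it against the saved output of `show running-config` after the deploy; an empty `ssl` and `ikev2` list is the result you want. An alias that is merely disabled still shows up as a warning sign that the profile exists for re-enablement, which is the emergency posture described above.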
12-11-2024 07:48 AM
Trailing a bit - but wouldn't it be easier to change the Policy assignment and remove it from the active devices?