FTD Remote Access VPN Filtering

dm2020
Level 1

Hi All,

I'm currently deploying Cisco Secure Client Remote Access VPN on FTD and I'm trying to decide whether to use the Access Control Policy for filtering VPN traffic or to bypass the Access Control Policy (sysopt connection permit-vpn) and use a traditional ACL.

I was leaning towards the ACP as this will allow more granular filtering (user identity, IPs, etc.); however, I noticed the following security consideration within the AnyConnect Remote Access VPN on FTD Guide.

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

Security considerations
By default, the sysopt connection permit-vpn option is disabled. This means that you need to allow the traffic that comes from the pool of addresses on the outside interface via the Access Control Policy. Although the pre-filter or access-control rule is added to allow VPN traffic only, if clear-text traffic happens to match the rule criteria, it is erroneously permitted.

There are two approaches to this problem. The first, TAC-recommended option is to enable Anti-Spoofing (on ASA it was known as Unicast Reverse Path Forwarding, uRPF) on the outside interface; the second is to enable sysopt connection permit-vpn to bypass Snort inspection completely. The first option allows normal inspection of the traffic that goes to and from VPN users.

Based on the above, to allow traffic from RAVPN (which is on the outside network) to my internal servers, I would need to add a rule similar to the following, which allows any traffic from my RAVPN pool on the outside network to my inside servers. Is this a valid security concern, and can this be subject to spoofing? Has anyone else configured this before without any concerns or issues?

Source Zone: Outside
Source Network: RAVPN_Pool (192.168.1.0/24)
Destination Zone: Inside
Destination Network: Servers

4 Replies

No need for the ACP; you can use the traffic filter in the Advanced tab of the VPN profile.

MHM

@dm2020 defining rules in the Access Control Policy is the standard/recommended method to permit traffic over the VPN, as you mentioned you can then apply L7 filters or use user authentication in the rules (if required).

The sysopt connection permit-vpn command is a global command, meaning if you enable/disable it for RAVPN it will be enabled/disabled for other VPNs.

Thanks Rob,

I suppose what I'm trying to work out is the risk of using the ACP, as we have to configure outside-to-inside rules, although with the private RAVPN pool specified as the source network as opposed to a public address. Is spoofing, as detailed in the above Cisco document, a legitimate risk? If so, to lessen that risk, should we apply L7 filters and user auth in the rules as you say, along with anti-spoofing as per the TAC recommendation in the document?


@dm2020 hopefully your ISP should block RFC1918 address space, so any spoofed traffic from outside would be dropped before it hits the FTD. Certainly apply uRPF as Cisco recommends; configuring user authentication is a bonus and worthwhile anyway.
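A small Python model of the two cases discussed in this thread, added here as an illustration (it is not code from the Cisco document or from any of the posters): it shows the ACP rule from the original post matching a clear-text packet that merely carries a pool source address on the outside interface, and how an anti-spoofing check or a user-identity condition on the rule stops it. The packet fields, the Servers subnet 10.10.10.0/24, and the simplified reverse-path logic are assumptions made for the model, not FTD's actual implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RAVPN_POOL = ip_network("192.168.1.0/24")   # pool from the original post
SERVERS = ip_network("10.10.10.0/24")       # assumed "Servers" network object

@dataclass
class Packet:
    ingress: str                   # interface the packet arrived on
    src: str
    dst: str
    from_vpn_tunnel: bool = False  # True if decrypted from an RA-VPN session
    user: str = ""                 # identity learned from the VPN session, if any

def acp_rule_matches(pkt: Packet, require_user: bool = False) -> bool:
    """The rule from the post: zone Outside -> Inside, RAVPN_Pool -> Servers.
    With require_user=True the rule also carries a user condition, which
    only packets mapped to an authenticated VPN user can satisfy."""
    if pkt.ingress != "outside" or ip_address(pkt.src) not in RAVPN_POOL:
        return False
    if ip_address(pkt.dst) not in SERVERS:
        return False
    return bool(pkt.user) if require_user else True

def anti_spoofing_passes(pkt: Packet) -> bool:
    """Simplified reverse-path check on the outside interface (assumption:
    the private pool is only reachable through the tunnel, so a pool source
    that did not arrive via a VPN session fails the check)."""
    if pkt.ingress == "outside" and ip_address(pkt.src) in RAVPN_POOL:
        return pkt.from_vpn_tunnel
    return True

def ftd_decision(pkt: Packet, anti_spoofing: bool = False,
                 require_user: bool = False) -> str:
    # Order modelled here: anti-spoofing first, then the ACP rule.
    if anti_spoofing and not anti_spoofing_passes(pkt):
        return "drop: anti-spoofing"
    if acp_rule_matches(pkt, require_user):
        return "allow"
    return "drop: no ACP match"

# Constructed sample packets: a real VPN client and a clear-text packet that
# reaches the outside interface with a forged source address from the pool.
VPN_CLIENT = Packet("outside", "192.168.1.10", "10.10.10.5", True, "alice")
SPOOFED = Packet("outside", "192.168.1.10", "10.10.10.5")

if __name__ == "__main__":
    for label, pkt in (("vpn client", VPN_CLIENT), ("spoofed", SPOOFED)):
        print(label, "ACP only:", ftd_decision(pkt))
        print(label, "ACP + anti-spoofing:", ftd_decision(pkt, anti_spoofing=True))
        print(label, "ACP + user condition:", ftd_decision(pkt, require_user=True))
```

With the ACP rule alone both packets are allowed, which is the "erroneously permitted" case from the Cisco document; anti-spoofing or a user condition on the rule drops only the clear-text one.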