05-18-2021 03:11 AM
Dear All
We have enabled Remote Access VPN in our FTD/FMC solution and the address that our external users use is the Outside interface self-address.
What we want to implement is to deny connections from specific public IP Address and allow everything else.
At the moment there is no rule to allow or deny incoming VPN traffic, and the option "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" is disabled.
Our security policy does not contain a specific allow rule for the incoming VPN connections and the default action (last rule in the security policy) is deny all, but incoming VPN connections are operational.
If the security policy does not provide filtering for incoming VPN connections, how is it possible to filter them?
Thanks in advance
05-18-2021 03:16 AM
Hi @stsag_080067084
The ACP won't filter this inbound VPN traffic to deny traffic from a certain public IP address, because the ACP is for traffic "through" the FTD and not "to" the FTD itself.
Evidently you can use FlexConfig to apply a control plane ACL to the FTD or alternatively block traffic on the upstream router.
HTH
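As an added illustration of the control-plane ACL the reply points to (not configuration from the original poster or the reply), this is the ASA-style CLI that would be pushed through a FlexConfig object and applied to the Outside interface where the RA VPN terminates. The ACL name CP-BLOCK-VPN, the interface name "outside" and the address 198.51.100.23 are placeholders for the real blocked public IP.

```cisco
! Control-plane ACL: filters traffic addressed TO the FTD itself (e.g. VPN
! handshakes to the Outside interface address), which the ACP does not see.
! Placeholder values: CP-BLOCK-VPN, outside, 198.51.100.23 (the IP to deny).
access-list CP-BLOCK-VPN extended deny ip host 198.51.100.23 any
!
! An ACL ends in an implicit deny, so without this permit every other
! to-the-box connection (all remaining VPN users) would be dropped as well.
access-list CP-BLOCK-VPN extended permit ip any any
!
! The control-plane keyword applies the ACL to-the-box on the interface,
! instead of to through-traffic as a normal interface ACL would.
access-group CP-BLOCK-VPN in interface outside control-plane
!
! Verification after deployment: hit counts on the deny line confirm the
! blocked address is being dropped and the permit line is still matching.
show access-list CP-BLOCK-VPN
```

Deploy the FlexConfig with the FTD's Outside interface name substituted for "outside"; the order matters, since the deny line must precede the permit any any line.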