Unable to filter Incoming SSL/IPSEC VPN on FTD

stsag_080067084
Level 1

Dear All

We have enabled Remote Access VPN in our FTD/FMC solution and the address that our external users use is the Outside interface self-address.

What we want to implement is to deny connections from a specific public IP address and allow everything else.

At the moment there is no rule to allow or deny incoming VPN traffic, and the option "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" is disabled.

Our security policy does not contain a specific allow rule for the incoming VPN connections and the default action (last rule in the security policy) is deny all, but incoming VPN connections are operational.

If the security policy does not provide filtering for incoming VPN connections, how is it possible to filter them?

Thanks in advance

1 Accepted Solution

Accepted Solutions

Hi @stsag_080067084

The ACP won't filter this inbound VPN traffic to deny traffic from certain public IP addresses, because the ACP is for traffic "through" the FTD and not "to" the FTD itself.

Evidently you can use FlexConfig to apply a control plane ACL to the FTD or alternatively block traffic on the upstream router.

HTH
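As an added illustration of the control-plane ACL approach described in the answer above (this is not from the original thread or from Cisco's documentation for this case), here is the ASA-style configuration a FlexConfig object would push to the FTD. The ACL name CP-BLOCK, the interface name outside and the address 203.0.113.10 are placeholders chosen for the example; the address is from the documentation range and is not one mentioned in the thread.

```cisco
! Control-plane ACL: evaluated for traffic destined TO the FTD itself (the
! outside interface address used by the remote-access VPN), which the Access
! Control Policy does not inspect. Names and the blocked address are placeholders.
access-list CP-BLOCK extended deny ip host 203.0.113.10 any
! A control-plane ACL ends with an implicit deny, so every other source that
! should still reach the VPN (all remaining remote users) must be permitted
! explicitly, otherwise all inbound VPN sessions are blocked.
access-list CP-BLOCK extended permit ip any any
! Apply the ACL as a to-the-box ACL on the outside interface.
access-group CP-BLOCK in interface outside control-plane
```

In FMC these lines go into a FlexConfig object (with a matching negate object containing the `no access-group` form so the policy can be cleanly removed), the object is attached to a FlexConfig policy assigned to the device, and the change is deployed. On the FTD CLI, `show access-list CP-BLOCK` shows per-entry hit counts, which is the quickest way to confirm that connection attempts from the blocked address are hitting the deny entry while other users continue to match the permit.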
