3903 Views, 5 Helpful, 13 Replies

block ip addresses that try to brute force into VPN

mikeyasg (Level 1)

Hello,

Starting from the last three weeks these IP Addresses are attempting to VPN into our network. In the ISE LiveLogs we can see that there are multiple attempts from these ip addresses. These IP addresses were added to the prefilter block rule on the FTD firewall. But still the authentication traffic is reaching the ISE server. shouldn't it be blocked the firewall. 

Any ideas why this address is still able to attempt auth, even though it should be getting denied before it even gets that far?

[Attached screenshot: Screenshot 2023-04-27 152407.png]

Accepted Solution

@mikeyasg if the pre-filter rule you are referring to is configured on the FTD acting as the Remote Access VPN concentrator, then that will not work. The pre-filter and Access Control rules control traffic "through" the firewall and not "to" the firewall itself, so it cannot block those connections.

Rarely used, but you could use a control-plane ACL to deny the specific IP addresses and permit the rest of the remote access vpn connections. Example: https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/

Or deny the traffic on the upstream ISP router.
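As an added example (not part of the original post), this is what the control-plane ACL described above looks like in ASA/FTD CLI syntax, which on an FMC-managed FTD is pushed through a FlexConfig object as the linked write-up walks through. The source addresses 203.0.113.10/.11 (RFC 5737 documentation space) and the interface name "outside" are placeholders standing in for the IPs seen in the ISE Live Logs and your own Internet-facing nameif. Rob's second option, the same deny on an upstream IOS/IOS-XE router, is shown underneath with the same placeholders.

```cisco
! Added example, not from the original thread. 203.0.113.10/.11 and the
! nameif "outside" are placeholders; substitute the sources seen in the
! ISE Live Logs and your Internet-facing interface.
!
! 1) Deny the brute-forcing sources. Prefilter and Access Control rules
!    never see this traffic because it terminates on the FTD's own
!    outside IP ("to the box"), so the deny has to live in a control-plane ACL.
access-list CONTROL-PLANE-ACL extended deny ip host 203.0.113.10 any
access-list CONTROL-PLANE-ACL extended deny ip host 203.0.113.11 any
!
! 2) Keep everything else. Every ACL ends in an implicit deny, so without
!    this line legitimate AnyConnect/IKEv2 clients (and anything else
!    addressed to the box on this interface) would be dropped as well.
access-list CONTROL-PLANE-ACL extended permit ip any any
!
! 3) Bind it to to-the-box traffic on the outside interface. The trailing
!    "control-plane" keyword is what distinguishes this from an ordinary
!    through-the-box access-group.
access-group CONTROL-PLANE-ACL in interface outside control-plane
!
! Verify: the deny lines should accumulate hits while attempts are
! arriving, and new attempts from those sources should stop appearing
! in the ISE Live Logs.
!   show access-list CONTROL-PLANE-ACL
!   show running-config access-group

! --- Alternative: same block on an upstream IOS/IOS-XE router, applied
! --- inbound on its Internet-facing interface (placeholder names).
ip access-list extended BLOCK-VPN-BRUTEFORCE
 deny   ip host 203.0.113.10 any
 deny   ip host 203.0.113.11 any
 permit ip any any
interface GigabitEthernet0/0
 ip access-group BLOCK-VPN-BRUTEFORCE in
```

Order matters in both variants: the deny entries must sit above the final permit, and the permit must stay, since removing it turns a two-address blocklist into a block of all to-the-box traffic on that interface, including the VPN you are trying to protect. As a deny-list this has the scaling limitation mikeyasg raises later in the thread (new sources mean new lines), so it is a stopgap rather than a substitute for rate limiting or MFA on the VPN.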




Agree with @Rob Ingram. Filter on an upstream router or terminate RA VPN on a firewall in the DMZ; then the Internet-facing firewall rules would apply to the incoming traffic.

Regarding Duo, generally the Duo configuration (whether SSO, Duo Auth Proxy or Duo Access Gateway) will still be trying to perform the first authentication against your primary authentication source, e.g. AD via ISE. So the attempts will still be logged by ISE (or AD if you bypass ISE for AuthC and only use it for AuthZ).

marce1000 (VIP)

> ...These IP addresses were added to the prefilter block rule on the FTD firewall.

  - Depends on what you mean by that; I guess that should not be 'prefilter block', but just block or deny/drop (e.g.)

 M.


Is this VPN RAVPN or L2L VPN?
If it is L2L VPN then the solution is control-plane.
If it is RAVPN then I think Duo can solve the issue <<- this I need to dive deep into to check the best solution for you, but the idea is that the ASA makes the first auth and then sends to ISE for the second auth; here only the users that pass the first auth will be sent to ISE for more auth, and the ASA will drop the other attempts.

Can I use Duo to protect ASA local account logins?

Absolutely! To protect users local to the ASA, with the Duo LDAPS configuration for SSL VPN, continue to use the "LOCAL" AAA Server Group for authentication and add the Duo LDAP AAA server group for secondary authentication.

To protect local ASA users connecting with the Duo RADIUS configuration for SSL VPN clients, use the duo_only_client and radius_server_duo_only configurations in your Authentication Proxy setup, and again continue to use the "LOCAL" AAA Server Group for authentication and add the Duo RADIUS AAA server group for secondary authentication.

https://duo.com/docs/cisco-faq

mikeyasg (Level 1)

The VPN is RAVPN and we are thinking of using a control plane ACL as @Rob Ingram suggested, if it is applicable for RAVPN, or blocking these IPs on the upstream router. But blocking the traffic on the upstream router would mean adding the addresses every time we face this issue.

@mikeyasg yes control-plane ACL works on RAVPN.

Please can you confirm that one IP is the outside interface IP of the FW and the other is an IP from the RAVPN pool?

The outside interface is the VPN concentrator, and the endpoint that is making the remote connection will get an IP from the RAVPN pool. But the screenshot that I shared shows neither the outside interface nor an IP from the pool; rather, it is the IP address that belongs to the endpoint initiating the VPN connection.

Then, if you are sure that these IPs are not the outside IP or from the VPN pool, as others mention you can use an ACL.

Client - Internet - ASA - Inside - ISE

Apply an ACL to the inside interface that allows only the management IP to send to ISE, plus the first IP of the VPN pool (to be more sure, allow the whole VPN pool). That's it.

You will then ask how the RAVPN connects to ISE: the RAVPN does not connect directly to ISE for auth, the FW does this; the FW works as a proxy to authenticate the RAVPN.

mikeyasg (Level 1)

Thank you all, and @Rob Ingram: we were able to use the control plane ACL and it was successful. Thank you for your support.

Sorry for my info.

What do you permit and what do you deny in the control-plane ACL?

willb1 (Level 1)

Having a router upstream from the FTD, wouldn't it be possible to create a correlation policy and use the Cisco IOS Null Route Module to automate blocking the offending IPs at the upstream router?

I began looking into this option this morning but am not clear as to how to create and associate the remediation step with the correlation policy.
