
ASA 5506-X FirePOWER Geolocation

vgulinolite
Level 1

Hi, 

I have configured my SPR to push traffic to the FirePOWER module and then configured the rules on the module to block outbound Geolocation restrictions. I have this working with no issue.

I would like to do the reverse. Any traffic coming inbound to the ASA that is sourcing from other countries I want to drop.

3 Replies

I would assume it is as easy as creating another rule below your first GeoLocation rule but then select geolocation as the source network.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AC-Rules-Network.html#20007

--

Please remember to select a correct answer and rate helpful posts

I have been testing in a lab and this is what I have found. First, I should have prefaced this with: I am trying to set this up for AnyConnect. I noticed that there is no real way to put an inbound ACL in place for AnyConnect access, like you normally can with other protocols.

I adjusted my SPR to include all interfaces, and now the external interface is flowing to the module and my rule for Geolocation is now working. What is not sitting right with me is that traffic has already entered the firewall and is not being blocked at the edge. It seems this is either a bug, or the module does not handle traffic at the edge because the SPR has to move the traffic there first for inspection.

I am going to test removing sysopt connection permit-vpn, push my traffic to the module and go from there.
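For readers following the thread, here is the ASA-side configuration being discussed: the service-policy redirect that sends traffic on every interface to the FirePOWER (sfr) module, followed by the sysopt/ACL change the poster plans to test. This is an added example, not configuration posted in the thread or taken from Cisco documentation; the class-map name, ACL name, interface name and the 203.0.113.0/24 address range are assumptions. The geolocation rule itself is built in the module's access control policy (ASDM or FMC), so it does not appear in the ASA CLI.

```cisco
! Added example, not from the thread. sfr-redirect, OUTSIDE_IN, outside and
! 203.0.113.0/24 are placeholder names/addresses; adjust to the real deployment.

! 1. Redirect all through-the-box traffic on every interface to the FirePOWER
!    module. A global policy with "match any" is what makes inbound traffic on
!    the outside interface reach the module's geolocation rules. fail-close
!    drops traffic if the module is down; use fail-open if availability wins.
class-map sfr-redirect
 match any
policy-map global_policy
 class sfr-redirect
  sfr fail-close
service-policy global_policy global

! 2. Lab test from the post: stop decrypted VPN traffic from bypassing
!    interface ACLs, then apply an inbound ACL on the outside interface.
!    The permit line keeps one assumed trusted range reachable while testing.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit ip 203.0.113.0 255.255.255.0 any
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! 3. Verify that the redirect is applied and the module is up.
show service-policy sfr
show module sfr details
```

One caveat worth checking in the lab: an interface ACL such as OUTSIDE_IN filters through-the-box traffic, while the AnyConnect session setup itself (the client's TCP/UDP 443 connection to the ASA's outside address) is to-the-box traffic. The ASA filters to-the-box traffic with a control-plane ACL (access-group NAME in interface outside control-plane), so a source-based restriction on who may even reach the VPN listener belongs there rather than in the normal inbound ACL.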
