01-20-2017 12:58 PM - edited 03-12-2019 01:48 AM
Hi,
I have configured my SPR to push traffic to the FirePOWER module and then configured the rules on the module to block outbound Geolocation restrictions. I have this working with no issue.
I would like to do the reverse. Any traffic coming inbound to the ASA that is sourced from other countries I want to drop.
01-21-2017 01:00 PM
I would assume it is as easy as creating another rule below your first GeoLocation rule but then select geolocation as the source network.
--
Please remember to select a correct answer and rate helpful posts
01-22-2017 06:51 AM
I have been testing in a lab and this is what I have found. First, I should have prefaced this by saying I am trying to set this up for AnyConnect. I noticed that there is no real way to put an inbound ACL in place for AnyConnect access, like you normally can with other protocols.
I adjusted my SPR to include all interfaces, and now the external interface is flowing to the module and my rule for Geolocation is working. What is not sitting right with me is that the traffic has already entered the firewall and is not being blocked at the edge. It seems this is either a bug or the module does not handle traffic at the edge, because the SPR has to move the traffic there first for inspection.
01-23-2017 12:24 PM
I am going to test removing sysopt connection permit-vpn, push my traffic to the module and go from there
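For readers following the same approach, the ASA configuration below is an added illustration of the two steps discussed in this thread (redirecting every interface to the FirePOWER module, then removing the VPN ACL bypass); it is not the poster's configuration. The interface name `outside`, the ACL name `outside_in`, the object name `anyconnect-pool` and the pool subnet are assumed for the example.

```text
! Added example, not the original poster's config. Names of the interface,
! ACL, object and subnet are assumptions.
!
! 1. Redirect traffic on every interface to the FirePOWER (sfr) module.
!    The default global policy-map and service-policy already exist on an
!    ASA; the class with "match any" is what sends all flows to the module.
class-map global-class
 match any
policy-map global_policy
 class global-class
  sfr fail-open
service-policy global_policy global
!
! 2. Stop decrypted VPN traffic from bypassing the interface ACL.
no sysopt connection permit-vpn
!
! 3. Once the bypass is gone, decrypted AnyConnect traffic is checked
!    against the ACL on the interface where the tunnel terminates, so the
!    outside ACL must explicitly permit the client pool or the VPN breaks.
object network anyconnect-pool
 subnet 10.10.10.0 255.255.255.0
access-list outside_in extended permit ip object anyconnect-pool any
access-group outside_in in interface outside
```

Two caveats a practitioner would want here. The ASA's own interface ACL cannot match on geolocation, and the redirect to the module happens after the ASA has already accepted the connection, so the geolocation drop will always be enforced on the module rather than "at the edge," which is the behaviour the poster observed. And `sfr fail-open` lets traffic through if the module goes down; use `sfr fail-close` if the geolocation block must hold even when the module is unavailable.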