Beginner

ASA 5506-X FirePOWER Geolocation

Hi, 

I have configured my SPR to push traffic to the FirePOWER module and then configured the rules on the module to block outbound Geolocation restrictions. I have this working with no issue. 

I would like to do the reverse. Any traffic coming inbound to the ASA that is sourcing from other countries I want to drop.

3 Replies
VIP Advocate

I would assume it is as easy as creating another rule below your first GeoLocation rule but then select geolocation as the source network.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AC-Rules-Network.html#20007

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
Highlighted
Beginner

I have been testing in a lab and this is what I have found. First I should have prefaced this with I am trying to set this up for AnyConnect. I noticed that there is no real way to put an inbound acl in place for AnyConnect access, like you normally can with other protocols.

I adjusted my SPR to include all interfaces and now the external interface is flowing to the module and my rule for Geolocation is now working. What is not sitting right with me is that traffic has already entered the firewall and is not being blocked at the edge. It seems this is either a bug or the module does not handle traffic at the edge because the SPR has to move the traffic there first for inspection.

Beginner

I am going to test removing sysopt connection permit-vpn, push my traffic to the module and go from there
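For reference, the two ASA-side pieces the posts above talk about, as an added configuration example (not taken from the thread or from any poster's running config): the service policy redirect applied globally so that traffic on every interface, the outside interface included, is handed to the FirePOWER (SFR) module, and the `sysopt` change the last post proposes to test. The class-map, policy-map and ACL names are assumptions chosen for the example; `fail-open` is shown because it is the usual lab choice, and `fail-close` is the hardened alternative if traffic should be dropped whenever the module is down. Note that the geolocation access control rule itself is configured on the FirePOWER module (via ASDM), not in the ASA CLI.

```cisco
! --- Service policy redirect to the FirePOWER module on all interfaces ---
! Names (sfr-class, outside_access_in) are assumptions for this example.
class-map sfr-class
 match any
!
policy-map global_policy
 class sfr-class
  sfr fail-open
!
! "global" applies the policy to every interface, so outside-sourced
! flows are also redirected to the module for the geolocation rule.
service-policy global_policy global

! --- Removing the VPN ACL bypass (what the last post sets out to test) ---
! By default, sysopt connection permit-vpn lets decrypted VPN traffic
! skip the interface ACL. Turning it off makes AnyConnect traffic subject
! to the outside interface ACL, so that ACL must then permit what the
! VPN users legitimately need or they will be cut off.
no sysopt connection permit-vpn
!
access-list outside_access_in extended permit ip object-group ANYCONNECT_POOL any
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
```

Verify the redirect with `show service-policy sfr` (redirected packet counters per interface) and the module state with `show module sfr details`; with `fail-open` the counters keep climbing even when the module is down, so check both.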