Can Cisco ASA locate AnyConnect geographically and block access if the client is out of the country?

john.ebrahim83
Level 1

Can anyone tell me whether it is possible to restrict the access of a Cisco AnyConnect client based on its location? For example, one guy is on vacation out of the country and tries to access the corporate network; however, until now he can access it until the admin blocks him.

Since Cisco has the ASA-X series firewall having this feature, please tell me how I can implement it in an ASA-X series firewall, and is it possible with a simple ASA 5500 series firewall having software version 9.0?

Your response will be highly appreciated.

5 Replies

Jouni Forss
VIP Alumni

Hi,

The only thing that I can think of related to the ASA itself would be to configure a "control-plane" ACL that blocks the TCP/443 connections to the ASA based on the source IP address.

That would be either only allowing your country's allocated IP address space or blocking all the rest.

Either way I imagine it might be a messy configuration.

I don't know if the ASA together with some other devices/services could do this a bit more cleanly. I have never had to do this so I can't say.

- Jouni

Hi Jouni,

You are absolutely right, but that is the plain old way of blocking, since Cisco announced the ASA CX firewall, which is a revolutionary big change. It has so many features. Do see some on YouTube about the ASA CX context-aware firewall (next generation firewall).

Hi,

Sadly I am still waiting for my ASA5500-X unit with ASA-CX.

My employer will probably be ordering one for me for testing purposes.

The "wheels of bureaucracy" just keep turning quite slowly, so I am still waiting.

Though I am eager to get it in my hands so I can test it. I haven't seen that many posts on the CSC about it, though. Mostly people asking about the licensing and installation and required hardware setup. Not really any questions about the configurations.

- Jouni

Hi John,

Jouni is absolutely correct; the only way to do it is via a control-plane ACL restricting it based on IP.

ASA CX is more about outbound web filtering and AVC capabilities, and there is no change as far as AnyConnect is concerned.

I see an additional way to Jouni's suggestion with CP-ACLs, but you probably need some quite strong programming skills:

The ASA has Dynamic Access Policies (DAP), which can be controlled with Lua scripts. In these scripts you can match on connection settings and change your VPN environment based on these settings, or even terminate the connection.

There are a couple of GeoIP libraries available for Lua, like http://geoip.luaforge.net/. If these could be integrated into these scripts, then you should be able to only allow connections from certain countries.

But I see problems keeping the geo-IP database up to date with that approach, as I don't know if these scripts are allowed to build outbound connections. Probably it's not worth the effort.


EDIT: Another approach: with a RADIUS server like FreeRADIUS you can define policies in scripts (like Python or Perl). These scripts could query a geo-IP database for the client IP and reject or allow the connection based on the location.


Sent from Cisco Technical Support iPad App
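The two mechanisms the replies describe, Jouni's control-plane ACL keyed on the country's allocated address space and the later RADIUS policy script that consults a geo-IP database, share the same core: a prefix lookup that maps the client's source address to a country. The following is an added example written for this thread, not code from any of the posters or from Cisco. The allocation table, the database date and the ASA outside address are constructed sample values (RFC 5737/3849 documentation ranges), and the generated ASA ACL lines follow the `access-list ... extended` / `access-group ... control-plane` syntax, which you should check against your ASA version's command reference before use. The policy fails closed when the allocation table is older than a set age, which addresses the "keeping the database up to date" concern raised above.

```python
"""Geo-based admission check for AnyConnect clients (added example).

Two outputs from one allocation table:
  * GeoPolicy.decide()     -- what a FreeRADIUS-style policy script would
                              return for a client source address
  * control_plane_acl()    -- the static ASA control-plane ACL that
                              enforces the same country allow-list
"""
from datetime import date, timedelta
import ipaddress

# Constructed sample allocation table (country code -> prefixes).
# A real deployment would load this from a geo-IP database (assumption).
SAMPLE_ALLOCATIONS = {
    "FI": ["192.0.2.0/25", "2001:db8:1::/48"],
    "US": ["198.51.100.0/24"],
    "DE": ["203.0.113.0/24", "2001:db8:2::/48"],
}
SAMPLE_DB_DATE = date(2024, 1, 15)   # constructed "last updated" stamp
MAX_DB_AGE = timedelta(days=30)      # fail closed if the table is older


class GeoPolicy:
    def __init__(self, allocations, db_date, allowed_countries, max_age=MAX_DB_AGE):
        # Parse every prefix once; keep (network, country) pairs.
        self.networks = []
        for country, prefixes in allocations.items():
            for p in prefixes:
                self.networks.append((ipaddress.ip_network(p), country))
        # Longest prefix first so a more specific allocation wins.
        self.networks.sort(key=lambda nc: nc[0].prefixlen, reverse=True)
        self.db_date = db_date
        self.allowed = set(allowed_countries)
        self.max_age = max_age

    def country_of(self, client_ip):
        """Map a source address to a country code, or None if unallocated."""
        addr = ipaddress.ip_address(client_ip)
        for net, country in self.networks:
            if addr.version == net.version and addr in net:
                return country
        return None

    def decide(self, client_ip, today):
        """Return (RADIUS response, reason) for one client address.

        Rejects when the allocation data is stale: a silently outdated
        table would otherwise let reassigned address space through.
        """
        if today - self.db_date > self.max_age:
            return "Access-Reject", "geo database stale; failing closed"
        country = self.country_of(client_ip)
        if country is None:
            return "Access-Reject", "source address not in allocation table"
        if country in self.allowed:
            return "Access-Accept", f"source in allowed country {country}"
        return "Access-Reject", f"source in {country}"


def control_plane_acl(policy, acl_name="CP-GEO", outside_ip="192.0.2.1"):
    """Emit ASA to-the-box ACL lines permitting TCP/443 only from allowed
    IPv4 prefixes, then denying TCP/443 from everything else.

    outside_ip is a constructed placeholder for the ASA's outside address.
    IPv6 entries are skipped here (IPv4 netmask form only); whether other
    to-the-box traffic (management access) needs an explicit permit at the
    end depends on your existing control-plane policy -- verify on the box.
    """
    lines = []
    for net, country in policy.networks:
        if net.version != 4 or country not in policy.allowed:
            continue
        lines.append(
            f"access-list {acl_name} extended permit tcp "
            f"{net.network_address} {net.netmask} host {outside_ip} eq 443"
        )
    lines.append(f"access-list {acl_name} extended deny tcp any host {outside_ip} eq 443")
    lines.append(f"access-group {acl_name} in interface outside control-plane")
    return lines


if __name__ == "__main__":
    policy = GeoPolicy(SAMPLE_ALLOCATIONS, SAMPLE_DB_DATE, allowed_countries=["FI"])
    for ip in ("192.0.2.10", "198.51.100.7", "10.0.0.1"):
        print(ip, policy.decide(ip, date(2024, 1, 20)))
    print("\n".join(control_plane_acl(policy)))
```

The RADIUS path gives a per-connection decision with a reason you can log, while the ACL path is static and has to be regenerated whenever the allocation table changes; the generated line count grows with the number of allowed prefixes, which is the "messy configuration" Jouni warned about.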
