GEO Blocking 5508 w/ Firepower

lmqtechnology
Level 1

We setup GEO blocking in Firepower which appears to be triggering events, however the blocked countries can still ping outside interface of ASA?  Is this correct? or should I be seeing this blocked also?

10 Replies

yogdhanu
Cisco Employee

Hi

I am assuming you have configured the geo blocking on the Firepower module on the ASA.

Then the behavior is expected: the outside world would be able to ping the ASA outside interface, as that connection would not be passed on to the SFR.

Hope it helps,

yogesh

Thank you for your reply. So does that mean that you cannot block AnyConnect access through GEO blocking either? Is the only traffic that is blocked that which actually passes "through", e.g. to a server with an external NAT mapping?

Correct - "to the box" traffic would not hit a policy with geoblocking rules.

Only "through the box" traffic would do so.

How would you achieve AnyConnect Geo-location blocking? 

To block AnyConnect clients based on geolocation you would need to have an upstream router, firewall or IPS performing the function.

What is the business need? If an otherwise legitimate client is abroad, do you want to block them? Do you just not want clients in certain countries to even be able to try to connect?

Is there a legal or regulatory requirement you are needing to comply with?

We're a smaller company, so VPN access from nearly all non-US based locations would be suspicious. Anyone who does go abroad is required (but it doesn't always happen) to notify our helpdesk so the proper cellular plan can be given to your phone and we'd update our policy to include VPN access.

Hi Marvin,

I have the exact use-case: a request to block non-United States locations from VPN access via AnyConnect. Is your answer still the case, that we would have to have an upstream device do this blocking?

If we disabled sysopt connection and forced VPN traffic to be evaluated via an ACL, would that work?

Thanks

BTW, the platform is FTD 2100 instead of 5508.

That's correct. Only traffic passing through a Firepower device is affected by the Access Control Policies (ACPs).

You can build a control-plane ACL which applies to an interface itself, but that has to be done via FlexConfig and can only use the classic 5-tuple logic, not the more advanced Layer 7 type of syntax. Also, it is not able to include things like geolocation as we can in a regular Firepower ACP.

See also this thread: https://community.cisco.com/t5/firewalls/ftd-remote-access-vpn-restriction/td-p/3765784
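As an added illustration (not from this thread, and not Cisco's documentation), this is the shape of the 5-tuple control-plane ACL the answer above refers to, written as the ASA-style CLI lines one would put into an FMC FlexConfig object. The prefixes are constructed placeholders from documentation ranges, not real geolocation data; the interface name `outside`, the object-group name and the ACL name are assumptions.

```cisco
! Constructed example of a control-plane ACL for "to the box" traffic.
! There is no geolocation object here: the source ranges have to be
! maintained by hand (the prefixes below are placeholders, not real data).
object-group network BLOCKED_SOURCES
 description Placeholder source ranges kept away from the outside interface
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0

! Order matters: the deny must come before the catch-all permit.
! The "log" keyword records hits so blocked connection attempts show up
! in syslog instead of disappearing silently.
access-list OUTSIDE_CP extended deny ip object-group BLOCKED_SOURCES any log
access-list OUTSIDE_CP extended permit ip any any

! Bind the ACL to the interface itself (control plane), not to the
! through-the-box traffic that the Firepower ACP already inspects.
access-group OUTSIDE_CP in interface outside control-plane
```

Because this list applies to the interface address itself, it covers pings to the outside interface and AnyConnect connection attempts alike, which is exactly the traffic the regular ACP never sees. The explicit trailing permit keeps existing management and VPN access working while only the listed ranges are dropped; the trade-off is the one the original poster already describes, a legitimate user travelling inside a denied range is locked out until the list is updated.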
