Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1231
Views
0
Helpful
4
Replies

Sourcefire restricting Anyconnect VPM from Korea

Hulk8647
Level 1
Level 1

‎10-29-2020 05:57 AM

Hello,

We use Cisco anyconnect for our RA access. Right now, everyone can use anyconnect client and login to VPN from any country, is there a way to restrict logins from certain countries? First, is it even possible? My thought was Sourcefire only comes in play when you're already on the network not when you're trying to get on. If it is possible, will I be restricting anyconnect logins from anyconnect or will it just kill any traffic from those countries? Thank you

 

Cisco Firepower Management Center 750

0 Helpful
4 Replies 4

Rob Ingram
VIP
VIP

‎10-29-2020 06:09 AM

Hi @Hulk8647 

You cannot configure geo rules on the local FTD (the FTD that is acting as the RAVPN headend device) to restrict anyconnect logins from certain countries.

You'd have to put another device in front of the RAVPN headend device, then you could restrict this access.

 

HTH

0 Helpful

Hulk8647
Level 1
Level 1
In response to Rob Ingram

‎10-29-2020 06:53 AM - edited ‎10-29-2020 06:54 AM

there is nothing I can do even on ASA? (5516) which is where that RA vpn is configured?

0 Helpful

Rob Ingram
VIP
VIP

‎10-29-2020 06:58 AM

You mentioned Sourcefire, I assume you meant you were running FTD. With ASA you can configure a control-plane ACL and applied to the outside interface, this however relies on you knowing the Korean IP address ranges.

 

Even if you had an FTD, you cannot use geo location rules for traffic destined to the device, only for traffic through the device.

 

HTH

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-29-2020 07:41 AM - edited ‎10-29-2020 07:42 AM

To confirm and further illustrate what @Rob Ingram is saying...

If you are using an ASA with Firepower service module as your VPN headend and firewall both then you cannot use the Geoblocking capability of Firepower to restrict VPN client addresses.

You can deny access to certain addresses or networks (using a control plane ACL) but very few people try to geoblock that way as it not generally practical to keep track of every address that comes from a certain country. (Firepower does that with a geolocation feed that is updated automatically every couple of weeks.)

If your ASA sits "behind" a Firepower Threat Defense (FTD) firewall (for example, in a DMZ) then you can restrict access to the ASA's outside interface with the geoblocking feature on the FTD device.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card