We use Cisco AnyConnect for our RA access. Right now, everyone can use the AnyConnect client and log in to the VPN from any country. Is there a way to restrict logins from certain countries? First, is it even possible? My thought was Sourcefire only comes into play when you're already on the network, not when you're trying to get on. If it is possible, will I be restricting AnyConnect logins from AnyConnect, or will it just kill any traffic from those countries? Thank you
You mentioned Sourcefire; I assume you meant you were running FTD. With an ASA you can configure a control-plane ACL and apply it to the outside interface; this, however, relies on you knowing the Korean IP address ranges.
Even if you had an FTD, you cannot use geolocation rules for traffic destined to the device, only for traffic through the device.
To confirm and further illustrate what @Rob Ingram is saying...
If you are using an ASA with a Firepower service module as both your VPN headend and firewall, then you cannot use the geoblocking capability of Firepower to restrict VPN client addresses.
You can deny access to certain addresses or networks (using a control-plane ACL), but very few people try to geoblock that way, as it is not generally practical to keep track of every address that comes from a certain country. (Firepower does that with a geolocation feed that is updated automatically every couple of weeks.)
If your ASA sits "behind" a Firepower Threat Defense (FTD) firewall (for example, in a DMZ) then you can restrict access to the ASA's outside interface with the geoblocking feature on the FTD device.
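As an added illustration of the control-plane ACL both replies mention (this is an example, not configuration posted by either responder), the following ASA fragment denies the VPN-listener traffic from two address ranges and permits everything else. The ranges 203.0.113.0/24 and 198.51.100.0/24 are constructed placeholders from the documentation space, standing in for whatever country ranges you would have to maintain yourself; the ACL name VPN-GEO-BLOCK and the interface name `outside` are assumptions.

```text
! Constructed example: restrict to-the-box VPN access on an ASA
! Deny the AnyConnect listeners (TLS/DTLS on 443, IKEv2 on UDP 500/4500)
! from the placeholder ranges. Ranges must be maintained by hand; the
! ASA has no geolocation feed for to-the-box traffic.
access-list VPN-GEO-BLOCK extended deny tcp 203.0.113.0 255.255.255.0 any eq 443
access-list VPN-GEO-BLOCK extended deny udp 203.0.113.0 255.255.255.0 any eq 443
access-list VPN-GEO-BLOCK extended deny udp 203.0.113.0 255.255.255.0 any eq 500
access-list VPN-GEO-BLOCK extended deny udp 203.0.113.0 255.255.255.0 any eq 4500
access-list VPN-GEO-BLOCK extended deny tcp 198.51.100.0 255.255.255.0 any eq 443
access-list VPN-GEO-BLOCK extended deny udp 198.51.100.0 255.255.255.0 any eq 443
access-list VPN-GEO-BLOCK extended deny udp 198.51.100.0 255.255.255.0 any eq 500
access-list VPN-GEO-BLOCK extended deny udp 198.51.100.0 255.255.255.0 any eq 4500
! Explicit permit-any at the end: a control-plane ACL ends in an implicit
! deny, so omitting this line would also cut off your own management
! sessions and any other traffic addressed to the ASA itself.
access-list VPN-GEO-BLOCK extended permit ip any any
! Bind the ACL to traffic destined to the outside interface itself
! (to-the-box). It has no effect on traffic passing through the ASA.
access-group VPN-GEO-BLOCK in interface outside control-plane
```

After applying it, `show access-list VPN-GEO-BLOCK` shows per-line hit counts, which is the quickest way to confirm that connection attempts from the listed ranges are being dropped while the permit line keeps counting normal traffic. Scoping the deny lines to the VPN ports rather than `ip any` keeps the ACL from unintentionally blocking other to-the-box services, and it matches the distinction in the replies above: this controls who can reach the AnyConnect listener, not traffic flowing through the firewall.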