Showing results for 
Search instead for 
Did you mean: 

Sourcefire restricting Anyconnect VPM from Korea



We use Cisco anyconnect for our RA access. Right now, everyone can use anyconnect client and login to VPN from any country, is there a way to restrict logins from certain countries? First, is it even possible? My thought was Sourcefire only comes in play when you're already on the network not when you're trying to get on. If it is possible, will I be restricting anyconnect logins from anyconnect or will it just kill any traffic from those countries? Thank you


Cisco Firepower Management Center 750

4 Replies 4

Hi @Hulk8647 

You cannot configure geo rules on the local FTD (the FTD that is acting as the RAVPN headend device) to restrict anyconnect logins from certain countries.

You'd have to put another device in front of the RAVPN headend device, then you could restrict this access.



there is nothing I can do even on ASA? (5516) which is where that RA vpn is configured?

You mentioned Sourcefire, I assume you meant you were running FTD. With ASA you can configure a control-plane ACL and applied to the outside interface, this however relies on you knowing the Korean IP address ranges.


Even if you had an FTD, you cannot use geo location rules for traffic destined to the device, only for traffic through the device.



Marvin Rhoads
Hall of Fame
Hall of Fame

To confirm and further illustrate what @Rob Ingram is saying...

If you are using an ASA with Firepower service module as your VPN headend and firewall both then you cannot use the Geoblocking capability of Firepower to restrict VPN client addresses.

You can deny access to certain addresses or networks (using a control plane ACL) but very few people try to geoblock that way as it not generally practical to keep track of every address that comes from a certain country. (Firepower does that with a geolocation feed that is updated automatically every couple of weeks.)

If your ASA sits "behind" a Firepower Threat Defense (FTD) firewall (for example, in a DMZ) then you can restrict access to the ASA's outside interface with the geoblocking feature on the FTD device.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: