AnyConnect VPN with Geo-Filtering and Multiple ISPs

ALI12 (Level 1)

Hi everyone,

We are currently using Cisco AnyConnect VPN, and recently we've observed persistent brute-force attacks originating from various countries. To mitigate this, we decided to implement a geographical filter to limit access.

Here's the approach I took:

We have a secondary firewall from another vendor that supports geographical filtering.
I configured a connection between the two firewalls, mapping the public IP associated with ISP-1 on FW GeoFilter to the ASA DMZ interface. This setup is working well, and AnyConnect access is now restricted to specific countries.

Now, I would like to use another public IP, which is tied to ISP-2. However, the default route is set to ISP-1.

Is there a way to utilize the ISP-2 public IP for AnyConnect without changing the default route, which remains on ISP-1?

Thanks in advance for your insights!

[Attached diagram: ALI12_0-1729696324044.png]

6 Replies

@MHM Cisco World 
Thank you for your input.

While FTD is a great solution for geographical filtering in front of the firewall, it is currently unavailable within the company.
As a temporary measure, we are utilizing the control plane to mitigate the brute-force attacks.

As far as I know, geo filtering does not work for traffic directed to the FTD itself.

So check the Cisco doc about this issue:

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html

MHM

I'll review the document. Thank you @MHM Cisco World 
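The "control plane" mitigation ALI12 mentions refers to the ASA's to-the-box ACL. Below is an added example of what that looks like; it is not configuration from this thread or from the linked Cisco document. The interface name `outside`, the ACL name `CP-OUTSIDE`, the source range 198.51.100.0/24 (standing in for a range you have seen attacking you) and the host 198.51.100.25 are all placeholders.

```cisco
! --- Added example, not from the thread. Names and addresses are placeholders. ---

! Lock a local account after 5 consecutive failures instead of letting the
! guessing run indefinitely. Only affects the LOCAL database, not RADIUS/LDAP.
aaa local authentication attempts max-fail 5

! Control-plane ACL: applies ONLY to traffic destined to the ASA itself
! (IKE, IPsec, the AnyConnect TLS/DTLS listener), not to transit traffic.
! Deny the abusive range, then permit the rest so existing users keep working.
access-list CP-OUTSIDE extended deny ip 198.51.100.0 255.255.255.0 any
access-list CP-OUTSIDE extended permit ip any any
access-group CP-OUTSIDE in interface outside control-plane

! For a single source that needs to go away right now, shun it: this drops
! existing connections too, which the ACL alone does not.
shun 198.51.100.25

! Checks:
!   show access-list CP-OUTSIDE          - hit counts on the deny line
!   show shun                            - active shuns
!   show aaa local user lockout          - accounts locked by max-fail
!   clear aaa local user lockout username <name>   - release one
```

Two caveats: a `max-fail` lockout can be turned against you (anyone who knows a username can lock it), so pair it with monitoring of `show aaa local user lockout`; and a control-plane ACL still lets the ASA see and drop each packet, so it stops the credential guessing but not the inbound packet load.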

Cristian Matei (VIP Alumni)

Hi,

    One solution would be to use two default routes, which I understand you want to avoid. The other solution is to use policy-based routing for all your non-VPN traffic towards the Internet (so the routing table will not be used for this traffic) and shift the default route to ISP-2, which will allow your VPN connections to be established. Ensure that VPN traffic coming from inside the network and going through VPN tunnels is NOT subject to your PBR policy; otherwise, the VPN connection gets established (control plane), but the data plane will fail, as incoming traffic arrives from ISP-2 while outgoing traffic ends up being policy-routed via ISP-1 and actually gets dropped.

Best,

Cristian.
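A worked configuration for the approach Cristian describes, as an added example that is not from the thread or from Cisco documentation. It assumes an ASA running 9.4(1) or later (interface PBR was introduced there), two outside interfaces named `outside-isp1` and `outside-isp2`, RFC 5737 documentation addresses for the ISP gateways (198.51.100.1 and 203.0.113.1), an inside network of 10.0.0.0/8, an AnyConnect address pool of 10.200.0.0/24 and a site-to-site remote subnet of 10.50.0.0/16. All of those names and addresses are placeholders.

```cisco
! --- Added example, not from the thread. Names and addresses are placeholders. ---

! 1. Single default route now points at ISP-2. AnyConnect sessions landing on the
!    ISP-2 public IP are therefore answered out of the same interface.
route outside-isp2 0.0.0.0 0.0.0.0 203.0.113.1 1

! 2. What must NOT be policy-routed: traffic from inside into any VPN.
!    'deny' in a PBR ACL means "do not policy-route", so this traffic falls
!    through to the routing table and follows the tunnel as normal.
access-list PBR-TO-ISP1 extended deny ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.255.0
access-list PBR-TO-ISP1 extended deny ip 10.0.0.0 255.0.0.0 10.50.0.0 255.255.0.0
! Everything else from inside to the Internet is sent via ISP-1.
access-list PBR-TO-ISP1 extended permit ip 10.0.0.0 255.0.0.0 any

route-map TO-ISP1 permit 10
 match ip address PBR-TO-ISP1
 set ip next-hop 198.51.100.1

! 3. Apply PBR on the ingress interface (inside), not on the outside interfaces.
interface GigabitEthernet0/1
 nameif inside
 policy-route route-map TO-ISP1

! 4. Each egress interface needs its own PAT rule; the policy-routed traffic
!    leaves via outside-isp1 and must be translated to THAT interface's address.
object network INSIDE-NET
 subnet 10.0.0.0 255.0.0.0
nat (inside,outside-isp1) after-auto source dynamic INSIDE-NET interface
nat (inside,outside-isp2) after-auto source dynamic INSIDE-NET interface

! Checks (192.0.2.10 stands in for an Internet host, 10.50.1.10 for a host behind
! the site-to-site tunnel):
!   packet-tracer input inside tcp 10.0.1.10 40000 192.0.2.10 443   -> egress outside-isp1 (PBR)
!   packet-tracer input inside tcp 10.0.1.10 40000 10.50.1.10 445   -> VPN encrypt, not PBR
!   show route-map TO-ISP1     - match counters
!   show running-config route  - confirm only one default route
```

The order of the ACL lines is the whole point: the `deny` entries for VPN destinations must precede the broad `permit`, otherwise the data-plane failure Cristian describes is exactly what you get (tunnel up, traffic black-holed out of ISP-1). If ISP-1 can fail, the `set ip next-hop` can be replaced by the tracked form (`set ip next-hop verify-availability <ip> <seq> track <id>` with an IP SLA object) so the map is skipped and the ISP-2 default route takes over when ISP-1 is down.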

@Cristian Matei 
Thank you for your insights. I appreciate your suggestion regarding the use of two default routes with policy-based routing (PBR). As you mentioned, enabling the route-map or PBR is essential to implement this solution effectively.