06-03-2021 07:34 AM
Hey guys, we have a Cisco ASA 5525-X without Firepower services. We only use this device for AnyConnect and a few remote site-to-site VPNs for home offices.
This morning we noticed authentication attempts from a Russian IP and quickly created an access list on the outside interface control-plane to deny it. However, I know a better practice would be to block by geolocation. Our primary firewall has FirePower and in our FMC we block by GeoLocation.
Curious if there is an easy way to block by geolocation on an ASA without Firepower without an extensive list? Guessing no, but also curious if anyone has any other solutions? We are trying to get approval for MFA but it is not going well with our management staff. This may help tip the tides in our favor to get something like Duo.
06-03-2021 07:37 AM
Never Mind, I found another thread that said you cannot block by GeoLocation without the FirePower piece on an ASA.
06-03-2021 07:40 AM
Not really, no. Using a control-plane ACL is the best you can do on the ASA. The alternatives are to place an FTD in front of your ASA RAVPN so you can filter on geolocation, put an ACL on the upstream router (requires an extensive list) or, as you already suggested, use Duo, which can restrict on geolocation.
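For reference, the control-plane ACL approach both posts describe looks like this on ASA 9.x. This is an added example, not configuration from either poster; the ACL and object-group names are arbitrary and the addresses are documentation-range placeholders to be replaced with the observed source(s).

```cisco
! Added example: to-the-box ACL on the outside interface (ASA 9.x syntax).
! Keep the blocked sources in an object-group so the list can grow
! without touching the ACL itself.
object-group network BLOCKED_VPN_SOURCES
 description Sources seen attempting AnyConnect logins (placeholders)
 network-object host 192.0.2.10
 network-object 198.51.100.0 255.255.255.0

! Deny the listed sources from reaching the ASA itself (AnyConnect, IKE, etc.),
! then explicitly permit everything else so legitimate VPN users are unaffected.
access-list OUTSIDE_CP extended deny ip object-group BLOCKED_VPN_SOURCES any
access-list OUTSIDE_CP extended permit ip any any

! The control-plane keyword applies the ACL to traffic destined to the ASA,
! not to through-traffic handled by the normal interface ACL.
access-group OUTSIDE_CP in interface outside control-plane

! Verify that the deny entry is actually matching (hit counts increment).
show access-list OUTSIDE_CP
```

Because a control-plane ACL only filters traffic addressed to the ASA, it leaves the regular outside interface ACL and site-to-site tunnels untouched, but it is still an address list rather than true geolocation filtering.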