Block by geolocation without firepower

Travis-Fleming
Level 1

Hey guys, we have a Cisco ASA 5525-X without Firepower services. We only use this device for AnyConnect and a few remote site-to-site VPNs for home offices.

This morning we noticed authentication attempts from a Russian IP and quickly created an access list on the outside interface control-plane to deny it. However, I know a better practice would be to block by geolocation. Our primary firewall has FirePower and in our FMC we block by GeoLocation.

Curious if there is an easy way to block by geolocation on an ASA without Firepower without an extensive list? Guessing no, but also curious if anyone has any other solutions? We are trying to get approval for an MFA but not going well with our management staff. This may help tip the tides in our favor to get something like Duo.

Accepted Solutions

Travis-Fleming
Level 1

Never mind, I found another thread that said you cannot block by GeoLocation without the FirePower piece on an ASA.

@Travis-Fleming 

Not really, no. Using a control-plane ACL is the best you can do on the ASA. The alternatives are to place an FTD in front of your ASA RAVPN so you can filter on geolocation, put an ACL on the upstream router (requires an extensive list), or, as you already suggested, use Duo, which can restrict on geolocation.
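
Added example, not written by anyone in this thread: both the control-plane ACL and the upstream-router ACL come down to maintaining a long list of networks, so this Python script turns a one-CIDR-per-line list into ASA `access-list` lines, collapsing adjacent and overlapping ranges first to keep the list short. The ACL name `OUTSIDE_CP`, the interface name `outside`, and the sample ranges (RFC 5737 documentation addresses) are assumptions.

```python
import ipaddress

# Constructed sample input: documentation ranges standing in for a
# per-country CIDR list exported from a GeoIP data source.
SAMPLE_CIDRS = """
# comment lines and blanks are ignored
198.51.100.0/25
198.51.100.128/25
203.0.113.7
203.0.113.0/24
192.0.2.0/24
not-a-network
"""

def parse_cidrs(text):
    """Return (networks, rejected) from one-CIDR-per-line text."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts entries with host bits set, e.g. 10.1.2.3/24
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            rejected.append(line)  # surface bad input instead of dropping it silently
    return nets, rejected

def asa_control_plane_acl(nets, acl_name="OUTSIDE_CP", interface="outside"):
    """Render networks as ASA ACL lines; acl_name and interface are assumed names."""
    lines = []
    # collapse_addresses merges adjacent networks and drops contained ones
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        else:
            src = f"{net.network_address} {net.netmask}"  # ASA uses dotted masks
        lines.append(f"access-list {acl_name} extended deny ip {src} any")
    lines.append(f"access-group {acl_name} in interface {interface} control-plane")
    return lines

if __name__ == "__main__":
    networks, bad = parse_cidrs(SAMPLE_CIDRS)
    print("\n".join(asa_control_plane_acl(networks)))
    if bad:
        print("! rejected input:", ", ".join(bad))
```

Review the generated lines before pasting them into the ASA, and regenerate them whenever the source list is updated, since IP-to-country assignments change over time.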