Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3829
Views
0
Helpful
1
Replies

Block IP addresses after too many failed VPN attempts

TJ-20933766
Spotlight
Spotlight

‎05-21-2017 09:10 PM

I've been curious to see if there is any mechanism in the ASA and/or router that would work similarly to the "login block-for" command but for remote access VPN. In short, I find lots of failed login attempts in the logs and I'd like to be able to block those IP addresses at least for a short amount of time so they do not just hammer the ASA/router trying to get in. Is there such a configuration?

Labels:
0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-21-2017 11:29 PM

I'm not aware of any such command or configuration you can do on the ASA or router natively.

I have seen one customer with an IDS creates a script that sends a shun command to the ASA and adds the source address to a blacklist ACL. I always thought that was more trouble than it was worth though, personally.

If there is an IPS upstream and the source of the failed attempts appears to be consistently from one or another country where you don't have any legitimate need for incoming communcations, you might be able to use a Geolocation blacklist to block all traffic from those locations.

0 Helpful
Customers Also Viewed These Support Documents