5360 Views, 5 Helpful, 6 Replies

Block VPN connections from specific geo locations

mpanderson1 (Level 1)

How can I block VPN client connections from specific geo locations? I have an access rule to block connections from specific geo locations, but I am still seeing authentication attempts from blocked countries in my RADIUS logs.

6 Replies

@mpanderson1  The ACP controls traffic "through" the FTD, not for connections "to" the FTD, such as VPN.


So you cannot use Geolocation to control access to the FTD. You'd have to purchase another FTD and place it in front of your VPN FTDs; then the traffic would be going through the FTD and you could use an ACP with geolocation.


Alternatively, you could filter by IP address either on the upstream router or use FlexConfig to apply a control-plane ACL.

Marvin Rhoads (Hall of Fame)

Sascha K. (Level 1)

If I only want to allow one country, e.g. Germany, there are more than 30000 lines of IP addresses. How do I handle that with a control-plane ACL?

@Sascha K. Well, you would have to configure the control-plane ACL with 30000 ACEs, or put an FTD in front of your ASA and configure Geolocation on the FTD to permit traffic from Germany only and deny the rest.

Sascha K. (Level 1)

Is there an easy way to import 30000 ACE into FMC?

It could be done via the API, but you would have the burden of keeping track of new addresses as they are added to whatever listing or feed you use. Generally speaking, it would be easier to separate the VPN termination onto a separate box behind the FTD (i.e., in a DMZ); then, with a single rule in FTD that you never need to update (other than subscribing to the Cisco Geolocation feed updates), you could restrict the source geolocations.