05-20-2021 11:37 AM
How can I block VPN client connections from specific geo locations? I have an access rule to block connections from specific geo locations but I am still seeing authentication attempts from blocked countries in my Radius logs.
05-20-2021 11:45 AM - edited 05-20-2021 11:45 AM
@mpanderson1 The ACP controls traffic "through" the FTD, not for connections "to" the FTD, such as VPN.
So you cannot use Geolocation to control access to the FTD. You'd have to purchase another FTD and place it in front of your VPN FTDs; then the traffic would be going through the FTD and you could use an ACP with geolocation.
Alternatively you could filter by IP address either on the upstream router or use flexconfig to apply a control plane ACL.
05-21-2021 10:35 AM
Also see this ENH (Enhancement) bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs65322/?rfs=iqvred
07-18-2022 01:06 AM
If I only want to allow one country, e.g. Germany, there are more than 30,000 lines of IP addresses. How do I handle that with a control-plane ACL?
07-18-2022 01:11 AM
@Sascha K. well you would have to configure the control plane ACL with 30,000 ACEs, or put an FTD in front of your ASA and configure Geolocation on the FTD to permit traffic from Germany only and deny the rest.
07-18-2022 05:31 AM
Is there an easy way to import 30,000 ACEs into FMC?
07-18-2022 05:43 AM
It could be done via API, but you would have the burden of keeping track of new addresses as they are added into whatever listing or feed you use. Generally speaking it would be easier to separate the VPN termination onto a separate box behind the FTD (i.e., in a DMZ) and then, with a single rule in FTD that you never need to update (other than subscribing to the Cisco Geolocation feed updates), you could restrict the source geolocations.
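As an added illustration of the control-plane ACL approach suggested earlier in the thread and of the "30,000 ACEs" problem raised above (this is example code written for this page, not from any poster or from Cisco): the script below parses a country prefix list, collapses adjacent and overlapping prefixes so the ACL carries as few ACEs as possible, and emits ASA-style `access-list` lines plus the `access-group ... control-plane` binding that applies them to traffic destined to the box itself. The prefix feed is a small constructed sample, not a real geolocation feed; the port list (TCP/UDP 443 for TLS/DTLS, UDP 500/4500 for IKEv2) and the ACL and interface names are assumptions you would adjust. On FTD the same lines would be pushed through a FlexConfig object, as the earlier reply describes.

```python
import ipaddress

# Constructed sample of prefixes for the single country to be allowed.
# This is an assumption for the example, not a real geolocation feed.
SAMPLE_FEED = """
# comment lines and blank lines are ignored
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
192.0.2.0/24
"""

# Ports remote-access VPN clients use to reach the headend (assumed):
# TLS and DTLS on 443, IKEv2 on UDP 500/4500.
VPN_PORTS = (("tcp", 443), ("udp", 443), ("udp", 500), ("udp", 4500))


def parse_feed(text):
    """Return the IPv4/IPv6 networks listed in a feed, rejecting malformed lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"bad prefix in feed: {line!r}") from exc
    return nets


def aggregate(nets):
    """Collapse overlapping and adjacent IPv4 prefixes so fewer ACEs are needed."""
    return list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))


def build_control_plane_acl(nets, acl_name="VPN_CPLANE", iface="outside"):
    """Emit ASA CLI lines: permit the allowed ranges to the VPN ports,
    deny those ports from everyone else, and bind the ACL to the control plane."""
    lines = [f"access-list {acl_name} remark allowed-country ranges to VPN services only"]
    for net in aggregate(nets):
        for proto, port in VPN_PORTS:
            lines.append(
                f"access-list {acl_name} extended permit {proto} "
                f"{net.network_address} {net.netmask} any eq {port}"
            )
    for proto, port in VPN_PORTS:
        lines.append(f"access-list {acl_name} extended deny {proto} any any eq {port} log")
    # 'control-plane' makes the ACL apply to traffic addressed to the ASA itself,
    # which is what the regular interface ACL (and the FTD ACP) does not cover.
    lines.append(f"access-group {acl_name} in interface {iface} control-plane")
    return lines


if __name__ == "__main__":
    print("\n".join(build_control_plane_acl(parse_feed(SAMPLE_FEED))))
```

Two practical notes. Aggregation is what keeps the ACE count manageable: country feeds are full of adjacent /25s and /26s that collapse into a handful of larger prefixes. And because a control-plane ACL is evaluated against everything addressed to the box on that interface, check what else (management, routing, NTP, the rest of your VPN-related ports) must still be permitted before applying it, and re-run the script whenever the feed changes, since the list is only as current as its last run.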