cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
467
Views
0
Helpful
3
Replies
spfister336
Beginner

Blocking non-US countries on a Cisco ASA 5525-X

We are using a pair of ASA 5525-Xs for our remote-access and site-to-site VPNs. These devices are for the use of the staff of a school district, so 90+% of our connections are from the same city, plus a few vendors connecting in from other US cities. Since, no one will ever legitimately be connection from out of the US, I have been asked to block connections from non-US addresses.

 

The first proposed idea was a huge ACL with all of the US ip address ranges, which sounds like a hard-to-maintain mess than will slow things down. What are our best alternative solutions? Hardware solutions are OK.

3 REPLIES 3
Rob Ingram
VIP Mentor

@spfister336 

For VPN connections to the ASA you can only use a control-plane ACL to permit/deny.

 

You cannot use the geolocation filtering that is available with the firepower module on the ASA or if you were running FTD image, as Gelocation filtering is available only for traffic "through" the firewall not "to" the ASA device.

 

A couple of options. You could use Cisco Duo for Two Factor authentication, this can filter by geolocation for RAVPN connections. Or purchase another firewall running FTD and place in front of the ASA performing VPN functions. Therefore this FTD in front of the ASA can filter the VPN traffic "through" the device.

 

Chess_N
Beginner

I have a customer using the DUO option that Rob mention and it's working good for creating a geolocation based policy that let you choose from which locations a user can connect from. You will need the more advanced license ( I think it's called DUO Acess), so depending on how many users you have, it might be more cost effective to use a FTD in front instead. The DUO access license is about $6 per user/month. 

/Chess

We're actually already using Duo. We wanted to do some geoblocking too. We're looking into something running pfsense in front of the VPN ASAs just for this purpose. Does anyone do that?