We are using a pair of ASA 5525-Xs for our remote-access and site-to-site VPNs. These devices are for the use of the staff of a school district, so 90+% of our connections are from the same city, plus a few vendors connecting in from other US cities. Since no one will ever legitimately be connecting from outside the US, I have been asked to block connections from non-US addresses.
The first proposed idea was a huge ACL with all of the US IP address ranges, which sounds like a hard-to-maintain mess that will slow things down. What are our best alternative solutions? Hardware solutions are OK.
For VPN connections to the ASA you can only use a control-plane ACL to permit/deny.
You cannot use the geolocation filtering that is available with the Firepower module on the ASA, or if you were running the FTD image, as geolocation filtering is available only for traffic "through" the firewall, not "to" the ASA device.
A couple of options. You could use Cisco Duo for two-factor authentication; this can filter by geolocation for RAVPN connections. Or purchase another firewall running FTD and place it in front of the ASA performing VPN functions. This FTD in front of the ASA can then filter the VPN traffic "through" the device.
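To make the control-plane ACL point concrete, here is an added example of what that approach looks like on the ASA; it is not part of the original thread and not Cisco's documentation. It assumes ASA 9.x syntax for the `control-plane` keyword on `access-group`, a constructed outside interface address of 198.51.100.1, a constructed allow-list object group (the maintained US prefix list would go there), and the standard IKE/NAT-T and AnyConnect TLS/DTLS ports.

```text
! Constructed example: the allowed source ranges go in one object group.
! The two prefixes below are documentation ranges standing in for the real US list.
object-group network VPN-ALLOWED-SOURCES
 network-object 203.0.113.0 255.255.255.0
 network-object 192.0.2.0 255.255.255.0

! Permit the VPN ports to the ASA's outside address from the allowed sources only.
! 198.51.100.1 stands in for the outside interface IP (constructed).
access-list CP-VPN remark IKE, NAT-T and AnyConnect (TLS + DTLS) from allowed sources
access-list CP-VPN extended permit udp object-group VPN-ALLOWED-SOURCES host 198.51.100.1 eq 500
access-list CP-VPN extended permit udp object-group VPN-ALLOWED-SOURCES host 198.51.100.1 eq 4500
access-list CP-VPN extended permit tcp object-group VPN-ALLOWED-SOURCES host 198.51.100.1 eq 443
access-list CP-VPN extended permit udp object-group VPN-ALLOWED-SOURCES host 198.51.100.1 eq 443

! Deny the same ports from every other source.
access-list CP-VPN remark Block VPN ports from everywhere else
access-list CP-VPN extended deny udp any host 198.51.100.1 eq 500
access-list CP-VPN extended deny udp any host 198.51.100.1 eq 4500
access-list CP-VPN extended deny tcp any host 198.51.100.1 eq 443
access-list CP-VPN extended deny udp any host 198.51.100.1 eq 443

! Leave all other to-the-box traffic (management, ICMP, etc.) as it was,
! so applying the ACL does not lock you out of the device.
access-list CP-VPN extended permit ip any any

! Apply as a control-plane ACL on the outside interface: this matches traffic
! destined "to" the ASA, which a normal interface ACL does not evaluate.
access-group CP-VPN in interface outside control-plane
```

After applying it, `show access-list CP-VPN` shows the hit counts on the deny lines for rejected attempts. Because the ASA itself has no geolocation data, the object group is the part that has to be kept current, which is exactly the maintenance burden the question raises.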
I have a customer using the Duo option that Rob mentioned and it's working well for creating a geolocation-based policy that lets you choose which locations a user can connect from. You will need the more advanced license (I think it's called Duo Access), so depending on how many users you have, it might be more cost effective to use an FTD in front instead. The Duo Access license is about $6 per user/month.