Blocking non-US countries on a Cisco ASA 5525-X

spfister336 (Level 2)

We are using a pair of ASA 5525-Xs for our remote-access and site-to-site VPNs. These devices are for the use of the staff of a school district, so 90+% of our connections are from the same city, plus a few vendors connecting in from other US cities. Since no one will ever legitimately be connecting from outside the US, I have been asked to block connections from non-US addresses.

 

The first proposed idea was a huge ACL with all of the US IP address ranges, which sounds like a hard-to-maintain mess that will slow things down. What are our best alternative solutions? Hardware solutions are OK.

4 Replies

@spfister336 

For VPN connections to the ASA you can only use a control-plane ACL to permit/deny.

 

You cannot use the geolocation filtering that is available with the Firepower module on the ASA, or if you were running the FTD image, as geolocation filtering is available only for traffic "through" the firewall, not "to" the ASA device.

 

A couple of options. You could use Cisco Duo for two-factor authentication; this can filter by geolocation for RAVPN connections. Or purchase another firewall running FTD and place it in front of the ASA performing VPN functions, so that the FTD in front of the ASA can filter the VPN traffic "through" the device.
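As a worked example of the control-plane-ACL route mentioned above (code added to this thread; it is not from either poster or from Cisco), the script below turns a prefix list into ASA configuration: a single `object-group network` that holds the allowed source prefixes, a control-plane ACL that permits only the VPN services (IKE, NAT-T, ESP, AnyConnect 443) from that group and denies the rest of the to-the-box traffic on the outside interface, plus a pre-deployment check that tells you whether a given source address would survive the ACL. The prefix list is a constructed stand-in built from RFC 5737 documentation ranges, and the object-group name `US_PREFIXES`, ACL name `VPN_CP` and outside address `203.0.113.1` are assumptions; a real list would come from a GeoIP or RIR export and has to be regenerated whenever that feed changes.

```python
"""Generate an ASA control-plane ACL that only accepts VPN traffic from a
given list of source prefixes.  Example code added to this thread, not from
the original posts; object names, the ASA outside address and the prefix
list are assumptions / constructed data."""
import ipaddress
from typing import Iterable, List

# Constructed stand-in for a "US prefixes" feed (RFC 5737 documentation
# ranges).  A real list comes from a GeoIP/RIR export and must be regenerated
# when that feed changes.
SAMPLE_US_PREFIXES = [
    "192.0.2.0/25",
    "192.0.2.128/25",      # adjacent to the line above: collapses to 192.0.2.0/24
    "198.51.100.0/24",
    "203.0.113.64/26",
]

# To-the-box services the VPN headend must still accept:
# IKE (UDP/500), NAT-T (UDP/4500), ESP (IP protocol 50), AnyConnect SSL/DTLS (443).
VPN_SERVICES = [
    ("udp", "eq 500"),
    ("udp", "eq 4500"),
    ("esp", ""),
    ("tcp", "eq 443"),
    ("udp", "eq 443"),
]


def collapse_prefixes(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse and merge adjacent/overlapping prefixes so the ACL stays small."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def render_object_group(name: str, cidrs: Iterable[str]) -> List[str]:
    """One object-group holds the prefix list, so refreshing the feed is a
    single object-group edit rather than a rewrite of every ACL line."""
    lines = [f"object-group network {name}"]
    for net in collapse_prefixes(cidrs):
        # ASA wants dotted netmasks, not CIDR lengths
        lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def render_control_plane_acl(acl: str, group: str, outside_ip: str,
                             interface: str = "outside") -> List[str]:
    """Permit the VPN services from the allowed prefixes, then deny the rest
    of the to-the-box traffic on that interface.  Anything else that must
    reach the interface (a monitoring host, a routing peer) needs its own
    permit line above the deny."""
    lines = []
    for proto, port in VPN_SERVICES:
        port_part = f" {port}" if port else ""
        lines.append(f"access-list {acl} extended permit {proto} "
                     f"object-group {group} host {outside_ip}{port_part}")
    lines.append(f"access-list {acl} extended deny ip any host {outside_ip}")
    lines.append(f"access-group {acl} in interface {interface} control-plane")
    return lines


def is_permitted(src_ip: str, cidrs: Iterable[str]) -> bool:
    """Pre-deployment check: would this source address match the permit
    lines?  Run every vendor's public address through it before applying."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in collapse_prefixes(cidrs))


if __name__ == "__main__":
    cfg = render_object_group("US_PREFIXES", SAMPLE_US_PREFIXES)
    cfg += render_control_plane_acl("VPN_CP", "US_PREFIXES", "203.0.113.1")
    print("\n".join(cfg))
    for ip in ("203.0.113.70", "203.0.113.200"):
        verdict = "permit" if is_permitted(ip, SAMPLE_US_PREFIXES) else "deny"
        print(f"{ip}: {verdict}")
```

The object-group is what keeps the "huge ACL" maintainable: the ACL itself stays at a handful of lines, and a refreshed prefix list is applied by regenerating and replacing the object-group. Keep the site-to-site peers' public addresses in the list (or in a separate always-permitted group), and re-run `is_permitted` against them after every refresh so a feed change cannot silently drop a tunnel.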

 

Chess_N (Level 1)

I have a customer using the Duo option that Rob mentioned and it's working well for creating a geolocation-based policy that lets you choose which locations a user can connect from. You will need the more advanced license (I think it's called Duo Access), so depending on how many users you have, it might be more cost-effective to use an FTD in front instead. The Duo Access license is about $6 per user/month.

/Chess

We're actually already using Duo. We wanted to do some geoblocking too. We're looking into something running pfsense in front of the VPN ASAs just for this purpose. Does anyone do that?

timk2021 (Level 1)

I do take into account that the WLC and AP have to have the same regulatory domain link. In line with what is cited above, I've set the WLC us of a code to SG, but on my 802.11bg community it is -E and -SE respectively.