08-09-2021 12:28 PM
We are using a pair of ASA 5525-Xs for our remote-access and site-to-site VPNs. These devices are for the use of the staff of a school district, so 90+% of our connections are from the same city, plus a few vendors connecting in from other US cities. Since no one will ever legitimately be connecting from outside the US, I have been asked to block connections from non-US addresses.
The first proposed idea was a huge ACL with all of the US IP address ranges, which sounds like a hard-to-maintain mess that will slow things down. What are our best alternative solutions? Hardware solutions are OK.
08-09-2021 12:39 PM
For VPN connections to the ASA you can only use a control-plane ACL to permit/deny.
You cannot use the geolocation filtering that is available with the Firepower module on the ASA, or if you were running the FTD image, as geolocation filtering is available only for traffic "through" the firewall, not "to" the ASA device.
A couple of options. You could use Cisco Duo for two-factor authentication; this can filter by geolocation for RAVPN connections. Or purchase another firewall running FTD and place it in front of the ASA performing VPN functions. This FTD in front of the ASA can then filter the VPN traffic "through" the device.
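The control-plane ACL route is the one the thread says is available on the ASA itself, and the original poster's worry was that a hand-maintained country allow-list is a mess. The script below is an added example (not Cisco's configuration or any poster's) that generates that ACL from a CIDR list, collapsing adjacent prefixes so the object group stays as small as possible; the object-group name US-NETS, the ACL name VPN-GEO, the interface name outside and the sample prefixes are all assumptions.

```python
"""Generate an ASA control-plane ACL that accepts VPN traffic only from an allow-list."""
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample allow-list (documentation ranges); a real one would be the full US list.
SAMPLE_PREFIXES = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.0/24"]

# To-the-box services a VPN headend must accept: IKE, NAT-T, SSL/DTLS, and native ESP.
VPN_SERVICES = [
    ("udp", "eq isakmp"),  # IKE, UDP/500
    ("udp", "eq 4500"),    # IPsec NAT-T
    ("tcp", "eq https"),   # AnyConnect SSL
    ("udp", "eq 443"),     # AnyConnect DTLS
    ("esp", ""),           # site-to-site peers without NAT-T
]


def collapse(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent or overlapping IPv4 CIDRs so the ACL has as few entries as possible."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 4))


def build_acl(prefixes: Iterable[str], group: str = "US-NETS", acl: str = "VPN-GEO",
              iface: str = "outside", mgmt_src: Optional[List[str]] = None) -> List[str]:
    """Return ASA config lines: object group, permit rules, explicit deny, control-plane binding."""
    lines = [f"object-group network {group}"]
    for net in collapse(prefixes):
        # ASA object groups take a dotted netmask, not prefix length.
        lines.append(f" network-object {net.network_address} {net.netmask}")
    for proto, port in VPN_SERVICES:
        lines.append(f"access-list {acl} extended permit {proto} object-group {group} any {port}".rstrip())
    # Caveat: a control-plane ACL ends with an implicit deny, so any other traffic that must
    # reach the box on this interface (e.g. SSH from a management network) must be permitted too.
    for src in mgmt_src or []:
        n = ipaddress.ip_network(src, strict=False)
        lines.append(f"access-list {acl} extended permit tcp {n.network_address} {n.netmask} any eq ssh")
    lines.append(f"access-list {acl} extended deny ip any any")
    lines.append(f"access-group {acl} in interface {iface} control-plane")
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl(SAMPLE_PREFIXES, mgmt_src=["192.0.2.0/24"])))
```

Regenerate and re-apply the object group whenever the upstream country list changes; the ACL lines themselves stay the same.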
08-10-2021 05:15 AM - edited 08-10-2021 05:16 AM
I have a customer using the Duo option that Rob mentioned, and it's working well for creating a geolocation-based policy that lets you choose from which locations a user can connect. You will need the more advanced license (I think it's called Duo Access), so depending on how many users you have, it might be more cost effective to use an FTD in front instead. The Duo Access license is about $6 per user/month.
/Chess
08-12-2021 11:09 AM
We're actually already using Duo. We wanted to do some geoblocking too. We're looking into running pfSense in front of the VPN ASAs just for this purpose. Does anyone do that?
07-03-2022 06:14 PM - edited 07-13-2022 11:33 AM
I do take into account that the WLC and AP have to have the same regulatory domain. In line with what was cited above, I've set the WLC country code to SG, but on my 802.11bg network it is -E and -SE respectively.