We are using a pair of ASA 5525-Xs for our remote-access and site-to-site VPNs. These devices are for the use of the staff of a school district, so 90+% of our connections are from the same city, plus a few vendors connecting in from other US cities. Since no one will ever legitimately be connecting from outside the US, I have been asked to block connections from non-US addresses.
The first proposed idea was a huge ACL with all of the US IP address ranges, which sounds like a hard-to-maintain mess that will slow things down. What are our best alternative solutions? Hardware solutions are OK.
For VPN connections to the ASA you can only use a control-plane ACL to permit/deny.
You cannot use the geolocation filtering that is available with the Firepower module on the ASA, or if you were running the FTD image, as geolocation filtering is available only for traffic "through" the firewall, not "to" the ASA device.
A couple of options. You could use Cisco Duo for two-factor authentication; this can filter by geolocation for RAVPN connections. Or purchase another firewall running FTD and place it in front of the ASA performing the VPN functions. That way the FTD in front of the ASA can filter the VPN traffic "through" the device.
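Since the only native control on the ASA is a control-plane ACL, the "huge ACL" the question worries about becomes manageable if it is generated rather than hand-typed. The script below is an added example, not code from the original post or from either reply; it assumes the ASA `access-list ... extended` / `access-group ... control-plane` syntax and uses a small constructed prefix list (hypothetical documentation ranges, not real US allocations) in place of a real country feed. It aggregates adjacent prefixes to keep the ACL short, emits permits for the VPN listener ports only, logs the denies so blocked attempts show up in syslog, and includes a check function for sanity-testing a vendor address before the ACL is pushed.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample of "allowed" source prefixes (hypothetical; stands in for
# a real US allocation list that you would download and refresh on a schedule).
ALLOWED_PREFIXES = [
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the block above: collapses into one /24
    "203.0.113.0/24",
    "192.0.2.0/24",
]

# Ports the ASA VPN services listen on: IKE, IPsec NAT-T, and SSL/DTLS for AnyConnect.
VPN_SERVICES = [
    ("udp", "500"),
    ("udp", "4500"),
    ("tcp", "443"),
    ("udp", "443"),
]


def aggregate(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent and overlapping IPv4 CIDRs so the ACL has as few entries as possible."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return sorted(ipaddress.collapse_addresses(nets))


def asa_mask(net: ipaddress.IPv4Network) -> str:
    """ASA ACLs take 'network netmask' rather than CIDR notation."""
    return f"{net.network_address} {net.netmask}"


def build_control_plane_acl(prefixes: Iterable[str],
                            acl_name: str = "VPN-ALLOWED-SRC",
                            outside_if: str = "outside") -> List[str]:
    """Return the ASA configuration lines for a to-the-box (control-plane) ACL."""
    lines = []
    for net in aggregate(prefixes):
        for proto, port in VPN_SERVICES:
            lines.append(
                f"access-list {acl_name} extended permit {proto} {asa_mask(net)} any eq {port}"
            )
    # Explicit, logged deny of the VPN ports from every other source so that
    # blocked attempts are visible in syslog (hit counts also help tune the list).
    for proto, port in VPN_SERVICES:
        lines.append(f"access-list {acl_name} extended deny {proto} any any eq {port} log")
    # A control-plane ACL has an implicit deny at the end; permit remaining to-the-box
    # traffic so existing management access (SSH, HTTPS from inside) is not broken.
    lines.append(f"access-list {acl_name} extended permit ip any any")
    lines.append(f"access-group {acl_name} in interface {outside_if} control-plane")
    return lines


def is_source_allowed(ip: str, prefixes: Iterable[str]) -> bool:
    """Pre-deployment check: would a VPN attempt from this address match a permit?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in aggregate(prefixes))


if __name__ == "__main__":
    for line in build_control_plane_acl(ALLOWED_PREFIXES):
        print(line)
    print(is_source_allowed("198.51.100.200", ALLOWED_PREFIXES))  # vendor in the list
    print(is_source_allowed("8.8.8.8", ALLOWED_PREFIXES))         # not in the list
```

Regenerating and re-pushing the ACL from a refreshed prefix list on a schedule keeps it current; the trailing `permit ip any any` is a deliberate choice so only the VPN listeners are restricted, and should be replaced with narrower management permits if you want the control plane locked down as well.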
I have a customer using the DUO option that Rob mentioned and it's working well for creating a geolocation-based policy that lets you choose from which locations a user can connect. You will need the more advanced license (I think it's called DUO Access), so depending on how many users you have, it might be more cost effective to use an FTD in front instead. The DUO Access license is about $6 per user/month.