How to limit remote VPN users to certain countries in FMC?

baselzind
Level 6

I have ASA+SFR+FMC.

I need to allow remote VPN users only from certain countries in FMC. Is it possible? Is it like in the FMC access rule, where I put the remote VPN users' subnet and the geolocation as a source?



@baselzind 

You cannot control access "to" the ASA+SFR itself by geolocation; this only works for traffic "through" the ASA+SFR or FTD. You'd need to put another FTD or ASA+SFR in front of the ASA running RAVPN and filter there.

 

HTH

Please, I don't understand why I need an extra ASA+SFR in front of my ASA+SFR which has remote VPN configured. Can't I apply rules on the same ASA+SFR?

ASA+SFR or FTD both support geolocation rules, BUT geolocation rules only apply for traffic going "through" the device. A Remote Access VPN terminates on the ASA/FTD itself, so geolocation rules never apply - as this traffic to establish the VPN tunnel is not going through the ASA. This is why you'd need another device that supports geolocation in front of your ASA running RAVPN.

 

On the ASA itself, it does support a control-plane ACL which would be attached to the outside interface. This filters traffic "to" the ASA itself, but not "through". However, this does not support geolocation, so you'd have to filter on IP, TCP or UDP. A normal ACL configured on an ASA filters traffic going "through" the ASA; usage of the control-plane ACL is rare.

 

Alternatively a 2FA solution such as DUO can filter traffic based on country of origin, so that way you could restrict the users authenticating.

balaji.bandi
Hall of Fame

As far as I know, there is no geo-filtering option available on ASA. On ASA, an ACL-based rule is the only option available, if you know the sources to block.

 

Example:

http://resources.intenseschool.com/to-the-box-traffic-filtering-on-cisco-asa/

NGFW has this option, not the ASA code.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

But the FMC attached to the SFR+ASA has geolocation in the access rules?

balaji.bandi
Hall of Fame

SFR is the Sourcefire module for the IPS policies, which you manage using FMC. VPN terminates on the ASA.

 

BB


Marvin Rhoads
Hall of Fame

Like @Rob Ingram said, using MFA with geofencing is the best current option. All of the leading MFA solutions (Duo, Okta, Microsoft etc.) support this feature.

Some organizations opt to put an ASA (or even ASAv ) in a DMZ behind the FTD device. You can then put FTD-based geolocation restrictions on the incoming Access Control Policy rule that allows access to the ASA interface that is providing the remote access VPN service.

JerryLarson7922
Level 1

Hello, can I ask what solution was used to resolve this requirement? I have FTDs running on FMC as firewall and IPS.

 

thanks, 

There is no solution if you have ASA; the only solution is to replace the ASA with a Firepower firewall.

JerryLarson7922
Level 1

I was able to implement it by using a control-plane extended access list.

Can you clarify how to implement it for certain countries?

Hi!

It is very sad that a vendor is asking you to multiply devices for features other vendors are offering on one box.

The explanation lies in the fact that VPN traffic is processed BEFORE any ACP module. Remember that geolocation is something you configure in the Access Control Policy inside rules, but that ACP is triggered after the VPN traffic.

This being said, it still applies geolocation, but to your RAVPN clients, which will be in RFC 1918 space, and you won't see any geo information there.

As other people said previously, using MFA will make sure only authorized users are able to connect successfully, but you won't be able to limit by GeoIP those trying to establish a connection in the first place. An option is, as said before, to configure an ACL with all the IPs from the GeoDB that you want to block, but unless you automate this process it is not a feasible way to manage it, and it will also have a performance impact due to the high volume of IPs in the ACL.

HTH

 

A control plane ACL will work if you don't mind managing hundreds or thousands of entries from a geolocation database of IP address to country mapping. This quickly becomes unmanageable unless you have some scripting or similar automation in place to update the information periodically.
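The control-plane ACL that Rob describes above and that Jerry says he used, plus the caveat in the last two replies about managing hundreds or thousands of GeoDB entries, all point at the same thing: a script that turns a GeoIP export into an ASA control-plane ACL and is re-run whenever the database changes. The Python below is an added example written for this page, not code from anyone in the thread or from Cisco. It assumes a hypothetical GeoDB export in the form of "prefix,country" rows (the sample rows are constructed from documentation ranges, not real data), an outside interface named `outside`, and arbitrary object-group and ACL names. It collapses the prefixes for the chosen countries so that the ACL carries as few entries as possible, restricts only the RAVPN ports (UDP/500, UDP/4500, TCP/443), and logs denied attempts so the blocks are visible in syslog.

```python
"""Generate an ASA control-plane ACL that only accepts Remote Access VPN
traffic from selected countries.

Added example for this thread; not vendor code. The GeoDB export format
("prefix,country" CSV) and the names below are assumptions.
"""
from ipaddress import ip_network, collapse_addresses
from typing import Dict, Iterable, List

# Constructed sample GeoDB export using documentation prefixes. Not real data.
# A real export for one country can hold tens of thousands of rows.
SAMPLE_GEODB_CSV = """\
prefix,country
192.0.2.0/24,US
198.51.100.0/25,US
198.51.100.128/25,US
203.0.113.0/24,DE
203.0.113.0/25,DE
"""

# Ports on which the ASA terminates RAVPN: IKEv2, NAT-T and SSL/TLS (AnyConnect).
RAVPN_SERVICES = [("udp", "500"), ("udp", "4500"), ("tcp", "443")]

GROUP_NAME = "RAVPN_ALLOWED_COUNTRIES"   # assumed object-group name
ACL_NAME = "RAVPN_GEO_IN"                # assumed ACL name


def parse_geodb(csv_text: str) -> Dict[str, List]:
    """Parse "prefix,country" rows into {COUNTRY: [IPv4Network, ...]}.

    Malformed rows are skipped rather than turned into a broken ACE."""
    table: Dict[str, List] = {}
    for line in csv_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 2 or parts[0].lower() == "prefix":
            continue  # header or incomplete row
        try:
            net = ip_network(parts[0], strict=True)
        except ValueError:
            continue  # not a valid prefix, e.g. host bits set
        table.setdefault(parts[1].upper(), []).append(net)
    return table


def allowed_networks(table: Dict[str, List], countries: Iterable[str]) -> List:
    """Collect the prefixes for the wanted countries and collapse adjacent or
    overlapping ones, which is what keeps the ACE count down."""
    nets = []
    for country in countries:
        nets.extend(table.get(country.upper(), []))
    return list(collapse_addresses(nets))


def render_control_plane_acl(nets: List, acl_name: str = ACL_NAME,
                             group_name: str = GROUP_NAME,
                             iface: str = "outside") -> List[str]:
    """Render ASA CLI: an object-group of allowed sources, permits for the RAVPN
    ports from that group, logged denies for the same ports from anywhere else,
    and a trailing permit so other to-the-box traffic (management, routing)
    is not caught by the implicit deny. Applied with the control-plane keyword."""
    lines = [f"object-group network {group_name}"]
    for net in nets:
        lines.append(f" network-object {net.network_address} {net.netmask}")
    for proto, port in RAVPN_SERVICES:
        lines.append(f"access-list {acl_name} extended permit {proto} "
                     f"object-group {group_name} any eq {port}")
    for proto, port in RAVPN_SERVICES:
        # 'log' makes blocked VPN attempts show up in syslog for monitoring.
        lines.append(f"access-list {acl_name} extended deny {proto} any any eq {port} log")
    lines.append(f"access-list {acl_name} extended permit ip any any")
    lines.append(f"access-group {acl_name} in interface {iface} control-plane")
    return lines


def build_config(csv_text: str, countries: Iterable[str]) -> List[str]:
    """End-to-end: GeoDB text plus country list in, ASA CLI lines out."""
    return render_control_plane_acl(allowed_networks(parse_geodb(csv_text), countries))


if __name__ == "__main__":
    # Allow RAVPN only from the constructed "US" prefixes.
    for line in build_config(SAMPLE_GEODB_CSV, ["US"]):
        print(line)
```

With the sample data, the two US /25s collapse into a single /24, so the object-group ends up with two entries instead of three; on a real export the same step removes a large fraction of the rows, but the ACL is still only as manageable as the schedule on which you regenerate and push it. The trailing `permit ip any any` is a deliberate choice to limit the ACL to VPN ports; tighten it if you already restrict other to-the-box services on that interface.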