I have a customer who is wondering if there is a way to use geo-blocks to block specific countries from trying to hit the SSL-VPN due to brute force attempts. I don’t really know of a way that this could be done on the ASA or if it’s even really possible? I don’t really see the point in this either as they could easily just spoof the IP. Any thoughts?
Years ago I did some testing in the ASA and used the Country IP Blocks web site to create a list of prefixes used by China in the “Cisco bit bucket” format, which is really just a bunch of IOS Null0 routes. I did some simple find/replace editing to turn those routes into the equivalent Null0 routes for the ASA, and also enabled Reverse Path Filtering with the “ip verify reverse-path” command. My reasoning was that route lookups are one of the most highly optimized processes in a Layer 3 device, so this was not likely to be any slower than ACL processing. The benefit of the Reverse Path Filtering feature is that any incoming traffic originating from any prefix in the list of Null0 routes will be dropped, since it’s not entering the ASA from the actual Null0 interface, and that feature worked as I hoped it would. I also ended up writing a simple Python script to aggregate all the Null0 routes down to the shortest equivalent list of prefixes, which significantly reduced the number of those routes by about 50%. All of this worked as expected, and I could not generate enough test traffic to cause any detectable hit to the CPU, so this appears to be a reasonably efficient way to drop traffic. The one downside to this is that it makes the config really big, so doing a “show run” can be pretty inconvenient, but it’s easy to use “show run | excl Null0” to not see all those routes, so it’s not too big of an issue.
So, while this may be close to the functionality you’re looking for, it’s a bit of a hack and is somewhat manually intensive unless you were to put some work into automating the generation of the Country IP Blocks. Whether this is worth the trouble is debatable, since bad actors from other countries can just use domestic servers as sources of their attacks, so GeoIP blocking is of questionable value. Even so, it was an interesting academic exercise from back when I was working with the ASA a lot, so I figured I’d share it.
Good luck!
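The Null0-route approach above, as an added example that is not the poster's own script: it reads the IOS-style "ip route ... Null0" export the post describes, aggregates adjacent and overlapping prefixes with the standard library's `ipaddress.collapse_addresses`, and renders ASA null routes plus the reverse-path check. The `route null0 <net> <mask>` output form and the interface name `outside` are assumptions; the prefixes in the sample export are constructed test data.

```python
"""Aggregate a country prefix list into ASA null routes (added example)."""
import ipaddress
import re

# Constructed sample export in the IOS "bit bucket" format. The two /25s are
# adjacent and 203.0.113.0/25 is already covered by its /24, so aggregation
# should shrink the list from 5 routes to 3.
SAMPLE_IOS_EXPORT = """\
! comment line that the parser must skip
ip route 198.51.100.0 255.255.255.128 Null0
ip route 198.51.100.128 255.255.255.128 Null0
ip route 203.0.113.0 255.255.255.0 Null0
ip route 203.0.113.0 255.255.255.128 Null0
ip route 192.0.2.0 255.255.255.0 Null0
"""

IOS_NULL_ROUTE = re.compile(
    r"^\s*ip route\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+Null0\b",
    re.IGNORECASE,
)


def parse_ios_null_routes(text):
    """Return an IPv4Network for every 'ip route <net> <mask> Null0' line; ignore the rest."""
    nets = []
    for line in text.splitlines():
        m = IOS_NULL_ROUTE.match(line)
        if m:
            # strict=False tolerates host bits set in a sloppy export
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def aggregate(nets):
    """Collapse overlapping and adjacent prefixes into the shortest equivalent list (sorted)."""
    return list(ipaddress.collapse_addresses(nets))


def render_asa_null_routes(nets, outside_if="outside"):
    """Emit one ASA null route per prefix, then enable RPF on the outside interface.

    The 'route null0 <net> <mask>' form is the assumed ASA syntax for this example.
    """
    lines = [f"route null0 {n.network_address} {n.netmask}" for n in nets]
    lines.append(f"ip verify reverse-path interface {outside_if}")
    return lines


def covered(nets, ip):
    """True if a source address falls in a null-routed prefix (so RPF would drop it)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    raw = parse_ios_null_routes(SAMPLE_IOS_EXPORT)
    agg = aggregate(raw)
    print(f"{len(raw)} routes in, {len(agg)} routes out")
    print("\n".join(render_asa_null_routes(agg)))
```

Run it against a real export and compare the "in" and "out" counts to see how much aggregation buys you; the `covered()` helper is a quick way to sanity-check that a known source address lands in the list before you paste it into a production config.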
Most effective method is to use SAML auth to Duo and implement Geo fencing policy on Duo. (Of course you can use a competitor’s SAML solution to do this instead if you prefer).
Apply an access list to the control plane
I did this and it worked.
- Generate a country you want to allow, i.e. USA. Generate using “network object” on Block Visitors by Country | IP2Location
- At the beginning of the list put something like:
object-group network GEO_USA_IP_Ranges
description All Addresses of USA - paste everything via SSH
- I used ASDM; I allowed this list in Management Access Rules and denied the any any after. Or here’s an example via CLI:
access-list outside_access_in_2 extended permit ip object-group GEO_USA_IP_Ranges any
access-list outside_access_in_2 extended deny ip any any
access-group outside_access_in_2 in interface outside control-plane
- No one outside the USA is able to establish a VPN connection anymore
One caveat: if you use ASDM, you’ll have problems loading everything; you have to modify the run.bat file and increase the heap memory size. Here’s my run.bat:
start javaw.exe -Xms256m -Xmx1024m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar com.cisco.launcher.Launcher cert.PEM
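The control-plane allow-list above, as an added example that is not the poster's configuration: it renders the `object-group network` entries and the permit/deny/`access-group ... control-plane` lines quoted in the post from a prefix list, and includes a small first-match evaluator so you can confirm the rule order does what you expect before applying it. The prefixes, the group and ACL names reuse the post's names, and the sample source addresses are constructed test data; the evaluator models only source-address matching, not the full ASA ACL semantics.

```python
"""Country allow-list as an ASA control-plane ACL, with a first-match check (added example)."""
import ipaddress

# Constructed stand-in for the IP2Location "network object" export of one country.
ALLOWED_PREFIXES = ["198.51.100.0/24", "203.0.113.0/24"]


def render_object_group(name, prefixes, description):
    """object-group network with one network-object per prefix, in ASA ip/mask form."""
    lines = [f"object-group network {name}", f" description {description}"]
    for p in prefixes:
        n = ipaddress.ip_network(p)
        lines.append(f" network-object {n.network_address} {n.netmask}")
    return lines


def render_control_plane_acl(acl, group, interface="outside"):
    """Permit the country group first, deny everything else, bind to the control plane."""
    return [
        f"access-list {acl} extended permit ip object-group {group} any",
        f"access-list {acl} extended deny ip any any",
        f"access-group {acl} in interface {interface} control-plane",
    ]


def first_match(rules, src_ip):
    """Evaluate an ordered rule list the way an ACL does: the first matching entry wins.

    rules is a list of (action, source_prefixes); "any" stands for 0.0.0.0/0.
    Returns "permit", "deny", or "implicit-deny" when no entry matched.
    """
    addr = ipaddress.ip_address(src_ip)
    for action, sources in rules:
        for s in sources:
            net = ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
            if addr in net:
                return action
    return "implicit-deny"


# The order the post uses: permit the country group, then deny any.
GOOD_ORDER = [("permit", ALLOWED_PREFIXES), ("deny", ["any"])]
# The mistake "denied the any any after" guards against: deny placed first blocks everyone.
BAD_ORDER = [("deny", ["any"]), ("permit", ALLOWED_PREFIXES)]


if __name__ == "__main__":
    print("\n".join(render_object_group("GEO_USA_IP_Ranges", ALLOWED_PREFIXES, "All Addresses of USA")))
    print("\n".join(render_control_plane_acl("outside_access_in_2", "GEO_USA_IP_Ranges")))
    for ip in ("198.51.100.10", "192.0.2.10"):
        print(ip, "good order:", first_match(GOOD_ORDER, ip), "bad order:", first_match(BAD_ORDER, ip))
```

The evaluator makes the ordering point concrete: with the permit entry first, an in-country source is permitted and everything else hits the explicit deny; with the deny first, even in-country sources are refused, which on a control-plane ACL means locking yourself out of the VPN as well.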
How do you think IP spoofing works?
I believe it should be possible to configure SAML auth with Azure AD and use AAD Conditional Access country blocking. It is free for all Office 365 customers.
Apparently I didn’t actually know, lmao. Yea so that doesn’t appear to be relevant.
This isn’t quite correct. You need an O365 Biz Premium, E3, E5, Azure AD Premium P1 or P2 license.