
Country restriction on IPsec remote access

Hi,

Do you know how I can protect my IPsec remote access (XG v18 and XG v17.5) with country-based IP restrictions?

Thanks for enlightening me.



This thread was automatically locked due to age.
  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Create a black hole DNAT rule with the required (blocked) source countries as "Original Source" and UDP 500/4500 in "Original Services."

    Check out the following document for more information: 

    The same concept applies to firmware v17.5; for the local services, you'd need to create a black hole DNAT rule and forward the traffic from specific countries to a dummy internal host (a host that does not exist).

    Thanks,
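    The black hole DNAT rule above only helps if IKE traffic (UDP 500/4500) from the selected countries really ends up at the dummy host. The following script is an added example, not part of the original thread or of Sophos' own tooling: it parses firewall log lines in a simplified Sophos XG key=value syslog style (the sample lines, the blocked-country list and the black-hole address are constructed assumptions), counts IKE attempts per source country, and flags any attempt from a blocked country that still reached the real VPN endpoint instead of the black hole.

```python
import re
from collections import Counter

# Constructed sample in a simplified Sophos XG key=value syslog style (not real logs).
SAMPLE_LOGS = """\
log_type="Firewall" status="Allow" fw_rule_id=3 src_ip=203.0.113.7 src_country_code=FR dst_ip=198.51.100.1 protocol="UDP" dst_port=500
log_type="Firewall" status="Allow" fw_rule_id=3 src_ip=203.0.113.7 src_country_code=FR dst_ip=198.51.100.1 protocol="UDP" dst_port=4500
log_type="Firewall" status="Allow" fw_rule_id=9 src_ip=192.0.2.50 src_country_code=RU dst_ip=10.255.255.254 protocol="UDP" dst_port=500
log_type="Firewall" status="Allow" fw_rule_id=3 src_ip=192.0.2.77 src_country_code=CN dst_ip=198.51.100.1 protocol="UDP" dst_port=4500
log_type="Firewall" status="Allow" fw_rule_id=5 src_ip=203.0.113.9 src_country_code=FR dst_ip=198.51.100.1 protocol="TCP" dst_port=443
"""

BLOCKED_COUNTRIES = {"RU", "CN"}   # assumption: the countries selected in the black hole DNAT rule
BLACKHOLE_HOST = "10.255.255.254"  # assumption: the dummy internal host that does not exist
IKE_PORTS = {500, 4500}            # IKE and NAT-T, the "Original Services" of the rule

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_ike(rec):
    """True for UDP traffic to an IKE/NAT-T port."""
    return rec.get("protocol") == "UDP" and int(rec.get("dst_port", 0)) in IKE_PORTS

def audit(log_text):
    """Return (IKE attempts per country, records that bypassed the black hole)."""
    per_country = Counter()
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not is_ike(rec):
            continue
        per_country[rec["src_country_code"]] += 1
        # From a blocked country the only acceptable destination is the black-hole host.
        if rec["src_country_code"] in BLOCKED_COUNTRIES and rec["dst_ip"] != BLACKHOLE_HOST:
            leaks.append(rec)
    return per_country, leaks

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_LOGS)
    print("IKE attempts by country:", dict(counts))
    for rec in leaks:
        print("black hole bypassed:", rec["src_ip"], rec["src_country_code"],
              "->", rec["dst_ip"], "port", rec["dst_port"])
```

    On the sample data the CN attempt to port 4500 is reported as a bypass, which is the case to investigate (rule order, or a country missing from the rule's source list).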

  • Thanks Harsh. It's working fine.

    Is there any way to block all countries except the ones I select?

    Thanks,

  • FormerMember in reply to Samps

    Hi,

    Apologies for the confusion. You would need to select the countries you want to block connection with the black hole DNAT rule. Unfortunately, it's not possible to apply a country blocking rule for local services. The workaround is to forward traffic from these countries to a non-existing host. 

    Thanks,

  • Hi Harsh, I will process like this.

    One last question, sorry for my dumb question, but is it safe to allow traffic from outside to go inside the network even if the destination does not exist?

  • The only dumb question is the question that is not asked :-)

    The other side will just receive an error or time out, as nothing responds. Make sure it points to a non-existing IP target.
