
To be more specific, I have a request from a client to block China's IP range. I know how to do this: I would use the IPs from https://www.countryipblocks.net/e_country_data/CN_netmask.txt and make an ACL. Well, if you take a look at that, there are 3,412 networks I would have to block.

What I'm really asking is: is there a way around making a super large ACL? If it was contiguous IP space I could just supernet, but that is not the case.

evolvd
  • You could do a block on a router by AS Number (smaller list of stuff to block), but not sure about doing it on a firewall... – voretaq7 Jun 16 '11 at 18:41

2 Answers

If a gigantic network object group is more to your liking than a gigantic ACL, then I guess that'd be the other option. It's the same level of ugly in the command line and in execution, but it'd make it prettier in ASDM, I suppose.

Be very careful of blanket blocks of countries; I've seen it cause some interesting issues. ("Why can't I get to Windows Update?" "Oh, you're hitting an Indonesian server, and someone blocked all of Asia")

Shane Madden

I've created a script where all you have to do is choose an authority and it'll give you the configuration to drop into the ASA. It's incredibly accurate.

regional-asa

You can block or allow a specific region if you want. I'll be updating it soon to do specific countries but now it does authorities like ARIN, RIPE, APNIC, etc.

In Transit
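Both answers come down to the same job: take a long per-country prefix list, make it as short as it can honestly be, and emit it as an ASA network object group rather than thousands of bare ACL lines. The script below is an added example, not the regional-asa script mentioned above and not code from the original post. It assumes the netmask file uses one "address netmask" pair per line (the sample input is constructed, not the real CN list), aggregates exact sibling prefixes with `ipaddress.collapse_addresses` so no address outside the list is ever blocked, verifies that property, and prints the `object-group network` block plus one ACL entry that references it. The group and ACL names are placeholders.

```python
import ipaddress
from typing import List

# Constructed sample in the assumed "address netmask" layout; not the real
# country list. Eight entries, deliberately including aligned siblings and one
# prefix (1.0.3.0/24) already covered by its neighbour (1.0.2.0/23).
SAMPLE_NETMASK_LIST = """\
1.0.0.0 255.255.255.0
1.0.1.0 255.255.255.0
1.0.2.0 255.255.254.0
1.0.3.0 255.255.255.0
1.0.4.0 255.255.252.0
1.0.8.0 255.255.248.0
1.0.32.0 255.255.224.0
1.1.0.0 255.255.255.0
"""


def parse_netmask_lines(text: str) -> List[ipaddress.IPv4Network]:
    """Parse 'address netmask' lines into IPv4Network objects, skipping blanks/comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, mask = line.split()
        # strict=False tolerates host bits set in a sloppy source line.
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def aggregate(nets: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent sibling prefixes and drop prefixes covered by larger ones.

    collapse_addresses only joins prefixes that form one exact supernet, so the
    result covers precisely the same addresses as the input: nothing extra is
    blocked, which is the property a country block must keep.
    """
    return list(ipaddress.collapse_addresses(nets))


def verify_no_overblock(original: List[ipaddress.IPv4Network],
                        aggregated: List[ipaddress.IPv4Network]) -> bool:
    """True if every original prefix is inside some aggregated prefix and the
    aggregated set is no larger than the original address space."""
    covered = all(any(o.subnet_of(a) for a in aggregated) for o in original)
    orig_size = sum(n.num_addresses for n in original)   # upper bound (overlaps)
    agg_size = sum(n.num_addresses for n in aggregated)
    return covered and agg_size <= orig_size


def asa_object_group(name: str, nets: List[ipaddress.IPv4Network]) -> str:
    """Render an ASA 'object-group network' block in address/netmask form."""
    lines = [f"object-group network {name}"]
    for n in nets:
        lines.append(f" network-object {n.network_address} {n.netmask}")
    return "\n".join(lines)


def asa_acl_entry(acl_name: str, group_name: str) -> str:
    """One ACL line that denies everything sourced from the group (placeholder names)."""
    return f"access-list {acl_name} extended deny ip object-group {group_name} any"


def build_config(text: str, group_name: str = "COUNTRY-BLOCK",
                 acl_name: str = "OUTSIDE_IN") -> str:
    original = parse_netmask_lines(text)
    aggregated = aggregate(original)
    if not verify_no_overblock(original, aggregated):
        raise ValueError("aggregation changed the blocked address space")
    return asa_object_group(group_name, aggregated) + "\n" + asa_acl_entry(acl_name, group_name)


if __name__ == "__main__":
    nets = parse_netmask_lines(SAMPLE_NETMASK_LIST)
    print(f"{len(nets)} input prefixes -> {len(aggregate(nets))} after aggregation")
    print(build_config(SAMPLE_NETMASK_LIST))
```

Run it against the real netmask file by reading that file into `build_config` instead of the constructed sample; expect a modest reduction, not a dramatic one, since RIR allocations are rarely aligned siblings. Any further shrinking (rounding up to larger supernets) trades accuracy for length and starts blocking addresses that are not in the list, which is exactly the Windows Update style collateral damage Shane warns about.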