ASA 5510 bulk acl blocking

Is there a way to block multiple IP subnets on the asa 5510. Trying to block all traffic from china and dont want to enter all those subnets into the ACL one at a time. Any suggestions would be nice
LVL 1
rcooper83Asked:
Who is Participating?
 
lrmooreConnect With a Mentor Commented:
You can create an object-group and apply the object-group to the acl.
object-group network CHINA
 network-object 123.45.67.0 255.255.255.0
 network-object 122.34.56.0 255.255.255.0
 network-object 45.67.0.0 255.255.0.0

You can add/subtract as many networks to the object-group as you want, and never have to change the simple one-line of the ACL
access-list outside_access_in deny ip object-group CHINA any
0
 
harbor235Commented:



Or you can aggregate IP blocks to block numerous smaller blocks

so for instance you want to block 8 /24s  10.1.0.0/24, 10.1.32.0/24,10.1.64/24, 10.1.96/24,10.1.128/24,10.1.160/24,10.1.64/24,10.1.192/24

or you could just block;

10.1.0.0/21

So you can aggregate smaller IP blocks into supernets if the blocks are aggregatable, they need to be contigous blocks to do so.

harbor235 ;}

harbor235 ;}
0
 
rcooper83Author Commented:
answer was one way to solve problem but not what I was looking for
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.