Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1526
  • Last Modified:

ASA 5510 bulk acl blocking

Is there a way to block multiple IP subnets on the asa 5510. Trying to block all traffic from china and dont want to enter all those subnets into the ACL one at a time. Any suggestions would be nice
0
rcooper83
Asked:
rcooper83
1 Solution
 
lrmooreCommented:
You can create an object-group and apply the object-group to the acl.
object-group network CHINA
 network-object 123.45.67.0 255.255.255.0
 network-object 122.34.56.0 255.255.255.0
 network-object 45.67.0.0 255.255.0.0

You can add/subtract as many networks to the object-group as you want, and never have to change the simple one-line of the ACL
access-list outside_access_in deny ip object-group CHINA any
0
 
harbor235Commented:



Or you can aggregate IP blocks to block numerous smaller blocks

so for instance you want to block 8 /24s  10.1.0.0/24, 10.1.32.0/24,10.1.64/24, 10.1.96/24,10.1.128/24,10.1.160/24,10.1.64/24,10.1.192/24

or you could just block;

10.1.0.0/21

So you can aggregate smaller IP blocks into supernets if the blocks are aggregatable, they need to be contigous blocks to do so.

harbor235 ;}

harbor235 ;}
0
 
rcooper83Author Commented:
answer was one way to solve problem but not what I was looking for
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now