

How to block all IP addresses not from the USA

Posted on 2010-08-17
Medium Priority
Last Modified: 2013-11-16
I have been tasked with blocking all IP addresses not from the USA from our system.

I am looking for suggestions on the easiest way to set up our ASA5510s.
Question by: jimmylew52

Assisted Solution

uscshaggy earned 600 total points
ID: 33456387
There isn't a standard block of addresses that will always indicate a US-based device/computer. There will be hundreds of IP ranges that are pretty constantly changing. In order to block non-US IPs effectively, you really need to use geolocation software or a service on your Web Server. See this link for an example:

Accepted Solution

drcheap earned 1000 total points
ID: 33456507
This is true, it is not easy to directly and accurately correlate geographical location to IP address, much less large blocks of them.

Resources which may help a lot though:

More specifically:

Assisted Solution

Elysithea earned 400 total points
ID: 33484506
I would love to know the reason for doing this... but anyway

I guess if you need to do it on your routers it would be easier to block all and just allow the USA blocks - at least this would minimise the number of address blocks you are worried about.

It might be worth a call to your ISP as it could be a lot easier for them to do this, as they will probably have a gateway for international traffic where they could deny access for your account. I am not sure how this works exactly, but the alternative of geolocation or managing address blocks is going to be difficult to say the least - probably worth a try.

Author Comment

ID: 33484740
Thanks to all of you, I have settled on an acceptable solution. I will be blocking the majority of the IP blocks from Asia and Europe. So far it has been helpful in blocking the attacks coming from there.

Reason - a couple of our servers that have been attacked have problems during the attacks and require us to monitor them constantly to keep them operational. The attacker does not gain entry to the server, but it (I believe it is a bot) stalls one of the services during the attack. We are not able to limit the IPs that have access because they are constantly changing. The IPs are all USA IPs.

Expert Comment

ID: 33486052
OK, if that's the problem there might be a better solution to this.

Without going really deep, you could put a UTM protecting the servers that will block most or probably all of this type of activity.

We use SonicWall for this type of situation; probably a small device will do, e.g. TZ210 or NSA240. You can configure these in transparent mode so they will sit there inspecting all the traffic in and out of the servers and blocking the attacks, viruses, spyware and intrusion attempts etc. As the unit is in transparent mode it will not affect the IP configuration in any way and will just provide an additional line of defense. We use SonicWall because they inspect (DPI) traffic on the fly and there are no proxies involved; they have a multicore architecture. You can also get a lot of info off the device as it has a lot of cool features, including a packet capture facility which is very useful for finding out what is going on.
Another thing is that you can create address objects using FQDN, which means you don't have to track the IPs associated with the domain name. I could go on, but I guess you get the idea.

I am sure there are other solutions out there and this is not a sales attempt.

Hope this helps

Expert Comment

ID: 34443866
I'm researching the same thing/issue.

I'd just prefer to allow ONLY US IP assignments to my network.

While I recognize all of the caveats, (i.e. they can use proxies, US providers via dial-ups, etc...) that will be "a way" to get around my rules, BUT restricting to USA (only!) IP assignments I know will slow down a good deal of the crap that comes in, mostly from outside the US.

Too, assisting with forensics for/from IPs that originate from the US-Providers will be just that much easier to deal with.

Lastly, I know IPs change all over the place, but it's not likely what was/is an IP originating from one country today will all of a sudden be given to another.

Restricting all traffic BUT USA IP assignments will/can help a good chunk of our hassles go away. On that note, I realize a good deal of it/them will/can probably still happen, but I'm banking there will not be as much.
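The "block everything, permit only the listed US blocks" approach suggested in two of the comments above, worked through as an added example that is not part of the original thread. It generates an ASA object-group and an inbound ACL from a list of CIDR prefixes and lets you check a given address against the list; the prefixes are constructed RFC 5737 documentation ranges standing in for real allocations, and the group, ACL and interface names are assumptions.

```python
import ipaddress

# Constructed stand-in for "US" allocations: RFC 5737 documentation prefixes,
# NOT real registry data. A real allow-list comes from a registry or geolocation
# feed, runs to thousands of prefixes, and must be regenerated as it changes.
US_BLOCKS = [
    "198.51.100.0/25",
    "198.51.100.128/25",  # adjacent to the /25 above; collapses into one /24
    "203.0.113.0/24",
    "192.0.2.0/24",
]


def build_asa_acl(allowed_cidrs, group="US-ALLOWED", acl="OUTSIDE_IN",
                  iface="outside"):
    """Return ASA config lines: an object-group holding the allowed networks,
    a permit for that group, an explicit logged deny, and the inbound binding.

    Because the ASA is stateful, an inbound ACL on the outside interface only
    affects connections initiated from outside; replies to sessions opened by
    inside hosts are still passed by the connection table.
    """
    nets = sorted({ipaddress.ip_network(c, strict=False) for c in allowed_cidrs})
    # Merge adjacent/overlapping prefixes so the object-group stays small.
    nets = list(ipaddress.collapse_addresses(nets))
    lines = [f"object-group network {group}"]
    for n in nets:
        lines.append(f" network-object {n.network_address} {n.netmask}")
    lines += [
        f"access-list {acl} extended permit ip object-group {group} any",
        f"access-list {acl} extended deny ip any any log",
        f"access-group {acl} in interface {iface}",
    ]
    return lines


def is_allowed(ip, allowed_cidrs):
    """True if ip falls inside any prefix of the allow-list (default deny)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False)
               for c in allowed_cidrs)


if __name__ == "__main__":
    print("\n".join(build_asa_acl(US_BLOCKS)))
    for probe in ("198.51.100.200", "10.0.0.1"):
        print(probe, "allowed" if is_allowed(probe, US_BLOCKS) else "denied")
```

Review the generated lines before pasting them into the ASA; the explicit deny with `log` is what lets you see from syslog which sources are being dropped and confirm the list is not too narrow.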
