  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4383

Blocking country IP Ranges with Cisco 5510 ASDM

Hi,
I recently added a Cisco 5510 firewall in front of my server to block several countries from accessing my site.
Since I am not a pro, I was wondering how to do that?!
I have started the ASDM manager and I am able to add rules (as far as I understand).
Now I can take from here:
http://www.countryipblocks.net/country-blocks/cisco-acl-format/
IP Ranges from certain countries, e.g. China.

Question: how do I import this whole list of IP ranges into the firewall to block the outside requests from those, without adding every range manually?!
I tried to figure this out but no luck; there must be a way, though.

Any hints or step-by-step guides are appreciated!

Thanks
2 Solutions
 
sven2012Author Commented:
sorry, where to find ACL? I am with ASDM over the browser, I do not have direct access to the Hardware.

I have though:
Configuration > Firewall > Advanced > ACL Manager
but there is no import on "File" ?!
0
 
AnuroopsunddCommented:
Then the simple way will be to download the current configuration to your desktop, make the changes with the ACL of the IPs (big list) and upload the configuration back..
0
 
sven2012Author Commented:
you mean with tools --> Save & Backup Configuration?

Is it so difficult??!?

but then still, where to put the output of the above mentioned link?!
3.0.0.0 0.255.255.255
4.0.0.0 0.255.255.255
6.0.0.0 0.255.255.255
7.0.0.0 0.255.255.255
8.0.0.0 0.255.255.255
9.0.0.0 0.255.255.255 etc.

would be:
access-list outside_access_in extended deny tcp any host 3.0.0.0 0.255.255.255 eq http
etc?

Sorry, maybe a step by step instruction would be more helpful, I am not a pro (yet) on this.
0
 
AnuroopsunddCommented:
You can make the ACL list using the tool ACL Manager. This helps to import the text file:
http://download.cnet.com/ACL-Manager/3000-2381_4-10850114.html

Telnet to the device and download the configuration using TFTP,
or use the ACL Manager to connect to the device and download the configuration.

Make the required changes (import your ACL file) and check.

Once you download and install the tool, it has a very good video tutorial to show how it works.
0
 
sven2012Author Commented:
I don't understand the point; even in the ACL Manager I have to add every single IP line by line, and the program seems old and buggy.
Then I can stay at the ASDM manager and add every line, which is not possible since we are talking about 10000 lines....
0
 
AnuroopsunddCommented:
You can download the configuration using TFTP and then open it in a normal application like Notepad.
Add the lines that you want to the file and upload it back.
0
 
sven2012Author Commented:
ok, so when I have the import list:
223.192.0.0 0.0.255.255
223.193.0.0 0.0.255.255
223.198.0.0 0.0.255.255
223.199.0.0 0.0.255.255
223.201.0.0 0.0.255.255
223.202.0.0 0.0.255.255
223.203.0.0 0.0.255.255
223.208.0.0 0.3.255.255
223.212.0.0 0.0.255.255
223.213.0.0 0.0.255.255

it will be:
access-list acl_out deny ip 223.213.0.0 0.0.255.255 any
etc.
I have to add before the IP the "access-list acl_out deny ip" and after it "any"

also, the subnet seems not to be supported?
here it is 0.0.255.255
is it not usually 255.255.0.0. etc.?!
0
 
AnuroopsunddCommented:
You are right.
You will need to change the subnet mask correctly. Maybe use some function in Excel and make the list.
0
 
Ernie BeekExpertCommented:
The thing here is that this list is using inverse subnets (0.0.0.255 instead of 255.255.255.0) so you'll need to convert those first (or find a list which already has those) because the ASA uses 'normal' subnet masks.
After that, add (with some help of a text editor) network-object to each line so you get something like:

network-object 1.0.0.0 255.255.255.0
network-object 2.0.0.0 255.255.255.0

etc.

At the top of this list add:  object-group network countryblock so the result would be:


object-group network countryblock
network-object 1.0.0.0 255.255.255.0
network-object 2.0.0.0 255.255.255.0

etc.

You have now created an object group that holds all the ranges you want to block. Using the ASDM you can paste that into the ASA using: tools->command line interface and then select multiple lines. After that you can use one ACL entry to apply this list:
access-list outside_access_in extended deny ip object-group countryblock any

If you already have an access list defined, use that name instead of: outside_access_in

Hope this helps (and makes any sense to you ;)

-edit-

You have been posting while I was typing so I see you figured some things out already :)
0
 
sven2012Author Commented:
now we are getting closer :)
I did a test like this:

access-list outside_access_in extended deny ip object-group countryblock any
object-group network countryblock
network-object 1.0.1.0 255.255.255.0
network-object 1.0.2.0 255.255.254.0
network-object 1.0.8.0 255.255.248.0
network-object 1.0.32.0 255.255.224.0
network-object 1.1.0.0 255.255.255.0
network-object 1.1.2.0 255.255.254.0


It seems like it got imported, though I cannot see the rules in the ASDM manager,
neither in Configuration > Firewall > Advanced > ACL Manager
nor in Configuration > Firewall > Access Rules,
though I can see them on the right of the ASDM manager.

something went wrong obviously?!
0
 
AnuroopsunddCommented:
Please see the attached Excel. I did the complete stuff so that you can just copy the J column from the Excel to your file.
Surely this should ease your work. :)
Book1.xlsx
0
 
Ernie BeekExpertCommented:
Ok, so you can see the object group (to the right) but not the ACL?

The name of the outside ACL that's already there (if any) is outside_access_in?

I'm more a CLI kind of guy, so could you do the following:

Through tools->command line interface give the command: wr t
This will give you the ASA's config in text. Check if the object group is there (should be) and what access lists you have. There should also be a command access-group that applies the ACL to the interface(s); what does it say?
0
 
sven2012Author Commented:
erniebeek:
the name of the existing ACL is "outside_access_in" and I have another one "test"
but

in the config files it says:

object-group network countryblock
 network-object 1.0.1.0 255.255.255.0
 network-object 1.0.2.0 255.255.254.0
 network-object 1.0.8.0 255.255.248.0
 network-object 1.0.32.0 255.255.224.0
 network-object 1.1.0.0 255.255.255.0
 network-object 1.1.2.0 255.255.254.0


but there is no rule applied?!

Anuroopsundd:
thanks for this! I added this to the running-config.cfg file and tried to import the config but it always says "invalid zip file" :P
I am going crazy here slowly.....

i understand the structure of the sheet, but why you write
access-list outside_access_in extended deny ip object-group
and not
access-list outside_access_in extended deny ip host

must it be no host?
0
 
AnuroopsunddCommented:
my mistake.. was clumsy work and I forgot what I was doing.. see attached new...
This should work
Book1.xlsx
0
 
Ernie BeekExpertCommented:
Did you first add: access-list outside_access_in extended deny ip object-group countryblock any
and after that created the object group?
Try adding: access-list outside_access_in extended deny ip object-group countryblock any again then.
0
 
Ernie BeekExpertCommented:
@Anuroopsundd: Nice sheet :) I grabbed a copy myself. One question, how did you fill out that reverse mask in four columns? I assume you didn't do that manually :-~
0
 
AnuroopsunddCommented:
Select the complete column B
Click on the Data tab at the top
Click on Text to Columns
Select Delimited and click Next
Select Other and in the box type .
Click Next and Finish.

This gave us four columns with the mask separately.
In column H I used the CONCATENATE function to reverse the mask:
=CONCATENATE(F2,".",E2,".",D2,".",C2)
0
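The conversion that Ernie Beek describes and that the Excel recipe above does by hand (invert the wildcard mask, prefix each line with network-object, wrap the list in an object-group, then reference the group from one ACL entry) as a script. This is an added example, not code from the thread or from the spreadsheet; the input lines are constructed in the countryipblocks.net style, the names countryblock and outside_access_in follow the thread, and the optional split into numbered groups for very large lists is a generalisation of what the later replies suggest.

```python
import ipaddress

# Constructed sample in the "Cisco ACL format" quoted in the thread: network
# address followed by a wildcard (inverse) mask, one range per line.
SAMPLE_LIST = """\
1.0.1.0 0.0.0.255
1.0.2.0 0.0.1.255
1.0.8.0 0.0.7.255
1.0.32.0 0.0.31.255
223.208.0.0 0.3.255.255
"""

def wildcard_to_netmask(wildcard):
    """Turn a wildcard mask (0.0.1.255) into the normal netmask the ASA wants (255.255.254.0)."""
    octets = [int(o) for o in wildcard.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad wildcard mask: {wildcard}")
    netmask = ".".join(str(255 - o) for o in octets)
    # Reject non-contiguous results (e.g. octets pasted in the wrong order, as
    # happened with the first spreadsheet); the ASA would reject them too.
    host_bits = int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous netmask {netmask} from wildcard {wildcard}")
    return netmask

def parse_wildcard_list(text):
    """Yield (network, netmask) pairs; blank lines and '!' comments are skipped."""
    for line in text.splitlines():
        line = line.split("!", 1)[0].strip()
        if not line:
            continue
        net, wild = line.split()
        mask = wildcard_to_netmask(wild)
        ipaddress.ip_network(f"{net}/{mask}", strict=True)  # net must be a real network address
        yield net, mask

def build_config(text, group_name, acl_name="outside_access_in", chunk=1000):
    """Return ASA CLI lines: object-group(s) first, then one deny ACE per group."""
    # A group must exist before an ACE references it, so groups are emitted first.
    # With more than `chunk` ranges the list is split into group_name1, group_name2, ...
    entries = list(parse_wildcard_list(text))
    groups = [entries[i:i + chunk] for i in range(0, len(entries), chunk)]
    lines, names = [], []
    for n, members in enumerate(groups, 1):
        name = group_name if len(groups) == 1 else f"{group_name}{n}"
        names.append(name)
        lines.append(f"object-group network {name}")
        lines.extend(f" network-object {net} {mask}" for net, mask in members)
    for name in names:
        lines.append(f"access-list {acl_name} extended deny ip object-group {name} any")
    return lines
```

Paste the output of build_config into tools->command line interface (multiple lines) and then move the resulting ACL entry to the top of the access list in ASDM, as the thread recommends.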
 
sven2012Author Commented:
sorry, I am confused now.

I add only this to the config file?!

network-object 1.0.1.0 255.0.0.0
network-object 1.0.2.0 255.1.0.0
network-object 1.0.8.0 255.7.0.0
network-object 1.0.32.0 255.31.0.0
network-object 1.1.0.0 255.0.0.0
network-object 1.1.2.0 255.1.0.0
network-object 1.1.4.0 255.3.0.0
network-object 1.1.8.0 255.7.0.0


and no rule like this?!

access-list outside_access_in extended deny ip object-group 1.0.1.0 255.0.0.0 any

I added the command
access-list outside_access_in extended deny ip object-group countryblock any
again and now at the rules "country" block appears!
so we got it now? :P
0
 
AnuroopsunddCommented:
Yes. so you have the rule now...
0
 
Ernie BeekExpertCommented:
You define all the ranges in the object group
object-group network countryblock so it should show like

object-group network countryblock
network-object 1.0.1.0 255.0.0.0
network-object 1.0.2.0 255.1.0.0
network-object 1.0.8.0 255.7.0.0
network-object 1.0.32.0 255.31.0.0
network-object 1.1.0.0 255.0.0.0
network-object 1.1.2.0 255.1.0.0
network-object 1.1.4.0 255.3.0.0
network-object 1.1.8.0 255.7.0.0


After that you only need one ACL entry:
access-list outside_access_in extended deny ip object-group countryblock any and the ASA will do the rest.

If you enter the command: show access-list outside_access_in you will see that that one line is extended to multiple lines.


@Anuroopsundd: Thanks! I think I can make good use of this :)
0
 
Ernie BeekExpertCommented:
B.t.w. In ASDM, move that ACL entry up to the top to make sure nothing gets through.
0
 
AnuroopsunddCommented:
@erniebeek- Glad this can help you tooo..
0
 
sven2012Author Commented:
so now I added more lines into the CLI like this:

object-group network countryblock
network-object 1.1.4.0 255.3.0.0
network-object 1.1.8.0 255.7.0.0
network-object 1.1.16.0 255.15.0.0
network-object 1.1.32.0 255.31.0.0
network-object 1.2.0.0 255.1.0.0
network-object 1.2.2.0 255.0.0.0
etc.

to extend the object group "countryblock" but it seems like I added too many of them and it froze.

so basically if I want to add now IPs for India to be blocked I do the same steps and I could add a new group called "india" instead of "countryblock", correct?

I also found lists with the correct subnet and not reversed.

thanks guys, today I learned again a lot ;-)

If I add too many rules might there be a possibility over "overloading" the firewall?
0
 
AnuroopsunddCommented:
yes, as the list is too big it is better to have different ones for different countries..
and in case the country has a big list you should break it down further,
like China1, China2
0
 
Ernie BeekExpertCommented:
Normally an ASA should be able to cope with tens of thousands of lines, though it might have some impact on performance. And it is a good idea to break it down a bit. It might be easier to manage as well.
0
