sven2012

asked on

Blocking country IP Ranges with Cisco 5510 ASDM

Hi,
I recently added a Cisco 5510 Firewall in front of my server to block several countries from accessing my site.
Since I am not a pro I was wondering how to do that?!
I have started the ASDM manager and I am able to add rules (as far as I understand).
Now I can take from here:
http://www.countryipblocks.net/country-blocks/cisco-acl-format/
IP Ranges from certain countries, e.g. China.

Question: how to import this whole list of IP Ranges into the firewall to block the outside requests from those without adding every range manually?!
I tried to figure this out but no luck, there must be a way though.

Any hints or step-by-step guides are appreciated!

Thanks
Anuroopsundd:

sven2012 (ASKER):

sorry, where to find ACL? I am with ASDM over the browser, I do not have direct access to the Hardware.

I have though:
Configuration > Firewall > Advanced > ACL Manager
but there is no import on "File" ?!
Then a simple way will be to download the current configuration to your desktop, make the changes with the ACL of the IPs (big list) and upload the configuration back.
you mean with tools --> Save & Backup Configuration?

Is it so difficult??!?

but then stil, where to put the output of the above mentioned link?!
3.0.0.0 0.255.255.255
4.0.0.0 0.255.255.255
6.0.0.0 0.255.255.255
7.0.0.0 0.255.255.255
8.0.0.0 0.255.255.255
9.0.0.0 0.255.255.255 etc.

would be:
access-list outside_access_in extended deny tcp any host 3.0.0.0 0.255.255.255 eq http
etc?

Sorry, maybe a step-by-step instruction would be more helpful, I am not a pro (yet) on this.
You can make the ACL list using the tool ACL Manager; it helps to import the text file:
http://download.cnet.com/ACL-Manager/3000-2381_4-10850114.html

Telnet to device and download the configuration using TFTP
or use the ACL Manager to connect to the device and download the configuration.

make the required changes (import your ACL file) and check.

Once you download and install the tool, it has a very good video tutorial to show how it works.
I don't understand the point, even in the ACL manager I have to add every single IP line by line, and the program seems old and buggy.
Then I can stay at ASDM manager and add every line, which is not possible since we are talking about 10000 lines....
You can download the configuration using TFTP and then open it in a normal application like Notepad.
add the lines that you want to the file and upload it back.
ok, so when I have the import list:
223.192.0.0 0.0.255.255
223.193.0.0 0.0.255.255
223.198.0.0 0.0.255.255
223.199.0.0 0.0.255.255
223.201.0.0 0.0.255.255
223.202.0.0 0.0.255.255
223.203.0.0 0.0.255.255
223.208.0.0 0.3.255.255
223.212.0.0 0.0.255.255
223.213.0.0 0.0.255.255

it will be:
access-list acl_out deny ip 223.213.0.0 0.0.255.255 any
etc.
I have to add before the IP the "access-list acl_out deny ip" and after "any"

also, the subnet seems not to be supported?
here it is 0.0.255.255
is it not usually 255.255.0.0. etc.?!
You are right.
You will need to change the subnet mask correctly. Maybe use some function in Excel to make the list.
Ernie Beek:
The thing here is that this list is using inverse subnets (0.0.0.255 instead of 255.255.255.0) so you'll need to convert those first (or find a list which already has those) because the ASA uses 'normal' subnet masks.
After that, add (with some help of a text editor) network-object to each line so you get something like:

network-object 1.0.0.0 255.255.255.0
network-object 2.0.0.0 255.255.255.0

etc.

At the top of this list add:  object-group network countryblock so the result would be:


object-group network countryblock
network-object 1.0.0.0 255.255.255.0
network-object 2.0.0.0 255.255.255.0

etc.

You have now created an object group that holds all the ranges you want to block. Using the ASDM you can paste that into the ASA using: tools->command line interface and then select multiple lines. After that you can use one ACL entry to apply this list:
access-list outside_access_in extended deny ip object-group countryblock any

If you already have an access list defined, use that name instead of: outside_access_in

Hope this helps (and makes any sense to you ;)

-edit-

You have been posting while I was typing so I see you figured some things out already :)
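Added example (editor's note; this is not code from any of the posts above, nor from countryipblocks.net): a small Python script that does the conversion Ernie Beek describes and prints the paste-ready object-group plus the deny ACE. It complements each wildcard mask bit by bit (0.0.0.255 becomes 255.255.255.0; merely reversing the octet order would give 255.0.0.0, which is a different mask), rejects non-contiguous masks and addresses whose host bits are set, drops duplicate and merges adjacent blocks, and can split a long list into several groups. The group name countryblock, the ACL name outside_access_in, the chunk size and the sample list (the six blocks quoted in the thread plus a few constructed lines, including a host in the 203.0.113.0/24 documentation range) are assumptions made for the example.

```python
"""Turn a country IP block list into Cisco ASA object-group configuration.

Added example for this thread, not code from any of the posts or from
countryipblocks.net. Assumed: list lines are "ADDRESS MASK" with the mask in
wildcard form (0.0.0.255, as on countryipblocks.net) or normal form
(255.255.255.0), or "ADDRESS/PREFIX"; the names countryblock and
outside_access_in are the thread's; the chunk size is an arbitrary choice.
"""
import ipaddress
from typing import Iterable, List, Optional

ALL_ONES = 0xFFFFFFFF  # 32 one-bits; XOR with it complements a mask


def wildcard_to_netmask(wildcard: str) -> str:
    """Bitwise complement of a wildcard mask: 0.0.0.255 -> 255.255.255.0.

    Reversing the octet order (0.0.0.255 -> 255.0.0.0) is not the same
    operation and produces a wrong mask.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(w ^ ALL_ONES))


def netmask_prefix_len(netmask: str) -> int:
    """Prefix length of a subnet mask; rejects non-contiguous masks (255.1.0.0)."""
    host_bits = int(ipaddress.IPv4Address(netmask)) ^ ALL_ONES
    if host_bits & (host_bits + 1):  # host part must look like 0...01...1
        raise ValueError(f"{netmask} is not a contiguous subnet mask")
    return 32 - host_bits.bit_length()


def parse_entry(line: str, form: str) -> ipaddress.IPv4Network:
    """Parse one list line; form is 'wildcard' or 'netmask'.

    CIDR lines are accepted in either form. strict=True makes ipaddress
    reject an address with host bits set, which is what a mask that does
    not belong to the address (1.0.1.0 255.0.0.0) looks like.
    """
    line = line.strip()
    if "/" in line:
        return ipaddress.IPv4Network(line, strict=True)
    addr, mask = line.split()
    if form == "wildcard":
        mask = wildcard_to_netmask(mask)
    elif form != "netmask":
        raise ValueError(f"unknown list form {form!r}")
    return ipaddress.IPv4Network(f"{addr}/{netmask_prefix_len(mask)}", strict=True)


def is_valid_entry(line: str, form: str) -> bool:
    """True if the line parses cleanly, False on any mask/address error."""
    try:
        parse_entry(line, form)
        return True
    except ValueError:
        return False


def parse_list(text: str, form: str) -> List[ipaddress.IPv4Network]:
    """Parse a whole list, dropping duplicates and merging adjacent blocks."""
    nets = [parse_entry(l, form) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith(("!", "#"))]
    return list(ipaddress.collapse_addresses(nets))


def build_config(nets: Iterable[ipaddress.IPv4Network], group: str = "countryblock",
                 acl: str = "outside_access_in", chunk: int = 2000,
                 line: Optional[int] = None) -> str:
    """Emit object-group(s) plus one deny ACE per group, ready to paste.

    More than `chunk` networks are split into group1, group2, ... so each
    paste stays small. `line` inserts the ACE at that ACL position
    (access-list NAME line N ...) instead of appending it at the end.
    """
    nets = list(nets)
    parts = [nets[i:i + chunk] for i in range(0, len(nets), chunk)]
    out = []
    for idx, part in enumerate(parts, 1):
        name = group if len(parts) == 1 else f"{group}{idx}"
        out.append(f"object-group network {name}")
        for n in part:
            if n.prefixlen == 32:
                out.append(f" network-object host {n.network_address}")
            else:
                out.append(f" network-object {n.network_address} {n.netmask}")
        pos = f" line {line + idx - 1}" if line is not None else ""
        out.append(f"access-list {acl}{pos} extended deny ip object-group {name} any")
    return "\n".join(out) + "\n"


# Constructed sample in countryipblocks.net wildcard format: the six blocks
# quoted in the thread, one duplicate line, two adjacent /24s that merge
# into a /23, and a single host in the 203.0.113.0/24 documentation range.
SAMPLE_WILDCARD_LIST = """\
1.0.1.0 0.0.0.255
1.0.2.0 0.0.1.255
1.0.8.0 0.0.7.255
1.0.32.0 0.0.31.255
1.1.0.0 0.0.0.255
1.1.2.0 0.0.1.255
1.1.2.0 0.0.1.255
1.2.0.0 0.0.0.255
1.2.1.0 0.0.0.255
203.0.113.7 0.0.0.0
"""

if __name__ == "__main__":
    print(build_config(parse_list(SAMPLE_WILDCARD_LIST, "wildcard"), line=1))
```

Run it as a script to print the config, paste the output through Tools > Command Line Interface with "multiple lines" selected, and then confirm with `show running-config object-group` and `show running-config access-list` that both the group and the ACE made it in. The `line` argument uses the ASA's `access-list NAME line N` syntax so the deny lands above any existing permit entries rather than at the end of the list, which is the same point as moving the entry to the top in ASDM afterwards.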
now we are getting closer :)
I did a test like this:

access-list outside_access_in extended deny ip object-group countryblock any
object-group network countryblock
network-object 1.0.1.0 255.255.255.0
network-object 1.0.2.0 255.255.254.0
network-object 1.0.8.0 255.255.248.0
network-object 1.0.32.0 255.255.224.0
network-object 1.1.0.0 255.255.255.0
network-object 1.1.2.0 255.255.254.0


it seems like it got imported though I cannot see the rules at the ASDM manager
neither in Configuration > Firewall > Advanced > ACL Manager
nor in Configuration > Firewall > Access Rules
though I can see them in the right of the ASDM manager.

something went wrong obviously?!
Please see the attached Excel. I did the complete stuff so that you can just copy the J column from the Excel to your file.
Surely this should ease your work. :)
Book1.xlsx
Ok, so you can see the object group (to the right) but not the ACL?

The name of the outside ACL that's already there (if any) is outside_access_in?

I'm more a CLI kind of guy, so could you do the following:

Through  tools->command line interface give the command: wr t
This will give you the ASA's config in text. Check if the object group is there (should be) and what access lists you have. There should also be a command access-group that applies the ACL to the interface(s), what does it say?
erniebeek:
the name of the existing ACL is "outside_access_in" and I have another one "test"
but

in the config files it says:

object-group network countryblock
 network-object 1.0.1.0 255.255.255.0
 network-object 1.0.2.0 255.255.254.0
 network-object 1.0.8.0 255.255.248.0
 network-object 1.0.32.0 255.255.224.0
 network-object 1.1.0.0 255.255.255.0
 network-object 1.1.2.0 255.255.254.0


but there is no rule applied?!

Anuroopsundd:
thanks for this! I added this to the running-config.cfg file and tried to import the config but it always says "invalid zip file" :P
I am going crazy here slowly.....

i understand the structure of the sheet, but why you write
access-list outside_access_in extended deny ip object-group
and not
access-list outside_access_in extended deny ip host

must it be no host?
ASKER CERTIFIED SOLUTION
Anuroopsundd

Did you first add: access-list outside_access_in extended deny ip object-group countryblock any
and after that created the object group?
Try adding: access-list outside_access_in extended deny ip object-group countryblock any again then.
@Anuroopsundd: Nice sheet :) I grabbed a copy myself. One question, how did you fill out that reverse mask in four columns? I assume you didn't do that manually :-~
Select the complete column B.
Click on the Data tab at the top.
Click on Text to Columns.
Select Delimited and click Next.
Select Other and type . in the box.
Click Next and Finish.

This gave us four columns with the mask separately.
In column H I used the CONCATENATE function to reverse the mask:
=CONCATENATE(F2,".",E2,".",D2,".",C2)
sorry, I am confused now.

I add only this to the config file?!

network-object 1.0.1.0 255.0.0.0
network-object 1.0.2.0 255.1.0.0
network-object 1.0.8.0 255.7.0.0
network-object 1.0.32.0 255.31.0.0
network-object 1.1.0.0 255.0.0.0
network-object 1.1.2.0 255.1.0.0
network-object 1.1.4.0 255.3.0.0
network-object 1.1.8.0 255.7.0.0


and no rule like this?!

access-list outside_access_in extended deny ip object-group 1.0.1.0 255.0.0.0 any

I added the command
access-list outside_access_in extended deny ip object-group countryblock any
again and now at the rules "country" block appears!
so we got it now? :P
Yes, so you have the rule now...
SOLUTION
B.t.w. In ASDM, move that ACL entry up to the top to make sure nothing gets through.
@erniebeek - Glad this can help you too..
So now I added more lines into the CLI like this:

object-group network countryblock
network-object 1.1.4.0 255.3.0.0
network-object 1.1.8.0 255.7.0.0
network-object 1.1.16.0 255.15.0.0
network-object 1.1.32.0 255.31.0.0
network-object 1.2.0.0 255.1.0.0
network-object 1.2.2.0 255.0.0.0
etc.

to extend the object group "countryblock" but it seems like I added too many of them and it froze.

so basically if I want to add now IPs for India to be blocked I do the same steps and I could add a new group called "india" instead of "countryblock", correct?

I also found lists with the correct subnet masks and not reversed.

thanks guys, today I learned again a lot ;-)

If I add too many rules might there be a possibility over "overloading" the firewall?
Yes, as the list is too big it is better to have different groups for different countries,
and in case the country has a big list you should break it down further,
like China1, China2.
Normally an ASA should be able to cope with tens of thousands of lines, though it might have some impact on performance. And it is a good idea to break it down a bit; it might be easier to manage as well.