Solved

Blocking country IP Ranges with Cisco 5510 ASDM

Posted on 2012-04-07
Last Modified: 2012-04-21
Hi,
I recently added a Cisco 5510 Firewall in front of my server to block several countries from accessing my site.
Since I am not a pro I was wondering how to do that?!
I have started the ASDM manager and I am able to add rules (as far as I understand).
Now I can take from here:
http://www.countryipblocks.net/country-blocks/cisco-acl-format/
IP Ranges from certain countries, e.g. China.

Question: how to import this whole list of IP Ranges into the firewall to block the outside requests from those without adding every range manually?!
I tried to figure this out but no luck, there must be a way though.

Any hints or step-by-step guides are appreciated!

Thanks
Question by:sven2012
26 Comments

Expert Comment

by:Anuroopsundd
ID: 37818907

Author Comment

by:sven2012
ID: 37818955
Sorry, where do I find the ACL? I am using ASDM over the browser, I do not have direct access to the hardware.

I have, though:
Configuration > Firewall > Advanced > ACL Manager
but there is no import under "File"?!

Expert Comment

by:Anuroopsundd
ID: 37818967
Then the simple way will be to download the current configuration to your desktop, make the changes with the ACL of the IPs (big list) and upload the configuration back.

Author Comment

by:sven2012
ID: 37818977
You mean with Tools --> Save & Backup Configuration?

Is it so difficult??!?

But then still, where do I put the output of the above mentioned link?!
3.0.0.0 0.255.255.255
4.0.0.0 0.255.255.255
6.0.0.0 0.255.255.255
7.0.0.0 0.255.255.255
8.0.0.0 0.255.255.255
9.0.0.0 0.255.255.255 etc.

would be:
access-list outside_access_in extended deny tcp any host 3.0.0.0 0.255.255.255 eq http
etc?

Sorry, maybe a step-by-step instruction would be more helpful, I am not a pro (yet) on this.

Expert Comment

by:Anuroopsundd
ID: 37818988
You can make the ACL list using the tool ACL Manager. This helps to import the text file:
http://download.cnet.com/ACL-Manager/3000-2381_4-10850114.html

Telnet to the device and download the configuration using TFTP,
or use the ACL Manager to connect to the device and download the configuration.

Make the required changes (import your ACL file) and check.

Once you download and install the tool, it has a very good video tutorial to show how it works.

Author Comment

by:sven2012
ID: 37819019
I don't understand the point, even in the ACL Manager I have to add every single IP line by line, and the program seems old and buggy.
Then I can stay with the ASDM manager and add every line, which is not possible since we are talking about 10000 lines....

Expert Comment

by:Anuroopsundd
ID: 37819027
You can download the configuration using TFTP and then open it in a normal application like Notepad.
Add the lines that you want to the file and upload it back.

Author Comment

by:sven2012
ID: 37819071
OK, so when I have the import list:
223.192.0.0 0.0.255.255
223.193.0.0 0.0.255.255
223.198.0.0 0.0.255.255
223.199.0.0 0.0.255.255
223.201.0.0 0.0.255.255
223.202.0.0 0.0.255.255
223.203.0.0 0.0.255.255
223.208.0.0 0.3.255.255
223.212.0.0 0.0.255.255
223.213.0.0 0.0.255.255

it will be:
access-list acl_out deny ip 223.213.0.0 0.0.255.255 any
etc.
I have to add before the IP the "access-list acl_out deny ip" and after it "any".

Also, the subnet mask seems not to be supported?
Here it is 0.0.255.255,
is it not usually 255.255.0.0 etc.?!

Expert Comment

by:Anuroopsundd
ID: 37819073
You are right.
You will need to change the subnet mask correctly. Maybe use some function in Excel and make the list.

Expert Comment

by:Ernie Beek
ID: 37819084
The thing here is that this list is using inverse subnet masks (0.0.0.255 instead of 255.255.255.0) so you'll need to convert those first (or find a list which already has those) because the ASA uses 'normal' subnet masks.
After that, add (with some help of a text editor) network-object to each line so you get something like:

network-object 1.0.0.0 255.255.255.0
network-object 2.0.0.0 255.255.255.0

etc.

At the top of this list add: object-group network countryblock, so the result would be:


object-group network countryblock
network-object 1.0.0.0 255.255.255.0
network-object 2.0.0.0 255.255.255.0

etc.

You have now created an object group that holds all the ranges you want to block. Using ASDM you can paste that into the ASA using Tools -> Command Line Interface and then select multiple lines. After that you can use one ACL entry to apply this list:
access-list outside_access_in extended deny ip object-group countryblock any

If you already have an access list defined, use that name instead of: outside_access_in

Hope this helps (and makes any sense to you ;)

-edit-

You have been posting while I was typing so I see you figured some things out already :)

Author Comment

by:sven2012
ID: 37819112
now we are getting closer :)
I did a test like this:

access-list outside_access_in extended deny ip object-group countryblock any
object-group network countryblock
network-object 1.0.1.0 255.255.255.0
network-object 1.0.2.0 255.255.254.0
network-object 1.0.8.0 255.255.248.0
network-object 1.0.32.0 255.255.224.0
network-object 1.1.0.0 255.255.255.0
network-object 1.1.2.0 255.255.254.0


It seems like it got imported, though I cannot see the rules in the ASDM manager,
neither in Configuration > Firewall > Advanced > ACL Manager
nor in Configuration > Firewall > Access Rules,
though I can see them on the right of the ASDM manager.

Something went wrong obviously?!

Expert Comment

by:Anuroopsundd
ID: 37819116
Please see the attached Excel. I did the complete stuff so that you can just copy the J column from the Excel to your file.
Surely this should ease your work. :)
Book1.xlsx

Expert Comment

by:Ernie Beek
ID: 37819128
Ok, so you can see the object group (to the right) but not the ACL?

The name of the outside ACL that's already there (if any) is outside_access_in?

I'm more a CLI kind of guy, so could you do the following:

Through Tools -> Command Line Interface give the command: wr t
This will give you the ASA's config in text. Check if the object group is there (should be) and what access lists you have. There should also be a command access-group that applies the ACL to the interface(s), what does it say?

Author Comment

by:sven2012
ID: 37819156
erniebeek:
the name of the existing ACL is "outside_access_in" and I have another one "test",
but

in the config file it says:

object-group network countryblock
 network-object 1.0.1.0 255.255.255.0
 network-object 1.0.2.0 255.255.254.0
 network-object 1.0.8.0 255.255.248.0
 network-object 1.0.32.0 255.255.224.0
 network-object 1.1.0.0 255.255.255.0
 network-object 1.1.2.0 255.255.254.0


but there is no rule applied?!

Anuroopsundd:
thanks for this! I added this to the running-config.cfg file and tried to import the config but it always says "invalid zip file" :P
I am slowly going crazy here.....

I understand the structure of the sheet, but why do you write
access-list outside_access_in extended deny ip object-group
and not
access-list outside_access_in extended deny ip host

Must it not be host?

Accepted Solution

by:Anuroopsundd (earned 350 total points)
ID: 37819165
My mistake.. it was clumsy work and I forgot what I was doing.. see the attached new one...
This should work
Book1.xlsx

Expert Comment

by:Ernie Beek
ID: 37819190
Did you first add: access-list outside_access_in extended deny ip object-group countryblock any
and after that created the object group?
Try adding: access-list outside_access_in extended deny ip object-group countryblock any again then.

Expert Comment

by:Ernie Beek
ID: 37819397
@Anuroopsundd: Nice sheet :) I grabbed a copy myself. One question, how did you fill out that reverse mask in four columns? I assume you didn't do that manually :-~

Expert Comment

by:Anuroopsundd
ID: 37819417
Select the complete column B
Click on the Data tab at the top
click on Text to Columns
select Delimited and click Next
select Other and in the box type .
click Next and Finish.

This gave us four columns with the mask separated.
In the H column I used the CONCATENATE function to reverse the mask:
=CONCATENATE(F2,".",E2,".",D2,".",C2)

Author Comment

by:sven2012
ID: 37819429
Sorry, I am confused now.

I add only this to the config file?!

network-object 1.0.1.0 255.0.0.0
network-object 1.0.2.0 255.1.0.0
network-object 1.0.8.0 255.7.0.0
network-object 1.0.32.0 255.31.0.0
network-object 1.1.0.0 255.0.0.0
network-object 1.1.2.0 255.1.0.0
network-object 1.1.4.0 255.3.0.0
network-object 1.1.8.0 255.7.0.0


and no rule like this?!

access-list outside_access_in extended deny ip object-group 1.0.1.0 255.0.0.0 any

I added the command
access-list outside_access_in extended deny ip object-group countryblock any
again and now in the rules "countryblock" appears!
So we got it now? :P

Expert Comment

by:Anuroopsundd
ID: 37819434
Yes. So you have the rule now...

Assisted Solution

by:Ernie Beek
Ernie Beek earned 150 total points
ID: 37819438
You define all the ranges in the object group
object-group network countryblock, so it should show like:

object-group network countryblock
network-object 1.0.1.0 255.0.0.0
network-object 1.0.2.0 255.1.0.0
network-object 1.0.8.0 255.7.0.0
network-object 1.0.32.0 255.31.0.0
network-object 1.1.0.0 255.0.0.0
network-object 1.1.2.0 255.1.0.0
network-object 1.1.4.0 255.3.0.0
network-object 1.1.8.0 255.7.0.0


After that you only need one ACL entry:
access-list outside_access_in extended deny ip object-group countryblock any, and the ASA will do the rest.

If you enter the command show access-list outside_access_in you will see that that one line is expanded to multiple lines.


@Anuroopsundd: Thanks! I think I can make good use of this :)

Expert Comment

by:Ernie Beek
ID: 37819448
By the way, in ASDM, move that ACL entry up to the top to make sure nothing gets through.

Expert Comment

by:Anuroopsundd
ID: 37819450
@erniebeek: Glad this can help you too..

Author Comment

by:sven2012
ID: 37819455
So now I added more lines into the CLI like this:

object-group network countryblock
network-object 1.1.4.0 255.3.0.0
network-object 1.1.8.0 255.7.0.0
network-object 1.1.16.0 255.15.0.0
network-object 1.1.32.0 255.31.0.0
network-object 1.2.0.0 255.1.0.0
network-object 1.2.2.0 255.0.0.0
etc.

to extend the object group "countryblock", but it seems like I added too many of them and it froze.

So basically if I now want to add IPs for India to be blocked, I do the same steps and I could add a new group called "india" instead of "countryblock", correct?

I also found lists with the correct subnet masks and not reversed ones.

Thanks guys, today I learned a lot again ;-)

If I add too many rules, might there be a possibility of "overloading" the firewall?

Expert Comment

by:Anuroopsundd
ID: 37819462
Yes, as the list is too big it is better to have different ones for different countries,
and in case a country has a big list you should break it down further,
like China1, China2.

Expert Comment

by:Ernie Beek
ID: 37819658
Normally an ASA should be able to cope with tens of thousands of lines, though it might have some impact on performance. And it is a good idea to break it down a bit. It might be easier to manage as well.
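The whole procedure discussed in this thread (convert the wildcard masks from the country list to normal subnet masks, wrap the ranges in an object-group, reference the group from one deny entry at the top of the outside ACL, and split a large country into China1, China2, ... groups) as one script. This is an added example, not code posted by any participant in the thread; it assumes the input is the "<network> <wildcard>" form the list site publishes, that the ACL is called outside_access_in and is bound inbound on interface "outside" (names taken from the thread), and the per-group size is just a knob. One point worth stating plainly: the ASA mask is the bitwise complement of the wildcard (255 minus each octet, octet order unchanged), so 0.0.0.255 becomes 255.255.255.0; reversing the octet order would turn it into 255.0.0.0, a /8 that covers 16 million addresses instead of 256. The sample list at the top is constructed for the example.

```python
"""Generate ASA object-group/ACL configuration from a wildcard-mask IP list.

Added example, not from the thread. Assumptions: '<network> <wildcard>' input
lines, ACL name outside_access_in on interface 'outside' (both from the
thread), and an arbitrary chunk size for splitting big countries into groups.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample in the inverse-mask (wildcard) format the list site uses.
SAMPLE_LIST = """\
! constructed sample, not a real country list
1.0.1.0 0.0.0.255
1.0.2.0 0.0.1.255
1.0.8.0 0.0.7.255
1.0.32.0 0.0.31.255
223.208.0.0 0.3.255.255
"""


def wildcard_to_netmask(wildcard: str) -> str:
    """Invert a Cisco wildcard mask bit-for-bit: 0.0.0.255 -> 255.255.255.0.

    Octet order is unchanged; each octet becomes 255 - octet. The explicit
    conversion also avoids ambiguity: ipaddress would read a bare 0.0.0.0 as
    a /0 netmask, whereas as a wildcard it means a single host (/32).
    """
    octets = wildcard.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad wildcard mask: {wildcard!r}")
    return ".".join(str(255 - int(o)) for o in octets)


def parse_wildcard_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse '<network> <wildcard>' lines into IPv4Network objects.

    Blank lines and '!'/'#' comments are skipped. A non-contiguous mask or a
    network with host bits set (1.0.1.0 with 255.0.0.0) is rejected instead
    of being silently mangled into a much larger or invalid range.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("!", "#")):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<network> <wildcard>', got {line!r}")
        addr, wildcard = parts
        mask = wildcard_to_netmask(wildcard)
        try:
            # strict=True raises on host bits set; a non-contiguous mask
            # raises NetmaskValueError. Both are ValueError subclasses.
            nets.append(ipaddress.IPv4Network(f"{addr}/{mask}", strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
    return nets


def render_object_groups(nets, base_name: str, chunk_size: int = 1000) -> Tuple[List[str], List[str]]:
    """Emit 'object-group network' blocks of at most chunk_size entries each.

    One chunk keeps the name base_name; several chunks become base_name1,
    base_name2, ... (the China1/China2 split). Returns (names, config_lines).
    """
    chunks = [nets[i:i + chunk_size] for i in range(0, len(nets), chunk_size)]
    names, lines = [], []
    for idx, chunk in enumerate(chunks, 1):
        name = base_name if len(chunks) == 1 else f"{base_name}{idx}"
        names.append(name)
        lines.append(f"object-group network {name}")
        for net in chunk:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return names, lines


def render_acl(group_names, acl: str = "outside_access_in", iface: str = "outside") -> List[str]:
    """One deny entry per group, inserted at line 1 so it precedes any permit.

    The access-group line binds the ACL inbound on the interface; if the ACL
    is already bound (as in the thread) that line can be dropped.
    """
    lines = [f"access-list {acl} line 1 extended deny ip object-group {n} any" for n in group_names]
    lines.append(f"access-group {acl} in interface {iface}")
    return lines


def is_blocked(ip: str, nets) -> bool:
    """Pre-deployment check: would this address be denied by the list?"""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    networks = parse_wildcard_list(SAMPLE_LIST)
    group_names, config = render_object_groups(networks, "china", chunk_size=2)
    config += render_acl(group_names)
    print("\n".join(config))  # paste into ASDM Tools > Command Line Interface (multi-line)
    # Confirm an address that must keep reaching the server is not in the list.
    print("198.51.100.7 blocked:", is_blocked("198.51.100.7", networks))
```

Run it with the real list in place of SAMPLE_LIST and paste the output into Tools > Command Line Interface with multi-line enabled; keep the chunk size modest (a few hundred to a thousand entries per paste) given the freeze the author saw when pasting a very large group in one go. Before applying, run is_blocked against the addresses that must keep reaching the server, since a deny ip ... any at line 1 precedes every permit in the ACL.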