Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How do I BLOCK entire IP range as source in CISCO ASA5505 FIREWALL and ACL using SDM

Posted on 2013-06-24
6
Medium Priority
?
549 Views
Last Modified: 2013-07-03
I would like to block, i.e. deny access to an entire IP range as source in CISCO ASA5505 firewall and ACL using Security Device Manager (SDM).

I know how to block any individual IP using SDM, but I do not know how to define an entire range, for example: 100.100.0.0. up to 100.100.255.255.

Please look at the attached .jpeg figure.

Any help on specific steps to make using SDM interface, please?
Example-of-blocking-an-individua.jpg
0
Comment
Question by:Dr.Costas Sachpazis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 39271330
The drop down menu for type (which in the picture is set to HOST/IP address) should have an option for network, subnet, or range. Selecting one of these options (I can't remember how the drop down is worked but it will be close) will then present you with a spot to type in both an IP address and a subnet mask. This will give you the ability to deny/ally and entire range of IP's.
0
 

Author Comment

by:Dr.Costas Sachpazis
ID: 39271354
Thank you Rauenpc. I will have a look and I will let you know.
0
 

Author Comment

by:Dr.Costas Sachpazis
ID: 39271399
So Rauenpc, as you can see in the attached figure, there is an option for "A Network", in the drop down menu.

Below that, there is a "Wildcard Mask" window, with a drop down menu, indicating specific and concrete addresses.... (as you can see in the attached image).

Therefore, if I want to block an entire range of IPs, for example: 100.100.0.0. up to 100.100.255.255, how in that case should I configure this interface?

Could you explain step by step?
Example-of-blocking-an-individua.jpg
0
Protect Your Retail Business and Reputation

Wi-Fi access doesn't just impact your business & customer experience, it can also affect your security.  Join us for an informative webinar to learn more about the top threats and trends impacting retail today, and the key solutions to protecting retail networks and reputations.

 
LVL 20

Accepted Solution

by:
rauenpc earned 1500 total points
ID: 39271595
A wildcard mask is essentially the reverse of a subnet mask. There are a lot of neat things you can do with wildcard masks that you can't do with a subnet mask, but most times you won't need to do the "neat" things.

For the most part, if you have a network/subnet, you can take each of the octets and change it to the difference of the subnet octet and 255.

So if you had a subnet of
255.255.255.0, the wildcard would be 0.0.0.255
255.255.252.0, the wildcard would be 0.0.3.255
255.255.0.0, the wildcard would be 0.0.255.255 (this covers your specific example)

to cover 100.100.0.0/16, the wildcard would be 0.0.255.255.
0
 

Author Comment

by:Dr.Costas Sachpazis
ID: 39271726
Thank you Rauenpc.

So, is that correct, as shown in the attached figure?

Remember, I want to block the entire range of IPs, from: 100.100.0.0 up to: 100.100.255.255.
Example-of-blocking-a-range-of-I.jpg
0
 

Author Comment

by:Dr.Costas Sachpazis
ID: 39272112
Hello Rauenpc.

I am waiting for an answer from you, regarding wether this is correct or not, as shown in the previous attached figure?

Regards
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
Suggested Courses

664 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question