Solved

How do I BLOCK entire IP range as source in CISCO ASA5505 FIREWALL and ACL using SDM

Posted on 2013-06-24
6
542 Views
Last Modified: 2013-07-03
I would like to block, i.e. deny access to an entire IP range as source in CISCO ASA5505 firewall and ACL using Security Device Manager (SDM).

I know how to block any individual IP using SDM, but I do not know how to define an entire range, for example: 100.100.0.0. up to 100.100.255.255.

Please look at the attached .jpeg figure.

Any help on specific steps to make using SDM interface, please?
Example-of-blocking-an-individua.jpg
0
Comment
Question by:Dr.Costas Sachpazis
  • 4
  • 2
6 Comments
 
LVL 20

Expert Comment

by:rauenpc
Comment Utility
The drop down menu for type (which in the picture is set to HOST/IP address) should have an option for network, subnet, or range. Selecting one of these options (I can't remember how the drop down is worked but it will be close) will then present you with a spot to type in both an IP address and a subnet mask. This will give you the ability to deny/ally and entire range of IP's.
0
 

Author Comment

by:Dr.Costas Sachpazis
Comment Utility
Thank you Rauenpc. I will have a look and I will let you know.
0
 

Author Comment

by:Dr.Costas Sachpazis
Comment Utility
So Rauenpc, as you can see in the attached figure, there is an option for "A Network", in the drop down menu.

Below that, there is a "Wildcard Mask" window, with a drop down menu, indicating specific and concrete addresses.... (as you can see in the attached image).

Therefore, if I want to block an entire range of IPs, for example: 100.100.0.0. up to 100.100.255.255, how in that case should I configure this interface?

Could you explain step by step?
Example-of-blocking-an-individua.jpg
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
Comment Utility
A wildcard mask is essentially the reverse of a subnet mask. There are a lot of neat things you can do with wildcard masks that you can't do with a subnet mask, but most times you won't need to do the "neat" things.

For the most part, if you have a network/subnet, you can take each of the octets and change it to the difference of the subnet octet and 255.

So if you had a subnet of
255.255.255.0, the wildcard would be 0.0.0.255
255.255.252.0, the wildcard would be 0.0.3.255
255.255.0.0, the wildcard would be 0.0.255.255 (this covers your specific example)

to cover 100.100.0.0/16, the wildcard would be 0.0.255.255.
0
 

Author Comment

by:Dr.Costas Sachpazis
Comment Utility
Thank you Rauenpc.

So, is that correct, as shown in the attached figure?

Remember, I want to block the entire range of IPs, from: 100.100.0.0 up to: 100.100.255.255.
Example-of-blocking-a-range-of-I.jpg
0
 

Author Comment

by:Dr.Costas Sachpazis
Comment Utility
Hello Rauenpc.

I am waiting for an answer from you, regarding wether this is correct or not, as shown in the previous attached figure?

Regards
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

Suggested Solutions

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now