Block IP range extended ACLs

So I have an extended ACL for inbound traffic on my WAN interface and I want to block all incoming traffic from a range of IPs. Specifically Spotify, which uses:

I tried the following:
deny ip any
deny ip
deny ip any
It doesn't seem to be working. What am I missing?

ffleisma (Senior Network Engineer) commented:
Traffic is initiated internally, as users will access the service out towards the internet. My suggestion: do the filtering on the internal interface rather than the external interface.
Scott_Smith24 (Author) commented:
So how do I do that?
ffleisma (Senior Network Engineer) commented:
R1(config)#ip access-list extended internal_filter
R1(config-ext-nacl)#deny ip x.x.x.x y.y.y.y
R1(config-ext-nacl)#deny ip x.x.x.x y.y.y.y
R1(config-ext-nacl)#deny ip x.x.x.x y.y.y.y
R1(config-ext-nacl)#permit ip any any
R1(config)#inter X/X
R1(config-if)#description INTERNAL_LAN_INTERFACE
R1(config-if)#ip access-group internal_filter in

where x.x.x.x is the internal network while y.y.y.y is the wildcard mask
Line 5 is important, to prevent everything else being matched by the implicit deny.
Line 10, apply the ACL to your internal interface
Forgot to confirm, just noticed your topic is ASA, is this for a router or an ASA?

Scott_Smith24 (Author) commented:
So here is what my internal interface looks like
interface GigabitEthernet0/1
 description Internal Network$FW_INSIDE$
 ip address
 ip access-group internal_filter in
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled

And the newly formed access list

ip access-list extended internal_filter
 deny   ip
 deny   ip
 deny   ip
 permit ip any any

and a "sh access list"
Extended IP access list internal_filter
    10 deny ip
    20 deny ip
    30 deny ip
    40 permit ip any any (601589 matches)

But I'm getting nothing; it doesn't seem to be blocking the range of IPs.
Now I have 4 VLANs but the computer I'm testing with is on the network
ffleisma (Senior Network Engineer) commented:
It seems that Spotify has a lot of IP ranges.
Other forums mentioned some other IP ranges as well that they blocked.

I wouldn't suggest to just go outright and block all the IP ranges without careful consideration first. What I can suggest:
Do a packet capture test first to identify which IP range Spotify is connecting to based on your region. Tools like CurrPorts and Wireshark can be used to do a packet capture. Based on your "show access list", nobody is hitting those subnets, so most likely you are reaching Spotify through another IP range.
Block the application in the host PC GPO.
Scott_Smith24 (Author) commented:
That worked. I also used Little Snitch to see exactly what Spotify was using and was able to find the IP range that way.
ffleisma (Senior Network Engineer) commented:
Great! Glad you were able to accomplish your task and congratulations!
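
The workflow the thread settles on (find which captured destinations the current deny entries miss, then deny those ranges on the internal interface ahead of `permit ip any any`), as an added example that is not code from the thread. All addresses are constructed from reserved test ranges, and the 192.168.10.0/24 LAN, the /24 grouping of captured hosts and the helper names are assumptions.

```python
import ipaddress

# Constructed sample data (reserved test ranges, not real Spotify addresses).
DENIED = ["192.0.2.0/24"]                      # ranges the ACL denies today
OBSERVED = ["192.0.2.9", "198.18.0.10",        # destinations seen in a capture
            "198.18.1.77", "203.0.113.5"]
INTERNAL = "192.168.10.0/24"                   # assumed LAN behind the interface


def uncovered(observed, denied):
    """Return observed destination IPs that no current deny range covers."""
    nets = [ipaddress.ip_network(n) for n in denied]
    return [ip for ip in observed
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


def to_ranges(ips, prefix=24):
    """Group host IPs into /prefix networks and merge adjacent networks."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
    return list(ipaddress.collapse_addresses(nets))


def acl_lines(name, internal, dest_nets):
    """Emit an IOS extended ACL: source = internal LAN, destination = range.

    IOS takes wildcard masks (inverted netmasks), which is what hostmask gives.
    """
    src = ipaddress.ip_network(internal)
    lines = [f"ip access-list extended {name}"]
    for dst in dest_nets:
        lines.append(f" deny ip {src.network_address} {src.hostmask} "
                     f"{dst.network_address} {dst.hostmask}")
    # Must stay last: without it the implicit deny drops all other traffic.
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    missed = uncovered(OBSERVED, DENIED)
    print("not covered by current deny entries:", missed)
    print("\n".join(acl_lines("internal_filter", INTERNAL, to_ranges(missed))))
```

Destinations that come back from `uncovered` explain deny entries with no match counter in `show access-lists`: the traffic is going to ranges the ACL does not list.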