Block IP range with extended ACLs

So I have an extended ACL for inbound traffic on my WAN interface and I want to block all incoming traffic from a range of IPs. Specifically Spotify, which uses:
78.31.8.0/21
193.182.8.0/21
95.215.60.0/22

I tried the following:
deny ip 78.31.8.0 0.0.7.255 any
deny ip 193.182.8.0 0.0.7.255
deny ip 95.215.60.0 0.0.3.255 any
It doesn't seem to be working. What am I missing?
Asked by Scott_Smith24

ffleisma (Senior Network Engineer) commented:
Traffic is initiated internally, as users will access the service out towards the internet. My suggestion: do the filtering on the internal interface rather than the external interface.
Scott_Smith24 (Author) commented:
So how do I do that?
ffleisma (Senior Network Engineer) commented:
R1(config)#ip access-list extended internal_filter
R1(config-ext-nacl)#deny ip x.x.x.x y.y.y.y 78.31.8.0 0.0.7.255
R1(config-ext-nacl)#deny ip x.x.x.x y.y.y.y 193.182.8.0 0.0.7.255
R1(config-ext-nacl)#deny ip x.x.x.x y.y.y.y 95.215.60.0 0.0.3.255
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#
R1(config)#inter X/X
R1(config-if)#description INTERNAL_LAN_INTERFACE
R1(config-if)#ip access-group internal_filter in


where x.x.x.x is the internal network and y.y.y.y is the wildcard mask.
Line 5 is important, to prevent everything else from being matched by the implicit deny.
Line 10: apply the ACL to your internal interface.
Forgot to confirm: I just noticed your topic is ASA. Is this for a router or an ASA?


Scott_Smith24 (Author) commented:
So here is what my internal interface looks like:
interface GigabitEthernet0/1
 description Internal Network$FW_INSIDE$
 ip address 10.110.110.1 255.255.255.0
 ip access-group internal_filter in
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled

And the newly formed access list:

ip access-list extended internal_filter
 deny   ip 10.110.110.0 0.0.0.255 78.31.8.0 0.0.7.255
 deny   ip 10.110.110.0 0.0.0.255 193.182.8.0 0.0.7.255
 deny   ip 10.110.110.0 0.0.0.255 95.215.60.0 0.0.3.255
 permit ip any any

and a "sh access-list":
Extended IP access list internal_filter
    10 deny ip 10.110.110.0 0.0.0.255 78.31.8.0 0.0.7.255
    20 deny ip 10.110.110.0 0.0.0.255 193.182.8.0 0.0.7.255
    30 deny ip 10.110.110.0 0.0.0.255 95.215.60.0 0.0.3.255
    40 permit ip any any (601589 matches)

But I'm getting nothing; it doesn't seem to be blocking the range of IPs.
I have 4 VLANs, but the computer I'm testing with is on the 10.110.110.0 network.
ffleisma (Senior Network Engineer) commented:
It seems that Spotify has a lot of IP ranges:

http://bgp.he.net/search?search[search]=Spotify&commit=Search
Other forums mentioned some other IP ranges as well that they blocked:
193.235.232.0/22
194.68.28.0/22
http://serverfault.com/questions/358735/how-can-i-block-spotify-on-our-company-network
https://support.cipafilter.com/index.php?/Knowledgebase/Article/View/146/27/spotify---how-to-block

I wouldn't suggest going outright and blocking all the IP ranges without careful consideration first. What I can suggest:
Do a packet capture test first to identify which IP range Spotify is connecting to based on your region. Tools like CurrPorts and Wireshark can be used to do a packet capture. Based on your "show access-list", nobody is hitting those subnets, so most likely you are reaching Spotify through another IP range.
CurrPorts tool: http://www.nirsoft.net/utils/cports.html
Block the application on the host PC via GPO.
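To check the wildcard masks from the question and to see why the counters in the "show access-list" output above sit at zero on the deny entries, here is a small added Python model of first-match extended-ACL evaluation (example code written for this page, not from the thread or from Cisco). It assumes the internal_filter list exactly as posted and uses constructed sample flows from the test PC; the 193.235.232.0/22 destination is one of the extra Spotify ranges mentioned above that the list does not cover, and 198.51.100.10 is a documentation address standing in for ordinary traffic.

```python
import ipaddress

def wildcard_mask(cidr):
    """Turn a CIDR prefix into the 'network wildcard' pair Cisco ACLs use."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"

def in_wildcard(addr, network, wildcard):
    """True when addr matches network/wildcard (1-bits in the wildcard are 'don't care')."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def parse_entry(line):
    """Parse one extended-ACL line such as 'deny ip 10.0.0.0 0.0.0.255 any'."""
    tokens = line.split()
    action, rest, specs = tokens[0], tokens[2:], []   # tokens[1] is the protocol
    while rest:
        if rest[0] == "any":
            specs.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        else:
            specs.append((rest[0], rest[1])); rest = rest[2:]
    return action, specs[0], specs[1]

def evaluate(acl, src, dst):
    """First match wins; no match means the implicit deny at the end of the list."""
    for seq, (action, s, d) in enumerate(acl, start=1):
        if in_wildcard(src, *s) and in_wildcard(dst, *d):
            return seq, action
    return None, "deny"

def hit_counts(acl, flows):
    """Per-entry match counters, like the '(N matches)' column of 'show access-list'."""
    counts = [0] * len(acl)
    for src, dst in flows:
        seq, _ = evaluate(acl, src, dst)
        if seq is not None:
            counts[seq - 1] += 1
    return counts

# The internal_filter list from the thread, in the order the router evaluates it.
INTERNAL_FILTER = [parse_entry(line) for line in (
    "deny ip 10.110.110.0 0.0.0.255 78.31.8.0 0.0.7.255",
    "deny ip 10.110.110.0 0.0.0.255 193.182.8.0 0.0.7.255",
    "deny ip 10.110.110.0 0.0.0.255 95.215.60.0 0.0.3.255",
    "permit ip any any",
)]

# Constructed sample flows: one to a listed range, one to an unlisted Spotify
# range (193.235.232.0/22), one to an unrelated documentation address.
SAMPLE_FLOWS = [("10.110.110.50", "78.31.9.5"), ("10.110.110.50", "193.235.233.1"),
                ("10.110.110.50", "198.51.100.10")]
```

Only the first flow increments a deny entry; the flow to the unlisted Spotify range falls through to "permit ip any any" exactly as the real counters showed, which is the case for capturing the actual destinations before adding entries.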
Scott_Smith24 (Author) commented:
That worked. I also used Little Snitch to see exactly what Spotify was using and was able to find the IP range that way.
ffleisma (Senior Network Engineer) commented:
Great! Glad you were able to accomplish your task, and congratulations!