netcmh
asked on
Cisco ASA 5520 Reverse GeoIP block
Hello,
I've been fairly successful in doing the regular geoip block process on the ASA. I've been compiling the ranges of IPs from malicious/unstable/non-allied/etc. countries, and blocking their access at the perimeter. Of course, it isn't a foolproof solution knowing that the determined entity will be able to pivot off of trusted but compromised country ranges. But, pairing it with BOGONS, TOR exit points and a few others, we've seen a drop in the intrusion scale.
I did this as the drain on the resources on the ASA was negligible. But, as the list of countries keeps rising, perhaps the better approach would be to allow only trusted countries access to our public facing services.
Does anyone have a working process or solution for allowing only traffic from the States and Canada access through the ASA? Examples would be appreciated.
Thank you.
How do you do your geo blocking? I have an access list that I have inherited and refined that basically blocks everything not in the United States.
ASKER
That's what I'm looking for. Right now, I pick and choose volatile areas, those known for their lax cyber policies, and known malicious-intent countries; and create their network objects and reference that object in my ACL. Needless to say, the object gets huge and is becoming almost unmanageable for me with my list of approx. 34 countries. Appending all the other countries to that group is not what I hope to do.
I would really like to see what others are doing different.
ASKER
kevinhsieh: you've kinda left me hanging there :)
Here's what I have for the stuff that is blocked for ingress traffic. Note that I also do egress blocking, and that this list will block basically all of Canada, as well as other properties such as Facebook and Akamai that have IP addresses originally assigned outside of the United States.
object-group network INTERNET_INTERNATIONAL_NETWORKS
network-object 0.0.0.0 255.0.0.0
network-object 1.0.0.0 255.0.0.0
network-object 2.0.0.0 255.0.0.0
network-object 27.0.0.0 255.0.0.0
network-object 31.0.0.0 255.0.0.0
network-object 36.0.0.0 255.0.0.0
network-object 37.0.0.0 255.0.0.0
network-object 39.0.0.0 255.0.0.0
network-object 42.0.0.0 255.0.0.0
network-object 5.0.0.0 255.0.0.0
network-object 57.0.0.0 255.0.0.0
network-object 58.0.0.0 255.0.0.0
network-object 59.0.0.0 255.0.0.0
network-object 60.0.0.0 255.0.0.0
network-object 61.0.0.0 255.0.0.0
network-object 62.0.0.0 255.0.0.0
network-object 77.0.0.0 255.0.0.0
network-object 78.0.0.0 255.0.0.0
network-object 79.0.0.0 255.0.0.0
network-object 80.0.0.0 255.0.0.0
network-object 81.0.0.0 255.0.0.0
network-object 82.0.0.0 255.0.0.0
network-object 83.0.0.0 255.0.0.0
network-object 84.0.0.0 255.0.0.0
network-object 85.0.0.0 255.0.0.0
network-object 86.0.0.0 255.0.0.0
network-object 87.0.0.0 255.0.0.0
network-object 88.0.0.0 255.0.0.0
network-object 89.0.0.0 255.0.0.0
network-object 90.0.0.0 255.0.0.0
network-object 91.0.0.0 255.0.0.0
network-object 92.0.0.0 255.0.0.0
network-object 93.0.0.0 255.0.0.0
network-object 94.0.0.0 255.0.0.0
network-object 95.0.0.0 255.0.0.0
network-object 101.0.0.0 255.0.0.0
network-object 102.0.0.0 255.0.0.0
network-object 103.0.0.0 255.0.0.0
network-object 105.0.0.0 255.0.0.0
network-object 106.0.0.0 255.0.0.0
network-object 109.0.0.0 255.0.0.0
network-object 110.0.0.0 255.0.0.0
network-object 111.0.0.0 255.0.0.0
network-object 112.0.0.0 255.0.0.0
network-object 113.0.0.0 255.0.0.0
network-object 114.0.0.0 255.0.0.0
network-object 115.0.0.0 255.0.0.0
network-object 116.0.0.0 255.0.0.0
network-object 117.0.0.0 255.0.0.0
network-object 118.0.0.0 255.0.0.0
network-object 119.0.0.0 255.0.0.0
network-object 120.0.0.0 255.0.0.0
network-object 121.0.0.0 255.0.0.0
network-object 122.0.0.0 255.0.0.0
network-object 123.0.0.0 255.0.0.0
network-object 124.0.0.0 255.0.0.0
network-object 125.0.0.0 255.0.0.0
network-object 126.0.0.0 255.0.0.0
network-object 175.0.0.0 255.0.0.0
network-object 176.0.0.0 255.0.0.0
network-object 177.0.0.0 255.0.0.0
network-object 178.0.0.0 255.0.0.0
network-object 179.0.0.0 255.0.0.0
network-object 180.0.0.0 255.0.0.0
network-object 181.0.0.0 255.0.0.0
network-object 182.0.0.0 255.0.0.0
network-object 183.0.0.0 255.0.0.0
network-object 185.0.0.0 255.0.0.0
network-object 186.0.0.0 255.0.0.0
network-object 187.0.0.0 255.0.0.0
network-object 189.0.0.0 255.0.0.0
network-object 190.0.0.0 255.0.0.0
network-object 193.0.0.0 255.0.0.0
network-object 194.0.0.0 255.0.0.0
network-object 195.0.0.0 255.0.0.0
network-object 197.0.0.0 255.0.0.0
network-object 200.0.0.0 255.0.0.0
network-object 201.0.0.0 255.0.0.0
network-object 202.0.0.0 255.0.0.0
network-object 210.0.0.0 255.0.0.0
network-object 211.0.0.0 255.0.0.0
network-object 212.0.0.0 255.0.0.0
network-object 213.0.0.0 255.0.0.0
network-object 217.0.0.0 255.0.0.0
network-object 218.0.0.0 255.0.0.0
network-object 219.0.0.0 255.0.0.0
network-object 220.0.0.0 255.0.0.0
network-object 221.0.0.0 255.0.0.0
network-object 222.0.0.0 255.0.0.0
network-object 223.0.0.0 255.0.0.0
network-object 224.0.0.0 224.0.0.0
network-object 171.0.0.0 255.192.0.0
network-object 171.128.0.0 255.128.0.0
network-object 171.68.0.0 255.252.0.0
network-object 171.72.0.0 255.248.0.0
network-object 171.80.0.0 255.240.0.0
network-object 171.96.0.0 255.224.0.0
network-object object INTERNATIONAL_104.128.128.0-20
network-object object INTERNATIONAL_AllSTREAM_ONTARIO_CA
network-object object INTERNATIONAL_VANCOUVER_ISLAND_UNIVERSITY
network-object object INTERNATIONAL_WIZARD-TOWER-TECHNO-SERVICES_VANCOUVER_CA
network-object object IANA-RESERVED-100.64.0.0
network-object object INTERNATIONAL_EASTLINK.CA
network-object object 203.0.0.0
object network INTERNATIONAL_AllSTREAM_ONTARIO_CA
subnet 104.36.8.0 255.255.248.0
description Allstream, Ontario, CA
object network INTERNATIONAL_104.128.128.0-20
subnet 104.128.128.0 255.255.240.0
description Central Asia
object network INTERNATIONAL_WIZARD-TOWER-TECHNO-SERVICES_VANCOUVER_CA
subnet 104.128.144.0 255.255.240.0
description Wizard Tower Techno Services, Vancouver CA
object network INTERNATIONAL_VANCOUVER_ISLAND_UNIVERSITY
subnet 104.128.240.0 255.255.240.0
description Vancouver Island University
object network INTERNATIONAL_EASTLINK.CA
subnet 10.42.240.0 255.255.240.0
description EASTLINK.CA
object network 203.0.0.0
subnet 203.0.0.0 255.0.0.0
description APNIC networks
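Checking a pasted group of that size by eye is error-prone, so here is an added audit script (my own example, not kevinhsieh's configuration and not a Cisco tool). It parses the object-group / object network syntax into prefixes, resolves object references even when the object is defined after the group that uses it (as in the paste above), reports the most specific entry matching a sample address, lists references that are never defined (the group above references IANA-RESERVED-100.64.0.0 with no object network definition in the paste), and flags entries that sit inside RFC 1918 space (the EASTLINK.CA object above is defined as 10.42.240.0/20, which is private address space and cannot arrive from the internet). SAMPLE_CONFIG is a constructed excerpt with a handful of the posted entries, not the full list.

```python
"""Audit a Cisco ASA network object-group pasted from 'show run'.

Added example for this thread, not kevinhsieh's configuration or a Cisco tool.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed excerpt shaped like the posted config (a handful of entries, not the
# full list). IANA-RESERVED-100.64.0.0 is referenced but never defined, as in the
# paste, and EASTLINK.CA is defined as 10.42.240.0/20 exactly as posted.
SAMPLE_CONFIG = """\
object-group network INTERNET_INTERNATIONAL_NETWORKS
 network-object 1.0.0.0 255.0.0.0
 network-object 224.0.0.0 224.0.0.0
 network-object 171.0.0.0 255.192.0.0
 network-object object INTERNATIONAL_AllSTREAM_ONTARIO_CA
 network-object object IANA-RESERVED-100.64.0.0
 network-object object INTERNATIONAL_EASTLINK.CA
object network INTERNATIONAL_AllSTREAM_ONTARIO_CA
 subnet 104.36.8.0 255.255.248.0
 description Allstream, Ontario, CA
object network INTERNATIONAL_EASTLINK.CA
 subnet 10.42.240.0 255.255.240.0
 description EASTLINK.CA
"""

RFC1918 = [ipaddress.IPv4Network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Entry = Tuple[str, str]  # ("net", "addr/mask") or ("ref", object name)


def parse_asa(text: str) -> Tuple[Dict[str, ipaddress.IPv4Network], Dict[str, List[Entry]]]:
    """Two tables: object name -> network, and group name -> its raw entries."""
    objects: Dict[str, ipaddress.IPv4Network] = {}
    groups: Dict[str, List[Entry]] = {}
    cur_obj: Optional[str] = None
    cur_grp: Optional[str] = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            cur_obj, cur_grp = tok[2], None
        elif tok[:2] == ["object-group", "network"]:
            cur_grp, cur_obj = tok[2], None
            groups[cur_grp] = []
        elif cur_obj and tok[0] == "subnet":
            objects[cur_obj] = ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}", strict=False)
        elif cur_obj and tok[0] == "host":
            objects[cur_obj] = ipaddress.IPv4Network(f"{tok[1]}/32")
        elif cur_grp and tok[0] == "network-object":
            if tok[1] == "host":
                groups[cur_grp].append(("net", f"{tok[2]}/32"))
            elif tok[1] == "object":
                groups[cur_grp].append(("ref", tok[2]))
            else:  # address followed by a dotted netmask
                groups[cur_grp].append(("net", f"{tok[1]}/{tok[2]}"))
        # description lines and anything else are ignored
    return objects, groups


def resolve_group(name, objects, groups) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Expand a group into networks; also return referenced object names that were never defined."""
    nets, missing = [], []
    for kind, value in groups[name]:
        if kind == "net":
            nets.append(ipaddress.IPv4Network(value, strict=False))
        elif value in objects:
            nets.append(objects[value])
        else:
            missing.append(value)
    return nets, missing


def match(addr: str, nets) -> Optional[ipaddress.IPv4Network]:
    """Most specific entry containing addr, or None if the address is not covered."""
    ip = ipaddress.IPv4Address(addr)
    hits = [n for n in nets if ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def rfc1918_entries(nets) -> List[ipaddress.IPv4Network]:
    """Entries inside private address space; traffic from these cannot come in from the internet."""
    return [n for n in nets if any(n.subnet_of(p) for p in RFC1918)]


if __name__ == "__main__":
    objs, grps = parse_asa(SAMPLE_CONFIG)
    nets, missing = resolve_group("INTERNET_INTERNATIONAL_NETWORKS", objs, grps)
    for ip in ("104.36.9.1", "239.1.2.3", "198.51.100.1"):
        print(f"{ip:>14} -> {match(ip, nets)}")
    print("undefined references:", missing)
    print("RFC 1918 entries:", [str(n) for n in rfc1918_entries(nets)])
```

Paste the real `show run object-group` and `show run object` output into SAMPLE_CONFIG (or read it from a file) and the same three checks apply: which entry catches an address you care about, which references will fail when the group is applied, and which entries are dead weight.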
ASKER CERTIFIED SOLUTION
ASKER
Wrote a batch file using unxutils to pull the aggregated zone file from ipdeny.com and then modify it to be a workable network object.
Anything glaringly obvious that I might be making a mistake on?
@echo off
setlocal EnableDelayedExpansion
rem Fetch the aggregated US zone file (one CIDR prefix per line) with the unxutils wget
wget http://www.ipdeny.com/ipblocks/data/aggregated/us-aggregated.zone
set InFile=us-aggregated.zone
set OutFile=us-aggregated-formatted.zone
rem Prefix length -> dotted netmask, as the ASA network-object syntax expects.
rem /31 and /32 are included so a host prefix does not fall through as a literal "!map[32]!".
set map[32]=255.255.255.255
set map[31]=255.255.255.254
set map[30]=255.255.255.252
set map[29]=255.255.255.248
set map[28]=255.255.255.240
set map[27]=255.255.255.224
set map[26]=255.255.255.192
set map[25]=255.255.255.128
set map[24]=255.255.255.0
set map[23]=255.255.254.0
set map[22]=255.255.252.0
set map[21]=255.255.248.0
set map[20]=255.255.240.0
set map[19]=255.255.224.0
set map[18]=255.255.192.0
set map[17]=255.255.128.0
set map[16]=255.255.0.0
set map[15]=255.254.0.0
set map[14]=255.252.0.0
set map[13]=255.248.0.0
set map[12]=255.240.0.0
set map[11]=255.224.0.0
set map[10]=255.192.0.0
set map[9]=255.128.0.0
set map[8]=255.0.0.0
rem Split each line on "/": %%A is the address, %%B the prefix length (empty for a bare address)
(
  for /f "usebackq tokens=1-2 delims=/" %%A in (%InFile%) do (
    if "%%B" == "" (
      echo network-object host %%A
    ) else (
      echo network-object %%A !map[%%B]!
    )
  )
)>"%OutFile%"
endlocal
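The same conversion in Python, as an added example that is not the asker's batch file: it reads an ipdeny-style zone file, treats a bare address as a single host (the batch file's `network-object host` branch), handles /31 and /32 and prefixes shorter than /8 that the batch file's mask table omits, and can collapse adjacent or overlapping prefixes with `ipaddress.collapse_addresses` before emitting ASA lines, which is the only way to shrink the 15,400-entry count kevinhsieh mentions without dropping coverage. SAMPLE_ZONE is a constructed sample, not real US data, and the group name US_ALLOW_NET is an assumption.

```python
"""Turn an ipdeny-style zone file (one CIDR prefix per line) into ASA network-object lines.

Added example for this thread, not the asker's batch file and not an ipdeny tool.
"""
import ipaddress
import sys
from typing import Iterable, List

# Constructed sample standing in for us-aggregated.zone (documentation ranges, not real US data).
# It deliberately contains a nested prefix, two halves of a /8, a /32, a /31 and a bare address.
SAMPLE_ZONE = """\
# comment and blank lines are skipped
3.0.0.0/8
4.0.0.0/9
4.128.0.0/9
6.0.0.0/8
192.0.2.0/24
192.0.2.0/25
198.51.100.7/32
198.51.100.8/31
203.0.113.0

"""


def parse_zone(text: str) -> List[ipaddress.IPv4Network]:
    """One network per non-empty line; a bare address becomes a /32."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.IPv4Network(line, strict=False))
    return nets


def aggregate(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge overlapping and adjacent prefixes; the result comes back sorted."""
    return list(ipaddress.collapse_addresses(nets))


def to_asa_lines(nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """ASA syntax: 'host A' for a /32, otherwise 'A dotted-netmask' (works for any prefix length)."""
    lines = []
    for net in nets:
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def build_object_group(name: str, zone_text: str, collapse: bool = True) -> List[str]:
    """Full object-group block ready to paste into the ASA."""
    nets = parse_zone(zone_text)
    if collapse:
        nets = aggregate(nets)
    return [f"object-group network {name}"] + to_asa_lines(nets)


if __name__ == "__main__":
    # Usage: python zone2asa.py [us-aggregated.zone]; with no path the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    before, after = len(parse_zone(text)), len(aggregate(parse_zone(text)))
    print("\n".join(build_object_group("US_ALLOW_NET", text)))  # group name is an assumption
    print(f"! {before} prefixes in, {after} after collapsing", file=sys.stderr)
```

On the sample, nine input lines collapse to seven entries; on the real file the before/after count printed on stderr tells you whether collapsing buys anything, since ipdeny already publishes the list as aggregated. For an allowlist the group goes in a permit ACE on the outside interface (for example `access-list OUTSIDE_IN extended permit tcp object-group US_ALLOW_NET any eq https`, with the ACL and interface names being assumptions) and everything not matched falls to the ASA's implicit deny, so the same group serves both countries if you concatenate the US and CA zone files before converting.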
I don't really have the skills to check out the script. From the web site, you would still have 15,400 IP prefixes for just the US. My block list is significantly shorter, if not 100% accurate.
http://www.ipdeny.com/blog/ipv4-ip-address-blocks-aggregation/
ASKER
No helpful comments were provided. I'm closing this ticket as I was notified that it was abandoned.