Cisco ASA 5520 Reverse GeoIP block

Hello,

I've been fairly successful in doing the regular geoip block process on the ASA. I've been compiling the ranges of IPs from malicious/unstable/non-allied/etc. countries, and blocking their access at the perimeter. Of course, it isn't a foolproof solution knowing that the determined entity will be able to pivot off of trusted but compromised country ranges. But, pairing it with BOGONS, TOR exit points and a few others, we've seen a drop in the intrusion scale.

I did this as the drain on the resources on the ASA was negligible. But, as the list of countries keeps rising, perhaps the better approach would be to allow only trusted countries access to our public facing services.

Does anyone have a working process or solution for allowing only traffic from the States and Canada access through the ASA? Examples would be appreciated.

Thank you.
netcmhAsked:

kevinhsiehCommented:
How do you do your geo blocking? I have an access list that I have inherited and refined that basically blocks everything not in the United States.
netcmhAuthor Commented:
That's what I'm looking for. Right now, I pick and choose volatile areas, those known for their lax cyber policies, and known malicious-intent countries; and create their network objects and reference that object in my ACL. Needless to say, the object gets huge and is becoming almost unmanageable for me with my approx. 34 countries list. Appending all the other countries to that group is not what I hope to do.

I would really like to see what others are doing different.
netcmhAuthor Commented:
kevinhsieh: you've kinda left me hanging there :)
kevinhsiehCommented:
Here's what I have for the stuff that is blocked for ingress traffic. Note that I also do egress blocking, and that this list will block basically all of Canada, as well as other properties such as Facebook and Akamai that have IP addresses originally assigned outside of the United States.

object-group network INTERNET_INTERNATIONAL_NETWORKS
 network-object 0.0.0.0 255.0.0.0
 network-object 1.0.0.0 255.0.0.0
 network-object 2.0.0.0 255.0.0.0
 network-object 27.0.0.0 255.0.0.0
 network-object 31.0.0.0 255.0.0.0
 network-object 36.0.0.0 255.0.0.0
 network-object 37.0.0.0 255.0.0.0
 network-object 39.0.0.0 255.0.0.0
 network-object 42.0.0.0 255.0.0.0
 network-object 5.0.0.0 255.0.0.0
 network-object 57.0.0.0 255.0.0.0
 network-object 58.0.0.0 255.0.0.0
 network-object 59.0.0.0 255.0.0.0
 network-object 60.0.0.0 255.0.0.0
 network-object 61.0.0.0 255.0.0.0
 network-object 62.0.0.0 255.0.0.0
 network-object 77.0.0.0 255.0.0.0
 network-object 78.0.0.0 255.0.0.0
 network-object 79.0.0.0 255.0.0.0
 network-object 80.0.0.0 255.0.0.0
 network-object 81.0.0.0 255.0.0.0
 network-object 82.0.0.0 255.0.0.0
 network-object 83.0.0.0 255.0.0.0
 network-object 84.0.0.0 255.0.0.0
 network-object 85.0.0.0 255.0.0.0
 network-object 86.0.0.0 255.0.0.0
 network-object 87.0.0.0 255.0.0.0
 network-object 88.0.0.0 255.0.0.0
 network-object 89.0.0.0 255.0.0.0
 network-object 90.0.0.0 255.0.0.0
 network-object 91.0.0.0 255.0.0.0
 network-object 92.0.0.0 255.0.0.0
 network-object 93.0.0.0 255.0.0.0
 network-object 94.0.0.0 255.0.0.0
 network-object 95.0.0.0 255.0.0.0
 network-object 101.0.0.0 255.0.0.0
 network-object 102.0.0.0 255.0.0.0
 network-object 103.0.0.0 255.0.0.0
 network-object 105.0.0.0 255.0.0.0
 network-object 106.0.0.0 255.0.0.0
 network-object 109.0.0.0 255.0.0.0
 network-object 110.0.0.0 255.0.0.0
 network-object 111.0.0.0 255.0.0.0
 network-object 112.0.0.0 255.0.0.0
 network-object 113.0.0.0 255.0.0.0
 network-object 114.0.0.0 255.0.0.0
 network-object 115.0.0.0 255.0.0.0
 network-object 116.0.0.0 255.0.0.0
 network-object 117.0.0.0 255.0.0.0
 network-object 118.0.0.0 255.0.0.0
 network-object 119.0.0.0 255.0.0.0
 network-object 120.0.0.0 255.0.0.0
 network-object 121.0.0.0 255.0.0.0
 network-object 122.0.0.0 255.0.0.0
 network-object 123.0.0.0 255.0.0.0
 network-object 124.0.0.0 255.0.0.0
 network-object 125.0.0.0 255.0.0.0
 network-object 126.0.0.0 255.0.0.0
 network-object 175.0.0.0 255.0.0.0
 network-object 176.0.0.0 255.0.0.0
 network-object 177.0.0.0 255.0.0.0
 network-object 178.0.0.0 255.0.0.0
 network-object 179.0.0.0 255.0.0.0
 network-object 180.0.0.0 255.0.0.0
 network-object 181.0.0.0 255.0.0.0
 network-object 182.0.0.0 255.0.0.0
 network-object 183.0.0.0 255.0.0.0
 network-object 185.0.0.0 255.0.0.0
 network-object 186.0.0.0 255.0.0.0
 network-object 187.0.0.0 255.0.0.0
 network-object 189.0.0.0 255.0.0.0
 network-object 190.0.0.0 255.0.0.0
 network-object 193.0.0.0 255.0.0.0
 network-object 194.0.0.0 255.0.0.0
 network-object 195.0.0.0 255.0.0.0
 network-object 197.0.0.0 255.0.0.0
 network-object 200.0.0.0 255.0.0.0
 network-object 201.0.0.0 255.0.0.0
 network-object 202.0.0.0 255.0.0.0
 network-object 210.0.0.0 255.0.0.0
 network-object 211.0.0.0 255.0.0.0
 network-object 212.0.0.0 255.0.0.0
 network-object 213.0.0.0 255.0.0.0
 network-object 217.0.0.0 255.0.0.0
 network-object 218.0.0.0 255.0.0.0
 network-object 219.0.0.0 255.0.0.0
 network-object 220.0.0.0 255.0.0.0
 network-object 221.0.0.0 255.0.0.0
 network-object 222.0.0.0 255.0.0.0
 network-object 223.0.0.0 255.0.0.0
 network-object 224.0.0.0 224.0.0.0
 network-object 171.0.0.0 255.192.0.0
 network-object 171.128.0.0 255.128.0.0
 network-object 171.68.0.0 255.252.0.0
 network-object 171.72.0.0 255.248.0.0
 network-object 171.80.0.0 255.240.0.0
 network-object 171.96.0.0 255.224.0.0
 network-object object INTERNATIONAL_104.128.128.0-20
 network-object object INTERNATIONAL_AllSTREAM_ONTARIO_CA
 network-object object INTERNATIONAL_VANCOUVER_ISLAND_UNIVERSITY
 network-object object INTERNATIONAL_WIZARD-TOWER-TECHNO-SERVICES_VANCOUVER_CA
 network-object object IANA-RESERVED-100.64.0.0
 network-object object INTERNATIONAL_EASTLINK.CA
 network-object object 203.0.0.0

object network INTERNATIONAL_AllSTREAM_ONTARIO_CA
 subnet 104.36.8.0 255.255.248.0
 description Allstream, Ontario, CA
object network INTERNATIONAL_104.128.128.0-20
 subnet 104.128.128.0 255.255.240.0
 description Central Asia
object network INTERNATIONAL_WIZARD-TOWER-TECHNO-SERVICES_VANCOUVER_CA
 subnet 104.128.144.0 255.255.240.0
 description Wizard Tower Techno Services, Vancouver CA
object network INTERNATIONAL_VANCOUVER_ISLAND_UNIVERSITY
 subnet 104.128.240.0 255.255.240.0
 description Vancouver Island University
object network INTERNATIONAL_EASTLINK.CA
 subnet 10.42.240.0 255.255.240.0
 description EASTLINK.CA
object network 203.0.0.0
 subnet 203.0.0.0 255.0.0.0
 description APNIC networks
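As an added example (not code from the thread or from kevinhsieh), the script below parses ASA object-group syntax like the list above into Python ipaddress networks and runs the checks a reviewer would want before trusting such a deny list: which members overlap space that can never be a source address on the outside interface (bogon entries belong there deliberately, but the EASTLINK.CA object above sits in 10.0.0.0/8 and so never matches Internet traffic), which member matches a given address, and how much of IPv4 the list covers once overlaps are collapsed. The SAMPLE_CONFIG is a constructed subset of the posted list; the function names are the example's own.

```python
"""Audit helper for an ASA 'object-group network' deny list (added example)."""
import ipaddress
import re

# Constructed sample: a handful of members from the posted list plus two of
# its referenced objects, so the script runs offline.
SAMPLE_CONFIG = """\
object-group network INTERNET_INTERNATIONAL_NETWORKS
 network-object 1.0.0.0 255.0.0.0
 network-object 224.0.0.0 224.0.0.0
 network-object 171.68.0.0 255.252.0.0
 network-object object INTERNATIONAL_EASTLINK.CA
 network-object object 203.0.0.0
object network INTERNATIONAL_EASTLINK.CA
 subnet 10.42.240.0 255.255.240.0
 description EASTLINK.CA
object network 203.0.0.0
 subnet 203.0.0.0 255.0.0.0
 description APNIC networks
"""

# Ranges that cannot be the source of a packet arriving from the Internet:
# RFC 1122 this-network, RFC 1918, RFC 6598 CGNAT, loopback, link-local,
# multicast and class E.
NON_ROUTABLE = [ipaddress.ip_network(c) for c in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]


def _net(address, mask):
    # ipaddress accepts a dotted mask after the slash: "224.0.0.0/224.0.0.0" -> /3
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def parse_asa(config):
    """Return {group_name: [IPv4Network, ...]} with 'object' references resolved.

    Resolution is deferred to the end because, as in the posted config, the
    object-group can appear before the object definitions it references."""
    objects, groups = {}, {}
    current = None                       # ("group", name) or ("object", name)
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"object-group network (\S+)$", line):
            current = ("group", m.group(1))
            groups[m.group(1)] = []
        elif m := re.match(r"object network (\S+)$", line):
            current = ("object", m.group(1))
        elif current is None:
            continue
        elif current[0] == "object":
            if m := re.match(r"subnet (\S+) (\S+)$", line):
                objects[current[1]] = _net(m.group(1), m.group(2))
            elif m := re.match(r"host (\S+)$", line):
                objects[current[1]] = ipaddress.ip_network(m.group(1))
        else:
            members = groups[current[1]]
            if m := re.match(r"network-object host (\S+)$", line):
                members.append(ipaddress.ip_network(m.group(1)))
            elif m := re.match(r"network-object object (\S+)$", line):
                members.append(("ref", m.group(1)))   # resolved below
            elif m := re.match(r"network-object (\S+) (\S+)$", line):
                members.append(_net(m.group(1), m.group(2)))
    return {name: [objects[mem[1]] if isinstance(mem, tuple) else mem
                   for mem in members]
            for name, members in groups.items()}


def unroutable_members(networks):
    """Members overlapping non-routable space. Bogon entries belong here on
    purpose; an entry whose description names an ISP is a mistyped address."""
    return [n for n in networks if any(n.overlaps(s) for s in NON_ROUTABLE)]


def matching_members(networks, address):
    """Entries that would match a given source address."""
    addr = ipaddress.ip_address(address)
    return [n for n in networks if addr in n]


def covered_addresses(networks):
    """Number of distinct IPv4 addresses the list covers (overlaps collapsed)."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(networks))


if __name__ == "__main__":
    members = parse_asa(SAMPLE_CONFIG)["INTERNET_INTERNATIONAL_NETWORKS"]
    print("members:", [str(n) for n in members])
    print("non-routable:", [str(n) for n in unroutable_members(members)])
    print("matches 203.0.113.5:",
          [str(n) for n in matching_members(members, "203.0.113.5")])
    print(f"covers {covered_addresses(members) / 2**32:.1%} of IPv4")
```

Paste the full group and its object definitions into SAMPLE_CONFIG (or read them from a `show running-config object-group` dump) to audit the real list; any member reported as non-routable with an ISP description is worth re-checking against the registry data it was copied from.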
netcmhAuthor Commented:
Or, I could just create a network object for the IPs of US and Canada and have it become the only source for allowed traffic for the internet facing resources.

netcmhAuthor Commented:
Wrote a batch file using unxutils to pull the aggregated zone file from ipdeny.com and then modify it to be a workable network object

@echo off
setlocal EnableDelayedExpansion

rem Pull the aggregated US list (one CIDR prefix per line) with the unxutils wget
wget http://www.ipdeny.com/ipblocks/data/aggregated/us-aggregated.zone

set InFile=us-aggregated.zone
set OutFile=us-aggregated-formatted.zone

rem Prefix length to dotted netmask, as network-object expects. /31 and /32 are
rem included because aggregated zone files can contain entries written as x.x.x.x/32.
set map[32]=255.255.255.255
set map[31]=255.255.255.254
set map[30]=255.255.255.252
set map[29]=255.255.255.248
set map[28]=255.255.255.240
set map[27]=255.255.255.224
set map[26]=255.255.255.192
set map[25]=255.255.255.128
set map[24]=255.255.255.0
set map[23]=255.255.254.0
set map[22]=255.255.252.0
set map[21]=255.255.248.0
set map[20]=255.255.240.0
set map[19]=255.255.224.0
set map[18]=255.255.192.0
set map[17]=255.255.128.0
set map[16]=255.255.0.0
set map[15]=255.254.0.0
set map[14]=255.252.0.0
set map[13]=255.248.0.0
set map[12]=255.240.0.0
set map[11]=255.224.0.0
set map[10]=255.192.0.0
set map[9]=255.128.0.0
set map[8]=255.0.0.0

(
  for /f "usebackq tokens=1-2 delims=/" %%A in ("%InFile%") do (
    if "%%B" == "" (
      rem No prefix length: a single address
      echo network-object host %%A
    ) else if "%%B" == "32" (
      echo network-object host %%A
    ) else if defined map[%%B] (
      echo network-object %%A !map[%%B]!
    ) else (
      rem A prefix shorter than /8 has no mask in the table; report it on stderr
      rem instead of writing a network-object line with an empty mask into the config
      echo UNHANDLED prefix length /%%B for %%A 1>&2
    )
  )
)>"%OutFile%"

endlocal

Anything glaringly obvious that I might be making a mistake on?
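An added example (not the poster's script and not from ipdeny.com) of the same conversion in Python: the ipaddress module derives the dotted mask for any prefix length, so no /8 to /30 lookup table is needed; lines whose host bits are set are rejected rather than silently turned into a wrong network-object; adjacent prefixes are merged, which is the aggregation kevinhsieh mentions below; and the output is completed with the allow-only ACL the question asks for. SAMPLE_ZONE is a constructed input, and the group, ACL and interface names (GEO_ALLOW_US, OUTSIDE_IN, outside) are assumptions.

```python
"""Turn an ipdeny.com aggregated zone file into an ASA allow-list (added example)."""
import ipaddress
import sys

# Constructed sample in zone-file format (one CIDR prefix per line).
# The 192.0.2.1/24 line is deliberately malformed (host bits set).
SAMPLE_ZONE = """\
# constructed sample, not a real country list
3.0.0.0/8
4.0.0.0/6
198.51.100.0/24
203.0.113.8
203.0.113.9/32
192.0.2.1/24
"""


def parse_zone(zone_text):
    """Return (networks, rejected_lines). strict=True refuses prefixes whose
    host bits are set, which would otherwise become a wrong network-object."""
    networks, rejected = [], []
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append(line)
            continue
        if net.version == 4:             # this ACL is IPv4 only
            networks.append(net)
    return networks, rejected


def network_object_line(net):
    """One ASA network-object line; a /32 is written in the 'host' form."""
    if net.prefixlen == 32:
        return f" network-object host {net.network_address}"
    return f" network-object {net.network_address} {net.netmask}"


def render_object_group(networks, group_name, aggregate=True):
    """Emit the object-group. aggregate=True merges adjacent and overlapping
    prefixes (two neighbouring /32s become one /31), shrinking the group."""
    if aggregate:
        networks = ipaddress.collapse_addresses(networks)
    return "\n".join([f"object-group network {group_name}"]
                     + [network_object_line(n) for n in networks])


def render_allowlist_acl(acl_name, group_name, interface="outside"):
    """Allow-only policy: permit the geo group, then explicitly deny and log
    everything else so blocked sources show up in syslog."""
    return "\n".join([
        f"access-list {acl_name} extended permit ip object-group {group_name} any",
        f"access-list {acl_name} extended deny ip any any log",
        f"access-group {acl_name} in interface {interface}",
    ])


if __name__ == "__main__":
    # Usage: python geo_allow.py us-aggregated.zone > geo_allow_us.cfg
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    nets, bad = parse_zone(text)
    for line in bad:
        print(f"rejected: {line}", file=sys.stderr)
    print(render_object_group(nets, "GEO_ALLOW_US"))
    print(render_allowlist_acl("OUTSIDE_IN", "GEO_ALLOW_US"))
```

The permit line is deliberately broad for the example; in production it would be narrowed to the public service hosts and ports, and the Canadian zone file would be parsed into the same group before rendering. Because the whole group is regenerated from the source file, re-running the script after each ipdeny.com update and diffing the output against the running config is a cheap way to see what changed.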
kevinhsiehCommented:
I don't really have the skills to check out the script. From the web site, you would still have 15,400 IP prefixes for just the US. My block list is significantly shorter, if not 100% accurate.

http://www.ipdeny.com/blog/ipv4-ip-address-blocks-aggregation/
netcmhAuthor Commented:
No helpful comments were provided. I'm closing this ticket as I was notified that it was abandoned.