topic To Block traffic base on country at Cisco ASA 5515-X in Network Security

To Block traffic base on country at Cisco ASA 5515-X

journey jane — Tue, 13 Dec 2022 04:04:12 GMT

Dear all,

I would like to ask some help that i want to do deny policy at cisco ASA 5515-X base on country. i think it is layer 4 firewall, it is not possible, but i would like to make sure. Anyone can help for it? Thanks much.

Re: To Block traffic base on country at Cisco ASA 5515-X

Kasun Bandara — Tue, 13 Dec 2022 05:11:44 GMT

you can do this by configuring firepower with ASA. do you have firepower module installed in ASA?

Re: To Block traffic base on country at Cisco ASA 5515-X

journey jane — Tue, 13 Dec 2022 05:29:14 GMT

Hello @Kasun Bandara

i have no firepower module installed. it is just layer 4 firewall and managed by asdm. Thanks.

Re: To Block traffic base on country at Cisco ASA 5515-X

Kasun Bandara — Tue, 13 Dec 2022 06:05:42 GMT

in that case, its really hard because you need to find network blocks assigned for each country and create rules. recommended way is to use Firepower. or have firewall with country list blocking/allow features

Re: To Block traffic base on country at Cisco ASA 5515-X

lcaruso — Tue, 13 Dec 2022 07:09:13 GMT

See this site. If you are handy with Python or large text editing operations, you can massage the generated ACLs for direct input into the ASA. I have a script I can dig up possibly let me know if you need it.

https://www.countryipblocks.net/acl.php

You can build your own ACLs and import them into the ASA config

Depending on which ASA you have, performance can be an issue. Before Firepower, I implemented these for a few large countries and my ACL had 10,000 ACEs which was on a 5525. Just be aware you will want console access in case you overwhelm your ASA. Do not save the config until you test and determine performance.

Re: To Block traffic base on country at Cisco ASA 5515-X

journey jane — Tue, 13 Dec 2022 08:56:28 GMT

Hello @Kasun Bandara

Can i use whitelist for those ip addresses at asa 5515-x? May it work? coz i have never been before. thank you.

Re: To Block traffic base on country at Cisco ASA 5515-X

Kasun Bandara — Tue, 13 Dec 2022 09:19:39 GMT

you can create address groups for each country in ASDM which have IP address ranges for respective country. and use them in access lists to allow or deny traffic. but this is very difficult because 1st you need to find and list down IP address ranges related to countries (IPv4/IPv6) and create long lists of ranges in groups. also these mappings may change dynamically in future. so manually doing it is not recommended and not easy. if you know exact IPs to block or allow, you can configure them with access lists.

Re: To Block traffic base on country at Cisco ASA 5515-X

Marvin Rhoads — Tue, 13 Dec 2022 14:06:23 GMT

You can do this in theory as noted by the other responders in this thread. In practice, however, it is a losing proposition.

It is much less work and much more effective to just get a proper modern firewall running FTD where this feature is built-in and requires on a few clicks to turn on.

Re: To Block traffic base on country at Cisco ASA 5515-X

journey jane — Tue, 13 Dec 2022 14:54:45 GMT

Hello @Kasun Bandara

Thanks for your help. let me try with this way.

Re: To Block traffic base on country at Cisco ASA 5515-X

journey jane — Tue, 13 Dec 2022 14:57:38 GMT

Your suggestion is valid. Thanks much. @Marvin Rhoads .