topic Hi Rob, in Network Security

Cisco ASA 5505 - Filtering Non-US IPs?

robertramsey — Tue, 12 Mar 2019 06:57:05 GMT

I would like to filter all inbound Non-US IPv4 addresses at my Cisco ASA 5505’s outside interface.

Hi Rob,

Shivapramod M — Thu, 26 Nov 2015 05:40:39 GMT

Hi Rob,

What is the size of the RAM in your ASA? is it 1GB?

The ASA devices does not have limit as such to number of the ASA but each Access list element takes small byte from the RAM. So if you have very large amount of the access list element then you may face performance issue such as high memory. So for ASA5505 recommended access lsit elements are 25k.

Since you have to block around 10k it should not be any problem.

show access-list | inc element will show the number of access list elements.

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Hello Shivapramod,

robertramsey — Fri, 27 Nov 2015 15:05:37 GMT

Hello Shivapramod,

Based on your response, you're suggesting that there is no better/easy method to permit only US traffic (or deny all non-US traffic)? Is there a way to automate adding and updating a ~8,286 line ACL to my ASA?

I found several websites that provided example methodology and syntax for downloading and converting the raw Arin list into a format I can use to build my own ACL. I can automate that part of the process with a Linux cron job. However, I haven't found any methods to automatically update my ASA.

Do you have any suggestions on how to automate updating my ASA ACL config?

To answer your question, my ASA has 512MB RAM. I could upgrade it to 1GB if needed (memory is cheap). Reguardless, I still have the problem of entering a 8,286 line ACL into my ASA's configuration.

Thanks in advance,

Rob