https://community.cisco.com/t5/network-security/restricting-inbound-access-on-asa5540/m-p/1301680#M859292 <HTML><HEAD></HEAD><BODY><P>Explain to your customer how simple it is to spoof a source IP address and weigh that against the complexity and performance effects of a monstrous ACL.</P></BODY></HTML> Fri, 26 Jun 2009 14:56:28 GMT kcaskey 2009-06-26T14:56:28Z https://community.cisco.com/t5/network-security/restricting-inbound-access-on-asa5540/m-p/1301676#M859263 <P>I have a customer that wants to restrict inbound access from the internet to their webservers to only North American traffic. They have indicated that they have a list of 40,000 IPs that they want to explicitly allow. They would like this restricted access to be provided by the ASA. The IPs are not contiguous. I can't see how this could possibly be done via access-lists that would not kill the box. Any suggestions?</P><P></P><P>Thanks in advance. </P> Mon, 11 Mar 2019 15:45:32 GMT https://community.cisco.com/t5/network-security/restricting-inbound-access-on-asa5540/m-p/1301676#M859263 l.blair 2019-03-11T15:45:32Z https://community.cisco.com/t5/network-security/restricting-inbound-access-on-asa5540/m-p/1301677#M859270 <HTML><HEAD></HEAD><BODY><P>Blocking by country is the one of the most inefficient ways to restrict access to your configuration. The device will still have to compare all new incoming connections to this access-list which will likely affect the performance of the device.</P><P></P><P>40,000 IPs/network ranges seems excessive for US IPs...perhaps you could allow only ARIN IP ranges?</P><P></P><P><A class="jive-link-custom" href="https://www.arin.net/knowledge/ip_blocks.html" target="_blank">https://www.arin.net/knowledge/ip_blocks.html</A></P></BODY></HTML> Thu, 18 Jun 2009 23:12:27 GMT https://community.cisco.com/t5/network-security/restricting-inbound-access-on-asa5540/m-p/1301677#M859270 Patrick0711 2009-06-18T23:12:27Z https://community.cisco.com/t5/network-security/restricting-inbound-access-on-asa5540/m-p/1301678#M859279 <HTML><HEAD></HEAD><BODY><P>It depends on the ASA platform. Every ACE will require memory space. There is also the lookup time required for the ACL checks that again, will depend on the platform for their speed.</P></BODY></HTML> Fri, 26 Jun 2009 02:38:54 GMT https://community.cisco.com/t5/network-security/restricting-inbound-access-on-asa5540/m-p/1301678#M859279 plumbis 2009-06-26T02:38:54Z https://community.cisco.com/t5/network-security/restricting-inbound-access-on-asa5540/m-p/1301679#M859288 <HTML><HEAD></HEAD><BODY><P>Deny based on ip address does not seems to be a good solution as it will eat all the resources on the ASA, you should find some other way of blocking the traffic.</P><P>My sugestion would be use an external authentication server and restrict the noumber of connections to the weebserver on asa to 40,000 and provide a username and password to the users.</P></BODY></HTML> Fri, 26 Jun 2009 04:57:32 GMT https://community.cisco.com/t5/network-security/restricting-inbound-access-on-asa5540/m-p/1301679#M859288 svaish 2009-06-26T04:57:32Z https://community.cisco.com/t5/network-security/restricting-inbound-access-on-asa5540/m-p/1301680#M859292 <HTML><HEAD></HEAD><BODY><P>Explain to your customer how simple it is to spoof a source IP address and weigh that against the complexity and performance effects of a monstrous ACL.</P></BODY></HTML> Fri, 26 Jun 2009 14:56:28 GMT https://community.cisco.com/t5/network-security/restricting-inbound-access-on-asa5540/m-p/1301680#M859292 kcaskey 2009-06-26T14:56:28Z