Best way to block non-US countries on Cisco ASA 5520

William Reed
Level 1

Hello,

I have been looking at the CIPB website and want to figure out the best way to block Russia, India, China, Iran, basically all non North American IPs.

Has anyone done this on an ASA? If so, how did you accomplish it? I also have a 3750G I could use.

https://www.countryipblocks.net/country_selection.php

12 Replies

Philip D'Ath
VIP Alumni

Sounds like a terrible idea to me.  You might as well just create a private WAN.

Seems like a great idea to me and something others are doing. There is no need for the Russian Federation to be able to talk to my networks. Not sure where the disconnect is?

I agree completely. Just like a kitchen appliance store in Djibouti, Djibouti does not really have to offer IP access to/from Boise, Idaho. Our own internet service is for specific U.S. customers only, and is not even public, therefore we have no need for anyone outside the U.S. to ever access any of our IPs, period.

It would be nice in the future if there was a more efficient means of blocking countries/regions. Just dealing with reality, 99% of attacks for us are coming from China alone, and as we offer not a single service for anyone in China, there is absolutely no need for anyone in China to try to connect; therefore we have no reason to allow this, and every reason to deny their IPs.

Instead of denying based on the list, do an allow on a list containing only US/Canadian IPs.

Please rate useful posts and mark answers as correct if applicable.


Yes, this is what I want to do. Is there any way to take the raw data from the CIPB and convert it into a big ASA object?

Disagree. If the business unit has no need to connect to foreign IPs, why allow it?

Hello,

We don't block ALL IPs right off the bat but we do block any IPs we feel need to be blocked at the time. When our IPS alerts on activity we will decide if we need to add the IP to the blocked list.

We do this by creating a Network Object Group w/ the IPs or ranges in it and create an access rule on the OUTSIDE interface coming in to drop the traffic referencing the group.

We are a global organization, so automatically blocking IPs from different countries with no reason is out of the question.

Please rate useful posts and mark answers as correct if applicable.
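The object-group plus inbound access rule described in the reply above, and the earlier question about turning a raw CIPB export into an ASA object, as an added example (not code from the thread or from Cisco): it parses a CIDR-per-line list, merges adjacent prefixes per address family, and emits ASA 9.x-style `object-group network` and `access-list` lines for either a block list or the allow-only approach. The CIDR sample is constructed, not real country data; the group and ACL names and the interface name `outside` are assumptions.

```python
import ipaddress

# Constructed sample list (not real country ranges), one CIDR per line.
SAMPLE_CIDRS = """
# constructed sample export
198.51.100.0/24
198.51.101.0/24
203.0.113.0/25
192.0.2.17/32
2001:db8:abcd::/48
"""

def parse_cidr_list(text):
    """Parse a CIDR-per-line export; blank lines and '#' comments are skipped.
    Adjacent/overlapping prefixes are merged per address family so the
    object-group stays as small as possible (fewer entries, less ACL work)."""
    v4, v6 = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=True)
        (v4 if net.version == 4 else v6).append(net)
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def network_object_line(net):
    """Render one prefix in ASA 'network-object' syntax (mask form for IPv4)."""
    if net.version == 6:
        return f" network-object {net.with_prefixlen}"
    if net.prefixlen == 32:
        return f" network-object host {net.network_address}"
    return f" network-object {net.network_address} {net.netmask}"

def build_asa_config(text, group="COUNTRY_BLOCK", acl="OUTSIDE_IN", allowlist=False):
    """Return ASA CLI lines: the object-group plus ACL entries applied inbound on
    the outside interface. allowlist=False denies the listed prefixes (block list);
    allowlist=True permits only the listed prefixes and denies everything else."""
    lines = [f"object-group network {group}"]
    lines += [network_object_line(n) for n in parse_cidr_list(text)]
    if allowlist:
        lines.append(f"access-list {acl} extended permit ip object-group {group} any")
        lines.append(f"access-list {acl} extended deny ip any any log")
    else:
        # Deny entries must sit above any permit lines in the same ACL.
        lines.append(f"access-list {acl} extended deny ip object-group {group} any log")
    lines.append(f"access-group {acl} in interface outside")
    return lines

if __name__ == "__main__":
    print("\n".join(build_asa_config(SAMPLE_CIDRS)))
```

Paste the output into configuration mode, keeping the deny line ahead of any existing permit entries in the same ACL; a real country export produces thousands of entries, which is the performance concern raised later in this thread for the smaller boxes.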

Yes, this is what I have been doing. It seems like I get a lot of attacks from India and Russia. I would like to just block those countries completely as they have no need to talk to me. I am not a global organization.

Then you will just need to proactively add the ranges.

Please rate useful posts and mark answers as correct if applicable.


This is what I am doing, but France is really becoming a pain in the butt. I spend most of my time blocking IPs from there trying to access my phone switch. And as IPv6 becomes more active this will be an even bigger headache.

Marvin Rhoads
Hall of Fame

The new model ASA (5500-X series) with FirePOWER Services allows this using the IPS feature as it integrates with a geolocation database that is periodically updated.

Here's an example from the configuration guide: http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Access_Control_Rules__Network_Based.html#ID-2195-00000127

Otherwise you have to use the manual (and imprecise) route of crafting huge network object groups that are called out in your access-lists. That's the method referenced by the earlier reply. Note it can have a negative impact on performance for the smaller boxes.

sbavington
Level 1

Get a purpose-built device, save some money and get great performance: TippingPoint.
