
Cisco ASA 5525 geoblocking

dotwell11
Level 1

Hello,

 

I was curious to see if anybody has any recommendations/best practices for geoblocking IPs on a Cisco ASA 5525.  We'd like to block all foreign IPs, but not sure if this is a completely manual process or not.  And if it is manual, does anybody have any suggestions on how they've done this in the past?  Thank you in advance for any help.

 

Tom

2 Replies

ASA can not do this dynamically.  You would need a NGFW such as Firepower to do this.

Or you could look up your country's assigned IP address space and add a permit statement for that subnet and then deny all other traffic.  Then, if needed, you could add permit statements for select country IP address spaces if needed.

 

Personally, I have never done this type of thing manually.  We purchased a NGFW that will do this for us if needed.

--
Please remember to select a correct answer and rate helpful posts

Not having a NGFW, I do like Marius's reply above.

It would be easier to allow your origin country IP ranges and deny all others instead of trying to deny IP ranges from 247 countries.

However, I have recently heard of two separate instances where using broad stroke Geo-Blocking has led to unexpected outcomes.

In two separate cases, an organization blocked some of their cloud based services because they did not know that their hosting organization used pathways and services in countries other than what they had specifically allowed.

 

Also, mass Geo-Blocking may open the potential for performance lag on your ASA.
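
The manual allow-list approach from the replies above, as an added example that is not part of the original thread: a Python script that collapses a country's CIDR list into the fewest ranges (to keep the ACL small) and renders ASA object groups plus a permit-then-deny ACL, with a separate group for cloud-service exceptions. The group names, ACL name, interface name and the sample ranges (documentation prefixes) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: documentation prefixes, not real country allocations.
HOME_COUNTRY_CIDRS = """
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.16/28   # already covered by the /24 above
192.0.2.0/26
192.0.2.64/26
"""
# Constructed exception list: cloud services reached via ranges outside the home country.
CLOUD_EXCEPTION_CIDRS = "192.0.2.128/25"

def parse_cidrs(text):
    """One CIDR per line; skips blanks and # comments; rejects entries with host bits set."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets

def aggregate(nets):
    """Merge adjacent and overlapping IPv4 ranges so the ASA carries fewer entries."""
    return list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))

def object_group(name, nets):
    """Render an ASA 'object-group network' block, one network-object per range."""
    return [f"object-group network {name}"] + [
        f" network-object {n.network_address} {n.netmask}" for n in nets]

def build_config(home_text, cloud_text, acl="OUTSIDE_IN", iface="outside", dest="any"):
    """Permit the two allow-lists, deny and log everything else, bind to the interface."""
    home = aggregate(parse_cidrs(home_text))
    cloud = aggregate(parse_cidrs(cloud_text))
    cfg = object_group("GEO_HOME", home) + object_group("GEO_CLOUD_EXCEPTIONS", cloud)
    for group in ("GEO_HOME", "GEO_CLOUD_EXCEPTIONS"):
        # dest="any" mirrors the thread; narrowing it to published servers is tighter.
        cfg.append(f"access-list {acl} extended permit ip object-group {group} {dest}")
    cfg.append(f"access-list {acl} extended deny ip any any log")
    cfg.append(f"access-group {acl} in interface {iface}")
    return cfg

if __name__ == "__main__":
    print("\n".join(build_config(HOME_COUNTRY_CIDRS, CLOUD_EXCEPTION_CIDRS)))
```

Review the output before pasting it into the ASA: the `access-group` line replaces whatever ACL is already bound inbound on that interface, so existing entries need to be merged into the generated list first.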
