11-25-2015 04:58 PM - edited 03-11-2019 11:57 PM
Hello,
I would like to filter all inbound Non-US IPv4 addresses at my Cisco ASA 5505’s outside interface. I found an article (below) that describes a good approach on how to do that. However, the list of US IPv4 allocations is 48,938 lines long and the list of Non-US IPv4 allocations is 8,286 lines long. Is it realistic to add a 48,938 line inbound white list or 8,286 line inbound blacklist to a Cisco ASA 5505? Will the ASA support a 10k+ ACL? Will a 10k+ ACL degrade its performance? There has to be a better way???
Block a country with my Cisco Router or Firewall
http://blogs.cisco.com/security/block-a-country-with-my-cisco-router-or-firewall
After doing a bit of research, I found a suggestion to block or permit using class A IP addressing. Unfortunately, I believe that approach might be a bit too messy as the class A IP space is shared as shown below:
[rramsey@frodo ~]$ grep '|196.' Non-US_IP_Addresses.txt
arin|PR|ipv4|196.1.2.0|256|19951215|assigned|1b5d19b780f7afaf0834444e9f32e7aa
arin|BM|ipv4|196.1.107.0|256|19940719|assigned|a3c5d71b3553953898053b8a3f53a154
arin|JM|ipv4|196.1.136.0|256|19940824|assigned|85e44b0dc7c826fc2ed70365ad80485d
arin|JM|ipv4|196.1.138.0|512|19941130|assigned|87d3585399b93eda8f8f2258b32fdb78
arin|PR|ipv4|196.1.141.0|256|19950117|assigned|d8a3cb5dee4b473ce4c1baba8dc362de
arin|BB|ipv4|196.1.160.0|4096|19961101|allocated|a2808ab99afe76971c2eb926427f0c93
arin|JM|ipv4|196.2.0.0|256|19930211|assigned|77f195edb9244030da810af29b5b4383
arin|JM|ipv4|196.2.1.0|256|19930211|assigned|77f195edb9244030da810af29b5b4383
arin|JM|ipv4|196.3.0.0|2048|19930226|allocated|77f195edb9244030da810af29b5b4383
arin|PR|ipv4|196.3.8.0|1024|19951215|assigned|1b5d19b780f7afaf0834444e9f32e7aa
arin|PR|ipv4|196.3.12.0|512|19951215|assigned|1b5d19b780f7afaf0834444e9f32e7aa
arin|GD|ipv4|196.3.73.0|256|19940202|assigned|8b9642cd469a9917f2d9083743045ea6
arin|JM|ipv4|196.3.95.0|256|19950427|assigned|dc089a157d9aa819b711f04fe1633cdf
arin|JM|ipv4|196.3.104.0|256|19950510|assigned|dd24c2747bcf5ee450bffcd361b9d225
arin|JM|ipv4|196.3.153.0|256|19950831|assigned|448280d8f3c0d7758e7dcd00b901f41d
arin|JM|ipv4|196.3.184.0|2048|19950831|assigned|697918884ad2bc78e5da0cde03a42652
arin|BB|ipv4|196.3.192.0|8192|19950719|allocated|1e55e6c4704ce81afdcc741f21072022
arin|PR|ipv4|196.12.0.0|2048|19951215|assigned|1b5d19b780f7afaf0834444e9f32e7aa
arin|PR|ipv4|196.12.8.0|512|19951215|assigned|1b5d19b780f7afaf0834444e9f32e7aa
arin|BM|ipv4|196.12.64.0|16384|19940711|assigned|2207f4cd56d277a0d5e0dfc042cb68cb
arin|PR|ipv4|196.12.160.0|8192|19980827|allocated|07ce2359a2ba4e4f87430d3b430afa44
arin|PR|ipv4|196.28.48.0|4096|19960429|allocated|b3befbc5de9a659f6e029ade770a8642
arin|JM|ipv4|196.32.0.0|2048|19951002|allocated|ba7d0834d23b91504bed685901dc3ac5
arin|PR|ipv4|196.32.128.0|8192|19980721|allocated|c2e099f2bff413172f0abd7d473dd93a
arin|PR|ipv4|196.42.0.0|16384|19981229|allocated|d1d344f10884780acd5a590bcbac023f
[rramsey@frodo ~]$ grep '|196.' US_IP_Addresses.txt
arin|US|ipv4|196.1.72.0|512|19930618|assigned|835517d10b3ad10c7eff2da26e26b03b
arin|US|ipv4|196.1.140.0|256|19941213|assigned|2a8792c1f2fd3840df879ab613a8d7d3
arin|US|ipv4|196.1.142.0|256|19950331|assigned|2a8792c1f2fd3840df879ab613a8d7d3
arin|US|ipv4|196.3.32.0|4096|19931006|assigned|b372eff5846d97f3a29a2d061db4a353
arin|US|ipv4|196.3.48.0|2048|19931006|assigned|b372eff5846d97f3a29a2d061db4a353
arin|US|ipv4|196.3.56.0|256|19931006|assigned|b372eff5846d97f3a29a2d061db4a353
arin|US|ipv4|196.4.46.0|512|19940128|assigned|3462dcbe47766206bd50b9ec47e4bad8
arin|US|ipv4|196.4.48.0|4096|19940128|assigned|3462dcbe47766206bd50b9ec47e4bad8
arin|US|ipv4|196.4.64.0|1024|19940128|assigned|3462dcbe47766206bd50b9ec47e4bad8
arin|US|ipv4|196.4.68.0|512|19940128|assigned|3462dcbe47766206bd50b9ec47e4bad8
arin|US|ipv4|196.4.70.0|256|19940128|assigned|3462dcbe47766206bd50b9ec47e4bad8
arin|US|ipv4|196.27.0.0|16384|19950906|allocated|3196899e5842501fd89ae31f26d4b4f3
arin|US|ipv4|196.216.1.0|256|19930208|assigned|db1e7667780f1dcc5a0b0faa1e88bfd1
I recently purchased and set up a Cisco ASA 5505 at home. In just four days, I've denied over 5,000 inbound connection attempts from China, Brazil, and others. The deny statements show an attempt to access ports 22, 23, 80, and 443 on my outside interface; what I suspect is an attempt to gain administrative access to my ASA. Of course, this isn't new traffic, I've just never seen the logs before (previously had a Linksys E3000 at the edge).
Later this week, I'm hoping to set up a hobby web server on a Raspberry Pi (RPi) sitting in my DMZ. I have no idea how well the RPi will stand up to port 80 attacks. I feel like filtering all non-US traffic will go a long way in protecting my RPi web server.
Thanks in advance,
Rob
11-25-2015 09:40 PM
Hi Rob,
What is the size of the RAM in your ASA? Is it 1GB?
The ASA devices do not have a limit as such on the number of access list elements, but each access list element takes a small number of bytes from the RAM. So if you have a very large number of access list elements, then you may face performance issues such as high memory. So for the ASA5505 the recommended number of access list elements is 25k.
Since you have to block around 10k it should not be any problem.
show access-list | inc element will show the number of access list elements.
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
11-27-2015 07:05 AM
Hello Shivapramod,
Based on your response, you're suggesting that there is no better/easy method to permit only US traffic (or deny all non-US traffic)? Is there a way to automate adding and updating a ~8,286 line ACL to my ASA?
I found several websites that provided example methodology and syntax for downloading and converting the raw Arin list into a format I can use to build my own ACL. I can automate that part of the process with a Linux cron job. However, I haven't found any methods to automatically update my ASA.
Do you have any suggestions on how to automate updating my ASA ACL config?
To answer your question, my ASA has 512MB RAM. I could upgrade it to 1GB if needed (memory is cheap). Regardless, I still have the problem of entering an 8,286 line ACL into my ASA's configuration.
Thanks in advance,
Rob
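As an added example (not code from the thread, from Cisco, or from the linked blog), here is the conversion step Rob describes: parsing the ARIN delegated-extended records shown earlier into a collapsed US allow list rendered as ASA object-group lines. The object-group name US_IPV4 is an assumption, the sample records are copied from the thread, and one extra record is constructed with a count that is not a power of two to show why the address range is summarized rather than turned into a single mask.

```python
"""Convert ARIN delegated-extended records into Cisco ASA object-group lines.
Added example for the thread, not Cisco's or the thread's code; the
object-group name and the non-power-of-two record are assumptions."""
import ipaddress

# Records copied from the thread plus two constructed ones: a 768-address
# block (not a single CIDR) and an ipv6 record that must be ignored.
SAMPLE = """\
arin|US|ipv4|196.1.72.0|512|19930618|assigned|835517d10b3ad10c7eff2da26e26b03b
arin|PR|ipv4|196.1.2.0|256|19951215|assigned|1b5d19b780f7afaf0834444e9f32e7aa
arin|US|ipv4|196.4.46.0|512|19940128|assigned|3462dcbe47766206bd50b9ec47e4bad8
arin|US|ipv4|196.4.48.0|4096|19940128|assigned|3462dcbe47766206bd50b9ec47e4bad8
arin|US|ipv4|196.216.1.0|768|19930208|assigned|constructed-non-power-of-two
arin|US|ipv6|2001:db8::|32|20000101|allocated|constructed-ipv6-ignored
"""


def parse_ipv4(text, country):
    """Yield (start_address, count) for the ipv4 records of one country code."""
    for line in text.splitlines():
        f = line.split("|")
        if len(f) >= 5 and f[1] == country and f[2] == "ipv4":
            yield ipaddress.IPv4Address(f[3]), int(f[4])


def to_networks(text, country):
    """Collapse a country's records into the minimal list of IPv4Network.
    The count field is a number of addresses, not a prefix length: a count
    that is not a power of two (or a start that is not aligned to it) needs
    several CIDRs, so we summarize the address range instead of trusting it."""
    nets = []
    for start, count in parse_ipv4(text, country):
        end = start + (count - 1)
        nets.extend(ipaddress.summarize_address_range(start, end))
    return list(ipaddress.collapse_addresses(nets))


def asa_object_group(text, country="US", name="US_IPV4"):
    """Render ASA object-group config; network-object takes a dotted mask."""
    lines = [f"object-group network {name}"]
    for net in to_networks(text, country):
        lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


if __name__ == "__main__":
    print("\n".join(asa_object_group(SAMPLE)))
```

The group can then be referenced from one access-list line (for example `access-list OUTSIDE_IN extended permit ip object-group US_IPV4 any`, an assumed ACL name); the ASA still expands it to one element per network-object, so `show access-list | inc element` from Shivapramod's reply is the right way to compare the result against the 25k figure.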