
Cisco ASA 5515-X blocks IP address even though the IP address is within the same country I accepted

mesarojkhadka84
Level 1

Hello, 

 

Cisco ASA 5515-X blocks an IP address even though the IP address is within the same country I accepted. As in some of the community discussions I have seen, I checked the IP prefix at http://www.find-ip-address.org/ip-country/, but the initiator's blocked IP is not in the country list. How can I get the database updated? Whom should I contact? Can anyone help me regarding this issue?

 

Thank you.


Well, each country is assigned blocks of IP subnets so if the IP that you are given is not part of the IP block assigned to your country I would start by finding out which country it is actually assigned to.  If the IP is part of your country and not recognized in your filter, you may need to update your GeoLocation database.

Is this a dynamic IP or a static IP that you have been assigned?  If it is a dynamic IP, and you find it is not part of your country's IP block, I would suggest contacting your ISP and inquiring why that IP is not part of the country IP block.

 

--
Please remember to select a correct answer and rate helpful posts

The IP is assigned to country "NP" by APNIC. All the online databases show it as country "NP", no doubt, but http://www.find-ip-address.org/ip-country/ does not show my IP range when searching for country "NP". The geo_location is updated. The /23 IP is being blocked, including dynamic and static. So, I want to know which database Cisco uses to verify the country. If it is not updated in the database used by Cisco, I can ask them to update the databases.

Thank You, 

Marvin Rhoads
Hall of Fame

Are you sure it is being blocked due to Geoblocking and not some other policy element?

Can you share a screenshot of your policy and a connection event showing the block?

Yes, this is the screenshot.

I don't see the associated policy or indication of block event in that screenshot.

The hosting company is using this firewall and they sent me the same screenshot. The service hosted at their company is not accessible from my IP address. They told me they are using a firewall policy under which IPs within the country Nepal are accepted and the rest are blocked. Except for my /23 IP, all the IPs from Nepal can access their service.
Again I asked them for a screenshot and they sent me the same screenshot. Should I ask them for a screenshot of the policy they are using, or for the reason the IP is blocked?

If you send me a PM of your public IP address I will check it in my Firepower to see if it also reports the wrong country.

This is the policy they are using. 

I suspect that your IPs are being blocked by the Asia geolocation they have in their deny rule.  Could you get your ISP to confirm this via screenshot of their logs?  You can also ask them to add your /23 subnet with the permit rule for Nepal.  That way you will be up and running and can have some breathing room while figuring out why your subnet is not included in the Nepal geolocation rule.

--
Please remember to select a correct answer and rate helpful posts
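The rule interaction suggested in the reply above, as an added example that is not part of the thread and is not Cisco configuration: a simplified first-match policy model in Python. The rule names, the prefix 198.18.0.0/23 (a benchmarking range standing in for the poster's /23), the placeholder country code "ZZ", both geolocation tables, and the assumption that the Nepal permit rule sits above the Asia deny rule are all constructed for illustration.

```python
import ipaddress

CLIENT_NET = ipaddress.ip_network("198.18.0.0/23")  # constructed stand-in for the /23

# Constructed geolocation tables: prefix -> (country, continent)
CURRENT_DB = {ipaddress.ip_network("198.18.0.0/23"): ("NP", "Asia")}
STALE_DB = {ipaddress.ip_network("198.18.0.0/15"): ("ZZ", "Asia")}  # older, coarser record

def geo_lookup(db, addr):
    """Longest-prefix match; returns (country, continent) or (None, None)."""
    ip = ipaddress.ip_address(addr)
    hits = [net for net in db if ip in net]
    if not hits:
        return (None, None)
    return db[max(hits, key=lambda net: net.prefixlen)]

def rule_matches(rule, addr, db):
    """A rule matches if any of its source conditions matches the address."""
    country, continent = geo_lookup(db, addr)
    ip = ipaddress.ip_address(addr)
    return (country in rule.get("countries", ())
            or continent in rule.get("continents", ())
            or any(ip in net for net in rule.get("networks", ())))

def evaluate(policy, addr, db):
    """First matching rule wins; anything unmatched hits the default block."""
    for rule in policy:
        if rule_matches(rule, addr, db):
            return rule["action"], rule["name"]
    return "block", "default"

# Hypothetical policy: permit Nepal, then deny the rest of Asia
POLICY = [
    {"name": "permit-nepal", "action": "allow", "countries": {"NP"}},
    {"name": "deny-asia", "action": "block", "continents": {"Asia"}},
]
# Workaround from the reply: add the /23 itself to the Nepal permit rule
PATCHED = [dict(POLICY[0], networks=[CLIENT_NET]), POLICY[1]]

def demo(addr="198.18.1.25"):
    return {
        "current_db": evaluate(POLICY, addr, CURRENT_DB),
        "stale_db": evaluate(POLICY, addr, STALE_DB),
        "stale_db_patched": evaluate(PATCHED, addr, STALE_DB),
    }

if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

With the stale table the address never matches the country condition and falls through to the continent deny, while the explicit network entry allows it regardless of what the geolocation database says.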

@mesarojkhadka84 shared his IP address privately. Both a current FMC Geolocation lookup and whois.apnic.net report his address as being in Nepal.

Yes, the IP details are correct. Now what should I do further? Should I contact the hosting company that is using the firewall, or what is the solution now?

If you do not have direct access to the firewall to provide us with further information, you need to contact the firewall hosting company and ask them to troubleshoot this issue.

--
Please remember to select a correct answer and rate helpful posts