07-13-2020 12:43 AM - edited 07-13-2020 12:44 AM
Hello,
Cisco ASA 5515-X blocks ip address even the ip address is within the same country i accpeted. As some of the community discussion i have seen & check the ip prefix in http://www.find-ip-address.org/ip-country/ . but initiator blocked ip is not in the country list. How can i get the database updated? Whom i should contact? Can anyone help me regarding this issue?
Thank you.
07-13-2020 02:20 PM
Well, each country is assigned blocks of IP subnets so if the IP that you are given is not part of the IP block assigned to your country I would start by finding out which country it is actually assigned to. If the IP is part of your country and not recognized in your filter, you may need to update your GeoLocation database.
Is this a dynamic IP or a static IP that you have been assigned? If it is a dynamic IP, and you find it is not part of your country's IP block, I would suggest contacting your ISP and inquire why that IP is not part of the country IP block.
07-13-2020 08:10 PM
The IP is assigned for country "NP" by APNIC. All the online databases shows as Country "NP" no doubt but http://www.find-ip-address.org/ip-country/ does not show my ip range while searching for country "NP". The geo_location is updated. /23 ip is being blocked including Dynamic & Static. So, I wanna know which database does Cisco use to verify the country. If not updated on database used by Cisco, i can ask them to update the databases.
Thank You,
07-13-2020 09:22 PM
Are you sure it is being blocked due to Geoblocking and not some other policy element?
Can you share a screenshot of your policy and a connection event showing the block?
07-13-2020 09:57 PM
07-13-2020 10:44 PM
I don't see the associated policy or indication of block event in that screenshot.
07-13-2020 11:04 PM
The Hosting company are using this firewall and they had send me the same screenshot, the service being hosted in their company is not accessible through my ip address. They told me they are using firewall policy that the ip within the country Nepal is accepted and remaining will be blocked. Except my /23 ip all the ip from Nepal can access their service.
Again i asked them for a screenshot and they send me the same screenshot. Should i ask them for the screenshot of policy they are using or the reason of blocking the ip ?
07-14-2020 03:23 AM
If you send me a PM of your public IP address I will check it in my Firepower to see if it also reports the wrong country.
07-13-2020 11:39 PM
07-14-2020 12:10 PM
I suspect that your IPs are being blocked by the Asia geolocation they have in their deny rule. Could you get your ISP to confirm this via screenshot of their logs? You can also ask them to add your /23 subnet with the permit rule for Nepal. That way you will be up and running and can have some breathing room while figuring out why your subnet is not included in the Nepal geolocation rule.
07-14-2020 11:25 PM
@mesarojkhadka84 shared his IP address privately. Both a current FMC Geolocation lookup and whois.apnic.net report his address as being in Nepal.
07-14-2020 11:39 PM
Yes the ip details are correct, Now what should i do further? Should i contact the hosting company who is using the firewall or what is the solution now?
07-16-2020 03:32 AM
If you do not have direct access to the firewall to provide us with further information, you need to contact the firewall hosting company and ask them to troubleshoot this issue.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide