How best to block countries IP addresses via ASDM/ASA (5555)

Ciscoguy85
Level 1

Hi All, I am looking for some advice on how to block some countries' IP addresses on our ASA 5555 firewall.

On Firepower it's quite easy, we get the option of Geolocation, but on the ASA I can't see a convenient way of doing this. Has anyone had any experience in doing this, or can you advise me on how best to do this?

Thanks in advance for all the help.

14 Replies

balaji.bandi
Hall of Fame

On ASA you still need to make manual entries, as far as I know.

Here is a script that may help you:

https://github.com/in-transit/regional-asa

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you Balaji.bandi.

I'm not quite sure how to interpret the script details you sent.

It's a script; if you run it you get a geo-based list of IP addresses. You need to group those IP addresses manually into ASA objects and block them with an ACL.

Or you can enable the API below and make it work for you the easy way:

https://www.cisco.com/c/en/us/td/docs/security/asa/api/qsg-asa-api.html

A good blog that may help you:

https://medium.com/@daniela.mh20/rest-api-for-cisco-asa-3374a22d2e24

BB


The script is intended to be run on a Unix host. Copy country.list and regional-asa.sh to a folder on your host. Make the .sh file executable (chmod +x regional-asa.sh). Then run it. Based on your inputs, it will generate a file with a listing of network objects and an object-group that you could then use in an ASA ACL.

To be honest, most people don't go to the trouble since the listings end up being huge and may even exceed the capability of an ASA if you were to, for example, try to exclude all of a region like Asia.

Example of running the script:

root@eve-ng:~/asa# ls -al
total 3256
drwxr-xr-x 2 root root    4096 Feb  8 18:03 .
drwx------ 5 root root    4096 Feb  8 17:58 ..
-rw-r--r-- 1 root root    4248 Feb  8 18:03 country.list
-rwxrwxrwx 1 root root    8768 Feb  8 17:59 regional-asa.sh
root@eve-ng:~/asa# ./regional-asa.sh
Please choose the authority you would like to acquire addresses from.
1. ARIN
2. LACNIC
3. APNIC
4. AfriNIC
5. RIPE
 
[1-5]? 3
--2021-02-08 18:03:41--  ftp://ftp.apnic.net/pub/stats/apnic/delegated-apnic-latest
           => 'APNIC.orig'
Resolving ftp.apnic.net (ftp.apnic.net)... 202.12.29.205, 2001:dc0:2001:11::205
Connecting to ftp.apnic.net (ftp.apnic.net)|202.12.29.205|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD (1) /pub/stats/apnic ... done.
==> SIZE delegated-apnic-latest ... 3303673
==> PASV ... done.    ==> RETR delegated-apnic-latest ... done.
Length: 3303673 (3.2M) (unauthoritative)

delegated-apnic-latest            100%[============================================================>]   3.15M  1.00MB/s    in 3.2s    

2021-02-08 18:03:45 (1.00 MB/s) - 'APNIC.orig' saved [3303673]


Would you like to specify a country?
[y/n]? y

Please enter the name or part of the country's english name. Mal
0  :  FK - Falkland Islands (Malvinas)
1  :  GT - Guatemala
2  :  ML - Mali
3  :  MT - Malta
4  :  MV - Maldives
5  :  MW - Malawi
6  :  MY - Malaysia
7  :  SO - Somalia
8  :  None of the above
Please select the nubmer associated with the country you desire.
[0-8]? 6
You have selected:  MY - Malaysia
MY
Creation of APNIC.cidr has started.
Creation of APNIC.cidr has finshed.
Creation of APNIC.conf has started.
 54 / 154 
Creation of APNIC.cidr has finished.
root@eve-ng:~/asa# ls -al
total 3276
drwxr-xr-x 2 root root    4096 Feb  8 18:03 .
drwx------ 5 root root    4096 Feb  8 17:58 ..
-rw-r--r-- 1 root root    2464 Feb  8 18:03 APNIC.cidr
-rw-r--r-- 1 root root   13675 Feb  8 18:03 APNIC.conf
-rw-r--r-- 1 root root 3303673 Feb  8 18:03 APNIC.orig
-rw-r--r-- 1 root root    4248 Feb  8 18:03 country.list
-rwxrwxrwx 1 root root    8768 Feb  8 17:59 regional-asa.sh
root@eve-ng:~/asa# 
root@eve-ng:~/asa# more APNIC.conf
object network APNIC1
subnet 43.228.244.0 255.255.252.0
object network APNIC2
subnet 43.228.248.0 255.255.252.0
object network APNIC3
subnet 43.251.18.0 255.255.254.0
...
(omitted objects 4-153)
...
object network APNIC154
subnet 218.100.75.0 255.255.255.0
object-group network APNIC
network-object object APNIC1
network-object object APNIC2
network-object object APNIC3
network-object object APNIC4
...
(omitted the remaining objects in the object-group)
...
root@eve-ng:~/asa#
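As an added example (not the regional-asa script from the GitHub link, and not the poster's own code), here is the same conversion the script performs, written in Python so the steps are visible. It reads the RIR delegated-stats format shown in the transcript above (registry|cc|type|start|value|date|status), where an ipv4 record carries a host count rather than a prefix length, splits counts that are not powers of two into several aligned CIDRs, collapses adjacent blocks, and emits ASA network objects, an object-group and a deny ACE. The sample records, the group name MY_BLOCK and the ACL name outside_in are constructed assumptions, not data from the page.

```python
import ipaddress
from typing import List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the RIR "delegated" stats layout used by
# delegated-apnic-latest: registry|cc|type|start|value|date|status
# For ipv4 records "value" is a host COUNT, not a prefix length, and it
# need not be a power of two, so one record may become several CIDRs.
# The MY/SG records below are made up for this example.
SAMPLE_DELEGATED = """\
2|apnic|20210208|12345|19830613|20210208|+1000
apnic|*|ipv4|*|12345|summary
apnic|MY|ipv4|43.228.244.0|1024|20140722|allocated
apnic|MY|ipv4|43.228.248.0|1024|20140722|allocated
apnic|SG|ipv4|43.229.0.0|4096|20140801|allocated
apnic|MY|ipv4|202.190.0.0|768|20000101|assigned
apnic|MY|ipv6|2001:e68::|32|20040101|allocated
apnic|MY|asn|4788|1|19950101|allocated
"""


def country_cidrs(text: str, cc: str, family: str = "ipv4") -> List[Net]:
    """Return the collapsed CIDR list for one country code and one address family."""
    nets: List[Net] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # The version header and the summary lines have a different shape;
        # keep only full records for the wanted country and family.
        if len(fields) < 7 or fields[1] != cc or fields[2] != family:
            continue
        start = ipaddress.ip_address(fields[3])
        if family == "ipv4":
            count = int(fields[4])
            # summarize_address_range splits an arbitrary range into the minimal
            # set of aligned prefixes (768 hosts -> one /23 and one /24).
            nets.extend(ipaddress.summarize_address_range(start, start + count - 1))
        else:
            # ipv6 records already carry a prefix length in the value field
            nets.append(ipaddress.ip_network(f"{start}/{fields[4]}"))
    # Merge adjacent blocks where alignment allows: fewer objects on the ASA.
    return list(ipaddress.collapse_addresses(nets))


def asa_config(nets: List[Net], group: str, acl: str = "outside_in") -> str:
    """Emit ASA CLI: one network object per prefix, an object-group holding them,
    and a deny ACE inserted at line 1 so it is evaluated before existing permits.
    The ACL name is an assumption; it must already be applied to an interface."""
    lines = []
    for i, net in enumerate(nets, 1):
        lines.append(f"object network {group}_{i}")
        if net.version == 4:
            lines.append(f" subnet {net.network_address} {net.netmask}")
        else:
            lines.append(f" subnet {net.with_prefixlen}")
    lines.append(f"object-group network {group}")
    lines.extend(f" network-object object {group}_{i}" for i in range(1, len(nets) + 1))
    lines.append(f"access-list {acl} line 1 extended deny ip object-group {group} any")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(asa_config(country_cidrs(SAMPLE_DELEGATED, "MY"), "MY_BLOCK"))
```

Object names on the ASA must be unique, so a daily re-run should either generate into a fresh group name or clear the previous objects first. The transcript above yields 154 objects for a single country; three countries, as the original poster plans, multiplies that, which is the capacity concern raised in the post.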

Thanks @Marvin Rhoads for posting this. I was typing and didn't see your input coming in. So we are on the same page.

TJ-20933766
Spotlight

There isn't one. In Firepower you get geolocation database updates periodically to account for all the IP addresses moving around the globe. In ASA there is no such feed. You have to go to an NGFW such as Firepower to get that feature.

Thanks for your response Tyson Joachims. I had a feeling that would be the case.

I have found a website, https://www.countryipblocks.net/acl.php, that allows you to select the countries you require and generate ACLs for each subnet range or create network objects for each subnet range. My only reluctance with this is how reliable and up to date the ranges are.

I am doing it based on 3 countries, so this will be going into the thousands whichever option I choose.

It is possible to manually look up the current geolocation for IP addresses, but the process takes exponentially more time the more countries you are trying to nail down and the more firewalls you are maintaining. Every day you'd have to recheck all those IP addresses because an IP may have moved to an adjacent country and should no longer be blocked. It's more pain than it's worth for many people.

Hi,

See this for example. The idea is not to query per packet but rather to download a CSV database daily, modify its format, then update the ASA object group. From ASA it looks like new config applied using REST, e.g. blocked_loc_object. The script should decide which locations should be updated in the object group based on admin preference. I don't have anything with me now but I remember testing it when REST was introduced in ASA a couple of years back.

With REST and Python on a Linux box you can make ASA do advanced stuff, but FTD made it out of the box.

***** please remember to rate useful posts


https://www.lir.services/blog/ip-geolocation/

Hi Mohammed!

What do you mean by "With REST and Python on a Linux box"?
I have the same task: block some countries.

Hi,

Just a small add-on from my end. You can enable the REST API on ASA, then use an intermediate server with a script (there are many available online) to query an open-source geo feed and update an object group in ASA. This can be scheduled once a day. Not a complex task, and there are Python scripts available online for geo feeds.


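To make the REST approach from the two posts above concrete, here is an added example (not code from the poster or from Cisco) of the piece that runs on the intermediate server: it builds the body for a PUT to the ASA REST API's network object group resource, which replaces the group's whole member list in one call, skips the push when today's feed matches yesterday's, and sends the request over verified TLS. The hostname asa.example.net, the user apiuser, the group name MY_BLOCK and the CIDR lists are constructed assumptions; the kind strings follow the ASA REST API object model, and the User-Agent value is the one the ASA REST agent expects. Credentials should come from an environment variable or vault rather than a literal as in the demo call.

```python
import base64
import json
import ssl
import urllib.request
from typing import Dict, Iterable, List, Optional

API_PATH = "/api/objects/networkobjectgroups"


def build_group_payload(name: str, cidrs: Iterable[str], description: str = "") -> Dict:
    """Body for PUT API_PATH/{name}. A PUT replaces the existing member list,
    so the caller always supplies the complete, current set.
    Member kinds follow the ASA REST API model: IPv4Network / IPv6Network for
    prefixes, IPv4Address / IPv6Address for single hosts."""
    members: List[Dict[str, str]] = []
    for cidr in cidrs:
        addr, _, plen = cidr.partition("/")
        v6 = ":" in addr
        host_len = 128 if v6 else 32
        if not plen or int(plen) == host_len:
            members.append({"kind": "IPv6Address" if v6 else "IPv4Address", "value": addr})
        else:
            members.append({"kind": "IPv6Network" if v6 else "IPv4Network",
                            "value": f"{addr}/{plen}"})
    return {"kind": "object#NetworkObjGroup", "name": name,
            "description": description, "members": members}


def membership_changed(previous: Iterable[str], current: Iterable[str]) -> bool:
    """Daily feeds mostly repeat yesterday's data; only push when the set differs."""
    return set(previous) != set(current)


def push_group(host: str, user: str, password: str, payload: Dict,
               cafile: Optional[str] = None, dry_run: bool = False) -> Dict:
    """PUT the payload to the ASA. With dry_run=True, return the request summary
    without opening a connection (used for offline checks)."""
    url = f"https://{host}{API_PATH}/{payload['name']}"
    if dry_run:
        return {"method": "PUT", "url": url, "members": len(payload["members"])}
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Basic {token}",
        # The ASA REST agent expects this exact User-Agent value.
        "User-Agent": "REST API Agent",
    }
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 method="PUT", headers=headers)
    # Verify the ASA certificate: pass the CA bundle, or the ASA's own cert
    # exported once, instead of disabling verification.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return {"status": resp.status, "url": url}


if __name__ == "__main__":
    # Constructed lists standing in for yesterday's and today's parsed feed.
    yesterday = ["43.228.244.0/22", "43.228.248.0/22"]
    today = ["43.228.244.0/22", "43.228.248.0/22", "202.190.0.0/23", "202.190.2.0/24"]
    if membership_changed(yesterday, today):
        payload = build_group_payload("MY_BLOCK", today, "MY from APNIC delegated file")
        print(push_group("asa.example.net", "apiuser", "secret", payload, dry_run=True))
```

Keep a copy of the last list that was applied so the comparison is against what the ASA actually holds, not merely the previous download; and remember that the ACE referencing the group is configured once, since only the group membership changes from day to day.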

Do you have any instructions for this? Website guides or anything? I'm interested to see more on this topic

Thanks Mohammed al Baqari, that sounds like a good solution. Can you direct me to any websites or guides on this? Seems like there are a few of us that could benefit from this.

Look at my earlier post above; it has the information.

BB
