06-18-2009 12:11 PM - edited 03-11-2019 08:45 AM
I have a customer that wants to restrict inbound access from the internet to their webservers to only North American traffic. They have indicated that they have a list of 40,000 IPs that they want to explicitly allow. They would like this restricted access to be provided by the ASA. The IPs are not contiguous. I can't see how this could possibly be done via access-lists that would not kill the box. Any suggestions?
Thanks in advance.
06-18-2009 04:12 PM
Blocking by country is one of the most inefficient ways to restrict access in your configuration. The device will still have to compare all new incoming connections to this access-list, which will likely affect the performance of the device.
40,000 IPs/network ranges seems excessive for US IPs...perhaps you could allow only ARIN IP ranges?
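The posts above suggest that a flat list of 40,000 addresses is the wrong shape for an ASA ACL and that the list should be collapsed to the registry's prefix allocations. The script below is an added illustration (it is not from this thread, Cisco, or any commercial geo-IP product): it takes a list of addresses or prefixes, merges them with Python's `ipaddress.collapse_addresses`, and emits the matching ASA `object-group network` stanza so that one ACE can reference the whole group instead of one ACE per address. The group name `NA_WEB_CLIENTS` and the sample addresses (drawn from the RFC 5737 documentation ranges) are constructed for the example.

```python
"""Collapse an address allow-list into CIDR prefixes and render an ASA object-group.

Added example for the thread above; not Cisco code. Object-group name and the
sample addresses below are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def collapse_allowlist(entries: Iterable[str]) -> List[Net]:
    """Parse host addresses / prefixes and merge them into the fewest prefixes.

    Blank lines and '#' comments are skipped; duplicates are absorbed by the
    merge. IPv4 and IPv6 are collapsed separately because
    collapse_addresses() refuses mixed families.
    """
    by_version = {4: [], 6: []}
    for raw in entries:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)  # "198.51.100.7" -> /32
        by_version[net.version].append(net)
    collapsed: List[Net] = []
    for version in (4, 6):
        collapsed.extend(ipaddress.collapse_addresses(by_version[version]))
    return collapsed


def to_asa_object_group(name: str, nets: Iterable[Net]) -> List[str]:
    """Render ASA 'object-group network' lines for the given prefixes."""
    lines = [f"object-group network {name}"]
    for net in nets:
        if net.version == 4:
            if net.prefixlen == 32:
                lines.append(f" network-object host {net.network_address}")
            else:
                lines.append(f" network-object {net.network_address} {net.netmask}")
        else:
            # ASA accepts prefix/length notation for IPv6 network objects.
            lines.append(f" network-object {net.with_prefixlen}")
    return lines


def build_sample_allowlist() -> List[str]:
    """Constructed input: 256 consecutive hosts, an 8-host run, one lone host,
    and some duplicates, mimicking a scraped per-address list."""
    entries = [f"198.51.100.{i}" for i in range(256)]          # -> 198.51.100.0/24
    entries += [f"203.0.113.{i}" for i in range(8, 16)]        # -> 203.0.113.8/29
    entries += ["192.0.2.7", "192.0.2.7  # duplicate", "", "# comment line"]
    return entries


if __name__ == "__main__":
    sample = build_sample_allowlist()
    merged = collapse_allowlist(sample)
    print(f"{len(sample)} input entries -> {len(merged)} prefixes")
    print("\n".join(to_asa_object_group("NA_WEB_CLIENTS", merged)))
```

With the group in place, a single ACE such as `access-list OUTSIDE_IN extended permit tcp object-group NA_WEB_CLIENTS any eq 80` references it, so the number of ACEs depends on how well the list collapses rather than on the raw address count; the script's input/output counts give a quick read on whether a given list will collapse well.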
06-25-2009 07:38 PM
It depends on the ASA platform. Every ACE will require memory space. There is also the lookup time required for the ACL checks that, again, will depend on the platform for its speed.
06-25-2009 09:57 PM
Deny based on IP address does not seem to be a good solution, as it will eat all the resources on the ASA; you should find some other way of blocking the traffic.
My suggestion would be to use an external authentication server, restrict the number of connections to the webserver on the ASA to 40,000, and provide a username and password to the users.
06-26-2009 07:56 AM
Explain to your customer how simple it is to spoof a source IP address and weigh that against the complexity and performance effects of a monstrous ACL.