To Block traffic base on country at Cisco ASA 5515-X

journey jane
Level 1

Dear all,

I would like to ask for some help: I want to create a deny policy on a Cisco ASA 5515-X based on country. I think it is a layer 4 firewall, so it is not possible, but I would like to make sure. Can anyone help with it? Thanks much.

9 Replies

You can do this by configuring Firepower with the ASA. Do you have the Firepower module installed in the ASA?

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hello @Kasun Bandara 

I have no Firepower module installed. It is just a layer 4 firewall managed by ASDM. Thanks.

See this site. If you are handy with Python or large text editing operations, you can massage the generated ACLs for direct input into the ASA. I have a script I can dig up, possibly; let me know if you need it.

https://www.countryipblocks.net/acl.php

You can build your own ACLs and import them into the ASA config.

Depending on which ASA you have, performance can be an issue. Before Firepower, I implemented these for a few large countries and my ACL had 10,000 ACEs, which was on a 5525. Just be aware you will want console access in case you overwhelm your ASA. Do not save the config until you test and determine performance.

In that case, it's really hard because you need to find the network blocks assigned to each country and create rules. The recommended way is to use Firepower, or to have a firewall with country list blocking/allow features.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hello @Kasun Bandara 

Can I use a whitelist for those IP addresses on the ASA 5515-X? Might it work? Because I have never done it before. Thank you.

You can create address groups for each country in ASDM which hold the IP address ranges for the respective country, and use them in access lists to allow or deny traffic. But this is very difficult because first you need to find and list the IP address ranges related to the countries (IPv4/IPv6) and create long lists of ranges in groups. Also, these mappings may change dynamically in the future, so doing it manually is not recommended and not easy. If you know the exact IPs to block or allow, you can configure them with access lists.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
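The two approaches above (massaging a generated CIDR list into ASA ACLs, and building network object groups per country) can be combined in a short script. This is an added example, not the script mentioned in the thread or anything from Cisco; the CIDR list, the group name CC_BLOCK and the ACL name OUTSIDE_IN are constructed for illustration. It collapses adjacent and overlapping prefixes first, which directly reduces the number of ACEs the ASA has to expand and search, the performance problem noted above.

```python
import ipaddress

# Constructed sample input, in the one-CIDR-per-line form a country-block
# site exports. These are documentation prefixes, not real allocations.
SAMPLE_BLOCKS = """\
# constructed sample list
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.77/32
2001:db8:1::/48
"""


def parse_blocks(text):
    """Parse CIDR lines (skipping blanks and '#' comments) and collapse
    adjacent or overlapping prefixes per address family. Fewer members
    means fewer expanded ACEs on the ASA."""
    nets = [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    # collapse_addresses only accepts one address family per call
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))


def network_object_line(net):
    """Render one member in ASA object-group syntax: IPv4 uses dotted
    masks (or 'host' for a /32), IPv6 uses prefix notation."""
    if net.version == 4:
        if net.prefixlen == 32:
            return f" network-object host {net.network_address}"
        return f" network-object {net.network_address} {net.netmask}"
    return f" network-object {net.with_prefixlen}"


def build_asa_config(text, group_name, acl_name):
    """Return (config_lines, member_count). The deny ACE must be placed
    ahead of the existing permit entries in the inbound ACL; the script
    deliberately does not emit an access-group line, so nothing is
    applied to an interface until the operator has reviewed it."""
    nets = parse_blocks(text)
    lines = [f"object-group network {group_name}"]
    lines += [network_object_line(n) for n in nets]
    lines.append(f"access-list {acl_name} extended deny ip "
                 f"object-group {group_name} any")
    return lines, len(nets)


if __name__ == "__main__":
    cfg, count = build_asa_config(SAMPLE_BLOCKS, "CC_BLOCK", "OUTSIDE_IN")
    print("\n".join(cfg))
    print(f"! {count} members -> {count} expanded ACEs for this deny line")
```

Feed the output to the ASA via the CLI or the ASDM command tool on a test unit first; the member count printed at the end is the figure to compare against the ACE numbers discussed above before committing to it.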

Hello @Kasun Bandara 

Thanks for your help. Let me try it this way.

Marvin Rhoads
Hall of Fame

You can do this in theory as noted by the other responders in this thread. In practice, however, it is a losing proposition.

It is much less work and much more effective to just get a proper modern firewall running FTD, where this feature is built in and requires only a few clicks to turn on.

Your suggestion is valid. Thanks much, @Marvin Rhoads.
