Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2389
Views
10
Helpful
4
Replies

Want to load IP address ranges into ACL entries or objects.

dallen00111111
Level 1
Level 1

‎10-03-2016 11:23 AM - edited ‎03-12-2019 01:21 AM

I want to know is there an easy way to import or read into an ASA a list of IP addresses?  I can build a list of IP addresses and/or ranges, but since the list would be rather lengthy and to avoid typos, I do not want to have to type it all in by hand. Any and all reasonable suggestions are welcome

Labels:
0 Helpful
4 Replies 4

Karsten Iwen
VIP
VIP

‎10-03-2016 01:58 PM

In what form do you have these entries now? If it's in text-format, it shouldn't be that difficult to build a script (or excel-sheet) that takes the addresses and puts them into an object-group.

dallen00111111
Level 1
Level 1
In response to Karsten Iwen

‎10-03-2016 02:23 PM

I have about half of them in a text file.  I've been pulling them from various sources that match up with the official lists from ARIN so far. 

The ideal way for us to do it would be to take the list of US IP numbers from ARIN, strip out the lines we don't want, then feed that file through a filter to have them totally in a file that is in csv format.  Then that file could either be put through another filter program to build the statements for the object groups to be fed to the ASA or the csv format file could be used in Excel and then put them into an object group.

To make for even more fun, the current ASA is still running 8.2(5), due to memory constraints.  When we get the new ASA, it will be completely up to date, and the object group lines will probably change format at least a little (I think they did from 8.2 to 8.3).

0 Helpful

Karsten Iwen
VIP
VIP
In response to dallen00111111

‎10-03-2016 02:37 PM

You wan't to use this list for permit/deny decisions on your ASA to filter inbound on sources or outbound on destination? Then the object-group will be the same also after the 8-3+ upgrade.

Building the list through a script and pasting it in shouldn't be that hard.

If you don't want to maintain that list on the ASA and have a router in-line, then you could also use Remotely triggered blackhole filtering (RTBH).

And for building the list, services like MaxMind could be of help.

dallen00111111
Level 1
Level 1
In response to Karsten Iwen

‎10-03-2016 02:49 PM

What I want to do is to use the list to deny access to the network from locations outside of the U.S.  After all, they shouldn't have any legitimate interest in our site.  If it causes problems, we could allow certain machines that have been shown to need access to have access.  We would probably not use it to filter the outbound traffic. Most of the traffic going out that would go overseas is probably going to be going to places connected with Akamai or Google.

I look at it as a moat around the castle which is our network.  It's not going to be complete protection, but it will help keep some of the people who probably are just looking for vulnerabilities out.

I don't know that any of these statements would change when the file is modified to run on 8.3+, I'm just trying to be prepared to change the format  or wording of the statements.

I also hadn't thought about MaxMind to help build the list.  I would rather have the list on the ASA if possible, to make it a little simpler.  That way the normal firewall functions are on the firewall.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card