I want to know if there is an easy way to import or read into an ASA a list of IP addresses. I can build a list of IP addresses and/or ranges, but since the list would be rather lengthy and to avoid typos, I do not want to have to type it all in by hand. Any and all reasonable suggestions are welcome.
In what form do you have these entries now? If it's in text format, it shouldn't be that difficult to build a script (or Excel sheet) that takes the addresses and puts them into an object-group.
I have about half of them in a text file. I've been pulling them from various sources that match up with the official lists from ARIN so far.
The ideal way for us to do it would be to take the list of US IP numbers from ARIN, strip out the lines we don't want, then feed that file through a filter to have them totally in a file that is in CSV format. Then that file could either be put through another filter program to build the statements for the object groups to be fed to the ASA, or the CSV file could be used in Excel and then put into an object group.
To make for even more fun, the current ASA is still running 8.2(5), due to memory constraints. When we get the new ASA, it will be completely up to date, and the object group lines will probably change format at least a little (I think they did from 8.2 to 8.3).
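Something along the lines of the "filter program" described in the post above, as an added example (not the poster's script, and not a Cisco or ARIN tool). It reads a plain-text list of hosts, CIDR blocks, address-plus-mask pairs and start-end ranges, reports ambiguous lines (host bits set, reversed ranges, IPv6) instead of silently fixing them, merges duplicate and overlapping blocks, and emits an object-group using only the `network-object` forms that exist on both 8.2 and 8.3+. The group name `US-NETS` and the sample addresses are constructed for the example.

```python
#!/usr/bin/env python3
"""Build an ASA 'object-group network' from a plain-text address list.

Constructed example for this thread, not a Cisco or ARIN tool.  Accepted
line forms (anything else is reported on stderr instead of silently dropped):

    198.51.100.7                    single host
    203.0.113.0/24                  CIDR block
    192.0.2.0 255.255.255.0         address plus dotted mask
    203.0.113.128 - 203.0.113.255   start-end range (also "start,end")

'#' starts a comment.  Output uses only 'network-object <addr> <mask>' and
'network-object host <addr>', which are valid on 8.2 and on 8.3+ alike.
"""
import ipaddress
import sys
from typing import List, Tuple

Net = ipaddress.IPv4Network


def _parse_line(line: str) -> List[Net]:
    """Convert one cleaned line into a list of IPv4 networks (ValueError on junk)."""
    if "-" in line or "," in line:
        sep = "-" if "-" in line else ","
        start, end = (ipaddress.IPv4Address(p.strip()) for p in line.split(sep, 1))
        if start > end:
            raise ValueError("range start is after range end")
        # 8.2 object-groups have no 'range' member, so a range becomes the
        # minimal set of CIDR blocks that covers exactly those addresses.
        return list(ipaddress.summarize_address_range(start, end))
    parts = line.split()
    if len(parts) == 1:              # host or CIDR
        spec = parts[0]
    elif len(parts) == 2:            # "address mask"
        spec = f"{parts[0]}/{parts[1]}"
    else:
        raise ValueError("unrecognised format")
    # strict=True (the default) rejects entries with host bits set, e.g.
    # 192.0.2.5/24, which is exactly the typo class a hand-built list carries.
    return [Net(spec)]


def parse_entries(text: str) -> Tuple[List[Net], List[str]]:
    """Parse the whole list; return (networks, descriptions of rejected lines)."""
    nets: List[Net] = []
    rejected: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.extend(_parse_line(line))
        except ValueError as exc:
            rejected.append(f"line {lineno}: {raw.strip()!r} ({exc})")
    return nets, rejected


def asa_object_group(nets: List[Net], name: str) -> List[str]:
    """Emit the object-group; duplicates and adjacent/contained blocks are merged."""
    lines = [f"object-group network {name}"]
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


# Constructed sample input using RFC 5737 documentation prefixes.
SAMPLE_LIST = """\
# hosts and blocks
198.51.100.7
203.0.113.0/24
192.0.2.0 255.255.255.0
203.0.113.128 - 203.0.113.255   # inside 203.0.113.0/24, gets merged away
192.0.2.0-192.0.3.255            # becomes a single /23
192.0.2.5/24                     # host bits set: reported, not masked
"""


def main(argv: List[str]) -> int:
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LIST
    group = argv[2] if len(argv) > 2 else "US-NETS"
    nets, rejected = parse_entries(text)
    print("\n".join(asa_object_group(nets, group)))
    for msg in rejected:
        print("REJECTED " + msg, file=sys.stderr)
    return 1 if rejected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 build_group.py uslist.txt US-NETS > us-nets.cfg`; the config goes to stdout, rejected lines to stderr, and a non-zero exit tells you the list still needs cleaning before you paste it in. The group is then referenced from the outside-interface ACL, for example `access-list OUTSIDE_IN extended permit ip object-group US-NETS any`, with the ACL's implicit deny doing the blocking and any later exceptions for specific foreign hosts added as their own permit lines. Collapsing overlapping blocks is not just cosmetic: the ASA expands group members into individual ACEs, so a smaller group costs less memory on the 8.2 box.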
You want to use this list for permit/deny decisions on your ASA to filter inbound on sources or outbound on destination? Then the object-group will also be the same after the 8.3+ upgrade.
Building the list through a script and pasting it in shouldn't be that hard.
If you don't want to maintain that list on the ASA and have a router in-line, then you could also use Remotely Triggered Black Hole filtering (RTBH).
And for building the list, services like MaxMind could be of help.
What I want to do is to use the list to deny access to the network from locations outside of the U.S. After all, they shouldn't have any legitimate interest in our site. If it causes problems, we could allow certain machines that have been shown to need access to have access. We would probably not use it to filter the outbound traffic. Most of the traffic going out that would go overseas is probably going to be going to places connected with Akamai or Google.
I look at it as a moat around the castle which is our network. It's not going to be complete protection, but it will help keep some of the people who probably are just looking for vulnerabilities out.
I don't know that any of these statements would change when the file is modified to run on 8.3+, I'm just trying to be prepared to change the format or wording of the statements.
I also hadn't thought about MaxMind to help build the list. I would rather have the list on the ASA if possible, to make it a little simpler. That way the normal firewall functions are on the firewall.