cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4061
Views
5
Helpful
10
Replies

Creating a country ACL

alceryes3
Level 1
Level 1

ASA 5505 Sec Plus 9.0 OS

I want to create a country ACL that allows only US IP's through my firewall for certain ports. The problem is that the most up-to-date US IP list I can find contains 46000 lines! Even though some of these entries can be combined into larger blocks many of them can't because of just a few IP's (relatively) belonging to other countries. Even if I just use the /8 and /16 subnets that's still about 5800 network-object entries for the object-group.

Can I even have an object-group with 5800 entries? Would that slow down my ASA? Is there an easier way to do this?

TIA!

1 Accepted Solution

Accepted Solutions

The short answer is yes, but will you notice, maybe but I don't think it will hinder it too much.  To go through all the lines and find the match will require some CPU headroom.  I would add half of them and check the CPU.  Then add the rest and see what happens.  My guess, you should be fine.

View solution in original post

10 Replies 10

Rick Morris
Level 6
Level 6

Blocking traffic with an ACL on the ASA could become very labor intensive.  One thing I have seen is third party products that can accomplish the same thing.  Here is one after a quick search that I was able to find.

https://www.countryipblocks.net/

Thx.

Yeah, that's actually where I got the 46000 line network-object list from. I don't want to add any more costs to my setup since it's just my home/dev environment. Do you think it would slow down my ASA if I had a 5800 object object-group in my ACL's?

The short answer is yes, but will you notice, maybe but I don't think it will hinder it too much.  To go through all the lines and find the match will require some CPU headroom.  I would add half of them and check the CPU.  Then add the rest and see what happens.  My guess, you should be fine.

Thx Rick,

I was actually 10 minutes into my ASA accepting the 46000 network-objects from a copy-paste when I thought it may be a bit too much  .

I went ahead and entered the 5800 line /8 and /16 objects and will monitor performance.

As a side question. How do I skip a certain section when doing a show run, show access-list, or show object-group? Ideally, I want to skip that object group just created.

Edit - Using about 30MB more memory from the start. No difference in CPU.

I think this will work perfectly as my ASA isn't really doing much most of the time (except for when my FTP site gets intermittently slammed by reverse brute-force attacks from several different countries). I know it's the norm in this day and age but it still bothered me...problem solved  .

Depending on how you have the ACL set up you may have to use a filter.

For instance, when you do a show run and it stops at the first page type a / , yes a forward slash and then the statement.

ASA#sh run

/object xyz  <---this is not a very easy command to use since it just filters and stops at the first instance.

Another option is to do a show access-list | b line 1001  This will drop the show access-list to the specific line to start at and show the rest of the lines afterward as if you were going line by line.

I am not aware of any other way.

Found a good page about filtering show running-config.

http://www.techrepublic.com/article/effectively-filter-cisco-router-command-output/5842782

Using 'show running-config | exclude network-object', filters out the 6k line US-IP object-group perfectly.

I know this is an old post, so I apologize for resurrecting it!

Using 'show running-config | exclude network-object', filters out the 6k line US-IP object-group perfectly.

I know the exclude command worked on ASA's, but on IOS I'm finding that "show run | exclude object-group" only removes the name of the object from the config and not the IP's in the object.  Does anyone know how to hide the object-group from the config, because it is several thousand lines long!

usasigcis
Level 1
Level 1

is this a http policy?

i wonder if you can use regex to create a class-map > policy-map > service-policy to block the geo-location tags ???

that would be so much cleaner approach and less RAM intensive

It's for an FTP ACL. I am only allowing US IP's through to my FTP site. That definitely sounds more efficient. How would I set it up?

I actually made this site up, because I didn't want to pay countryipblocks.net for aggregation https://geoblocks.dalleyfamily.net/

Review Cisco Networking for a $25 gift card