07-04-2013 10:08 AM - edited 03-04-2019 08:22 PM
ASA 5505 Sec Plus 9.0 OS
I want to create a country ACL that allows only US IPs through my firewall for certain ports. The problem is that the most up-to-date US IP list I can find contains 46000 lines! Even though some of these entries can be combined into larger blocks, many of them can't because of just a few IPs (relatively) belonging to other countries. Even if I just use the /8 and /16 subnets, that's still about 5800 network-object entries for the object-group.
Can I even have an object-group with 5800 entries? Would that slow down my ASA? Is there an easier way to do this?
TIA!
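The aggregation problem described above, as an added example that is not from the thread: a small Python script that collapses a CIDR list into the minimal covering prefixes (merging contiguous neighbours and dropping contained entries) and renders the result as ASA object-group network-object lines. The prefix list and the object-group name are constructed samples, not data from the poster's setup.

```python
import ipaddress

# Constructed sample: a few prefixes the way a country-list vendor might
# publish them, with contiguous neighbours and nested entries that can merge.
SAMPLE_PREFIXES = """
3.0.0.0/9
3.128.0.0/9
4.0.0.0/8
8.8.8.0/24
8.8.9.0/24
8.8.8.0/25
198.51.100.0/24
198.51.100.0/25
"""


def parse_prefixes(text):
    """Parse one CIDR per line, skipping blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def aggregate(nets):
    """Return the smallest set of prefixes covering exactly the same addresses."""
    return list(ipaddress.collapse_addresses(nets))


def to_network_object(net):
    """Render one prefix as an ASA 'network-object' line (host form for /32)."""
    if net.prefixlen == net.max_prefixlen:
        return f" network-object host {net.network_address}"
    return f" network-object {net.network_address} {net.netmask}"


def build_object_group(name, nets):
    """Emit the object-group block with one line per aggregated prefix."""
    lines = [f"object-group network {name}"]
    lines += [to_network_object(n) for n in aggregate(nets)]
    return "\n".join(lines)


def covers(nets, address):
    """Check whether an address falls inside any prefix of the list."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    prefixes = parse_prefixes(SAMPLE_PREFIXES)
    print(f"{len(prefixes)} input prefixes -> {len(aggregate(prefixes))} after aggregation")
    print(build_object_group("US-IPS", prefixes))  # 'US-IPS' is a sample name
```

Aggregation only ever returns an equivalent address set, so a very large input that still produces thousands of lines simply means the list has that many non-mergeable gaps.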
07-04-2013 10:51 AM
Blocking traffic with an ACL on the ASA could become very labor intensive. One thing I have seen is third party products that can accomplish the same thing. Here is one after a quick search that I was able to find.
07-04-2013 11:02 AM
Thx.
Yeah, that's actually where I got the 46000 line network-object list from. I don't want to add any more costs to my setup since it's just my home/dev environment. Do you think it would slow down my ASA if I had a 5800 object object-group in my ACLs?
07-04-2013 11:09 AM
The short answer is yes, but will you notice, maybe but I don't think it will hinder it too much. To go through all the lines and find the match will require some CPU headroom. I would add half of them and check the CPU. Then add the rest and see what happens. My guess, you should be fine.
07-04-2013 11:46 AM
Thx Rick,
I was actually 10 minutes into my ASA accepting the 46000 network-objects from a copy-paste when I thought it may be a bit too much.
I went ahead and entered the 5800 line /8 and /16 objects and will monitor performance.
As a side question. How do I skip a certain section when doing a show run, show access-list, or show object-group? Ideally, I want to skip that object group just created.
Edit - Using about 30MB more memory from the start. No difference in CPU.
I think this will work perfectly as my ASA isn't really doing much most of the time (except for when my FTP site gets intermittently slammed by reverse brute-force attacks from several different countries). I know it's the norm in this day and age but it still bothered me... problem solved.
07-04-2013 09:14 PM
Depending on how you have the ACL set up you may have to use a filter.
For instance, when you do a show run and it stops at the first page, type a /, yes a forward slash, and then the statement.
ASA#sh run
/object xyz <---this is not a very easy command to use since it just filters and stops at the first instance.
Another option is to do a show access-list | b line 1001. This will drop the show access-list to the specific line to start at and show the rest of the lines afterward as if you were going line by line.
I am not aware of any other way.
07-07-2013 09:19 AM
Found a good page about filtering show running-config.
http://www.techrepublic.com/article/effectively-filter-cisco-router-command-output/5842782
Using 'show running-config | exclude network-object', filters out the 6k line US-IP object-group perfectly.
04-18-2017 09:27 PM
I know this is an old post, so I apologize for resurrecting it!
Using 'show running-config | exclude network-object', filters out the 6k line US-IP object-group perfectly.
I know the exclude command worked on ASAs, but on IOS I'm finding that "show run | exclude object-group" only removes the name of the object from the config and not the IPs in the object. Does anyone know how to hide the object-group from the config, because it is several thousand lines long!
07-07-2013 12:10 PM
Is this an HTTP policy?
I wonder if you can use regex to create a class-map > policy-map > service-policy to block the geo-location tags???
That would be a so much cleaner approach and less RAM intensive.
07-07-2013 01:14 PM
It's for an FTP ACL. I am only allowing US IPs through to my FTP site. That definitely sounds more efficient. How would I set it up?
05-21-2020 05:53 PM - edited 05-21-2020 05:55 PM
I actually made this site up, because I didn't want to pay countryipblocks.net for aggregation https://geoblocks.dalleyfamily.net/