Blocking out Countries with ACL

dialtelusa
Level 1

I have been getting attacked from Amsterdam and Australia... I want to create an access-list but have a basic question, as the Cisco docs don't completely make sense to me...

First off, it says that all access-lists must end with a deny statement... The reason that confuses me is that I want to allow ALL traffic to pass through except huge IP ranges...

So I would literally just issue multiple deny statements such as:

deny XXX.XXX
deny XXX.XXX
deny XXX.XXX
deny XXX.XXX
deny XXX.XXX
deny XXX.XXX
permit all
deny all

I know I am not using correct syntax, but my point is that if I issue multiple deny statements followed by a permit all statement, it would block out all these IP address blocks and then permit the rest of the traffic in... If I end with a deny statement, I figure that because the list is processed in order, the deny statement really makes no sense, because the previous permit all statement would allow all traffic to pass.

The fact that there is a permit all statement makes me wonder why a deny statement has to end the ACL. Doesn't the permit statement in effect rule out the possibility that the deny statement could ever be parsed?

The only other concern I have is that I so far have 32 entire IP blocks from Amsterdam and Australia. I could use IPdeny.com to get a fuller list, but would it be better and simpler to just block out the entire range, such as XXX.0.0.0, rather than having 300 entries for all the subnets within that range?

I suppose one might say they could belong to another country, but the ARIN whois conflicted with the information on ipdeny.com, because every IP address I entered showed ownership as the entire IP range and not a more filtered subnet of a range. So I was thinking that would be easier..


11 Replies

Hello Erik,

Your concept about the ACL is correct: since there is a permit all statement, there is no point in having a deny all statement at the bottom of the ACL.

Coming back to your scenario, do you have some servers in your network which need to be accessed by users from the internet? If yes, then you can go ahead and configure a zone-based firewall on your router (it depends on which IOS you are running).

If you have an ASA in the perimeter you do not need to worry; only permit the communication towards that server.

If you don't have any server as above, then you have to use a zone-based firewall so that it makes sure that only inside to outside communication is allowed. Please find the below link for more information about zone-based security on Cisco routers.

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html

Hope this helps

Regards

Please rate all helpful posts!

I have a Cisco 7200 in a data center. I do SIP termination, so our internal servers communicate out to carriers. I want to block entire IP ranges such as 250.0.0.0 0.0.0.255. I have 32 so far in total that are attacking me from hundreds of addresses that fall under the 32 main blocks. Rather than adding individual addresses I want to instead add the whole range, because they seem to all belong to the same country. We just have a router with 28 usable IPs connected to a switch and then servers. I am not sure which IOS version, but I was hoping the ACL I outlined would block all incoming attempts regardless of protocol.

Hi Erick,

7200 is a CEF router. So if you increase the number of access-list entries to 300, it will put more load on the CPU. So it will be good to block in ranges. But please make sure that you are not blocking legitimate traffic.

Yes, you are correct. CEF is language I am more familiar with hearing now. So this is good information from you. Does this mean you are saying what I was thinking... that it would be better to block out, say, 255.0.0.0 0.0.0.255 rather than blocking out 50 entries within that block? It is not an issue for me to block that way, to be honest. I eventually will get a VPN router and then make all my servers internal. But for now I want to use an ACL to quickly address the issue. I should not go above 100 entries and I will monitor the CPU. Please let me know if, in your professional opinion, you agree?

Yes, Erik. It is not a good idea to put a 1000-line ACL on the interface, especially on a CEF router.

Blocking in ranges will be better till you implement an alternate security solution.

rajs2 wrote:

Hi Erick,

7200 is a CEF router. So if you increase the number of access-list entries to 300, it will put more load on the CPU. So it will be good to block in ranges. But please make sure that you are not blocking legitimate traffic.

Hi,

Could you elaborate on that? Where does the 300 come from? As far as I know there is no load increase on the CPU as long as you actually do CEF switching.

Regards

Pille

Raju Sekharan
Cisco Employee

You don't need to put the deny all statement at the end. Anyway, ACLs will have an implicit deny at the end.

You have to decide which range you want to block. You may be able to club multiple subnets together.

There are multiple ways to harden your router

Check the below link

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

kcnajaf
Level 7

HI Scanlan,

For all ACLs there is a deny all at the end of all rules. This is called an Implicit Deny. This means you don't have to type in deny any any at the end, and by default everything will be denied other than what is specified above that statement.

Also, it doesn't make any sense to put a deny all below a permit all, because with permit all you are effectively allowing all traffic.

As you have mentioned above, the permit all in your statement will deny all the traffic which you have listed above the permit all and permit all other traffic.

I'm not sure if the 32 IP blocks you're referring to are continuous network ranges? If you block the entire network, please be aware you will not have accessibility to any other website which comes under that network.

Another option you could try is NBAR if your router supports that.

Regards

Najaf
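The ordering rule these replies describe (top-down, first match wins, implicit deny when nothing matches) can be checked mechanically. The following Python is an added example written for this thread, not code from the original posters or from Cisco; it models only the source-address part of an IOS extended ACL, and the sample entries and test addresses are constructed RFC 5737 documentation values rather than the real blocks discussed above.

```python
"""First-match evaluation of a simplified Cisco-style IPv4 access list.

Added example, not from the thread. It models the ordering rule the
replies describe: entries are checked top to bottom, the first match
wins, and an unmatched packet hits the implicit deny. Sample ACL
contents and test addresses are constructed (RFC 5737 documentation
ranges), not addresses from the original post.
"""
import ipaddress
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF

# One access-control entry: (action, matched source network).
Entry = Tuple[str, ipaddress.IPv4Network]


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an IOS wildcard mask (inverted netmask, e.g. 0.0.0.255) to a prefix length.

    Done by hand rather than via ipaddress' hostmask parsing so that the
    ambiguous masks 0.0.0.0 (a single host) and 255.255.255.255 (any)
    are interpreted the way IOS does.
    """
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    ones = bin(netmask).count("1")
    if netmask != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"non-contiguous wildcard not supported: {wildcard}")
    return ones


def parse_ace(line: str) -> Entry:
    """Parse '<permit|deny> ip <src> <wildcard> any' or '<permit|deny> ip any any'.

    Only the source-address part of an extended ACE is modelled; ports
    and destinations are out of scope for this example.
    """
    parts = line.split()
    action, proto = parts[0], parts[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    if parts[2] == "any":
        return action, ipaddress.IPv4Network("0.0.0.0/0")
    prefixlen = wildcard_to_prefixlen(parts[3])
    # strict=False zeroes host bits, mirroring how IOS masks the address
    return action, ipaddress.IPv4Network((parts[2], prefixlen), strict=False)


def evaluate(acl: List[Entry], src: str) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first entry matching src.

    If nothing matches, return ('deny', None): the implicit deny that
    every IOS ACL ends with, which is why no typed 'deny any' is needed.
    """
    ip = ipaddress.IPv4Address(src)
    for index, (action, net) in enumerate(acl):
        if ip in net:
            return action, index
    return "deny", None


def unreachable_entries(acl: List[Entry]) -> List[int]:
    """Indices of entries that a single earlier entry already covers completely.

    A 'permit ip any any' shadows everything after it, so a trailing
    'deny ip any any' is reported here. (Coverage by the union of several
    earlier entries is not detected; this is a first-order check.)
    """
    return [
        i for i, (_, net) in enumerate(acl)
        if any(net.subnet_of(prev) for _, prev in acl[:i])
    ]


# Constructed ACL in the shape the original poster sketched:
# several denies, a permit-all, then the trailing deny-all in question.
SAMPLE_ACL = [parse_ace(line) for line in (
    "deny ip 203.0.113.0 0.0.0.255 any",
    "deny ip 198.51.100.0 0.0.0.255 any",
    "permit ip any any",
    "deny ip any any",
)]

# Same list without the permit-all, to show the implicit deny in action.
DENY_ONLY_ACL = SAMPLE_ACL[:2]


if __name__ == "__main__":
    for src in ("203.0.113.7", "192.0.2.1"):
        print(src, evaluate(SAMPLE_ACL, src), evaluate(DENY_ONLY_ACL, src))
    print("shadowed entries:", unreachable_entries(SAMPLE_ACL))
```

Running it shows a source inside a denied block stopping at entry 0, any other source being accepted by the permit-all at entry 2, and the trailing deny reported as shadowed; with the permit-all removed, the same "other" source falls through to the implicit deny, which is what kcnajaf's reply describes.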

Actually, it is coincidence that I have compiled 32 so far. These are 32 IP addresses for which I have decided to block out the whole range, based on ownership being from a country I want to permanently block. So it would be such as 250.0.0.0 0.0.0.255, and I have 32 of those. My concern is that too many deny statements before a permit statement will put a large load on the router. My list could be hundreds or thousands long if I were to use lists from denyip.com. So I figured just putting the full range from that country would be less load. Also, I am assuming that if, let's say, 201.x.x.x is Amsterdam, then blocking 201.0.0.0 would affect Amsterdam only. In other words, I assume that no two countries share the same beginning 3 digits... I could be wrong, I suppose, but that is my assumption of how IP addressing would have been provisioned...

Hi Erik,

I'm not sure about whether two countries share the same beginning 3 digits :-(

Out of curiosity, what sort of attack are you seeing from these IPs? Can this not be blocked by ports rather than IPs?

Regards

Najaf
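The two concerns raised in this exchange, keeping the ACL short by blocking in ranges while not sweeping in legitimate traffic such as the SIP carriers, can be handled together: widen each observed block only as far as it does not cover an address that must stay reachable, then collapse the result and render it in IOS syntax. The Python below is an added example written for this thread, not code from the posters or from Cisco. All ranges and peer addresses in it are constructed RFC 5737 documentation values, the interface name in the rendered config is a placeholder, and the `target_prefix` parameter is an assumption standing in for the "/8 per country" idea discussed above.

```python
"""Summarise blocked source ranges without sweeping in legitimate peers.

Added example, not from the thread. It does what the replies suggest:
fold many small denies into a few wider ones to keep the ACL short, but
check each wider block against the addresses that must stay reachable
(for the original poster, the SIP carriers). All ranges and peer
addresses below are constructed RFC 5737 documentation values; the
interface name in the rendered config is a placeholder.
"""
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def collapse(ranges: Iterable[str]) -> List[Net]:
    """Merge adjacent or overlapping ranges into the fewest equivalent networks."""
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    return list(ipaddress.collapse_addresses(nets))


def safe_supernets(ranges: Iterable[str], keep_reachable: Iterable[str],
                   target_prefix: int = 16) -> List[Net]:
    """Widen each range to /target_prefix unless that would cover a kept peer.

    A range whose widened form contains a peer is left at its original
    size; the result is then collapsed. Widening past what the observed
    attacks justify is exactly the 'blocking legitimate traffic' risk the
    replies warn about, so the check is the point of this function.
    """
    peers = [ipaddress.ip_address(a) for a in keep_reachable]
    chosen: List[Net] = []
    for r in ranges:
        net = ipaddress.ip_network(r, strict=False)
        wide = net.supernet(new_prefix=target_prefix) if net.prefixlen > target_prefix else net
        chosen.append(net if any(p in wide for p in peers) else wide)
    return list(ipaddress.collapse_addresses(chosen))


def blocked_peers(nets: Iterable[Net], keep_reachable: Iterable[str]) -> List[str]:
    """Peers the final deny list would still match; should be empty before deployment."""
    nets = list(nets)
    return [a for a in keep_reachable
            if any(ipaddress.ip_address(a) in n for n in nets)]


def to_ios(nets: Iterable[Net], name: str = "BLOCK-RANGES",
           interface: str = "GigabitEthernet0/0") -> str:
    """Render a named extended ACL: one deny per range, then permit-all.

    The implicit deny at the end of every IOS ACL never fires here
    because 'permit ip any any' matches first. The interface name is a
    placeholder to be replaced with the real outside interface.
    """
    lines = [f"ip access-list extended {name}"]
    for n in nets:
        # IOS wants address + wildcard (inverted) mask, i.e. the hostmask
        lines.append(f" deny ip {n.network_address} {n.hostmask} any")
    lines.append(" permit ip any any")
    lines += [f"interface {interface}", f" ip access-group {name} in"]
    return "\n".join(lines)


# Constructed inputs: three observed attacker /24s and two carrier peers.
ATTACKER_RANGES = ["203.0.113.0/24", "203.0.112.0/24", "198.51.100.0/24"]
CARRIER_PEERS = ["198.51.77.9", "192.0.2.10"]


if __name__ == "__main__":
    nets = safe_supernets(ATTACKER_RANGES, CARRIER_PEERS)
    print(to_ios(nets))
    print("peers caught:", blocked_peers(nets, CARRIER_PEERS))
```

With the constructed inputs, the two 203.0.x.0/24 blocks become a single 203.0.0.0/16 deny, while 198.51.100.0/24 stays narrow because a carrier lives elsewhere in 198.51.0.0/16; `blocked_peers` is the check to run before applying the list, since a peer inside one of the observed /24s would still be denied and must be handled by a more specific permit placed above the deny.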

That is a great idea. I am not sure, but I will see if there is a trend. If they can just change ports then I will have to do it by IP.
