Cisco ASA Block Countries by IP Block
IP blocks are assigned to. I'm assuming that these haven't changed much,
but I'm not positive. I would assume that these wouldn't get reassigned too
often. These commands are for my PIX. I'm not familiar with the ASA. The
object-group is really convenient for grouping IPs that you want to treat as
one.
Here we put the object-groups to use by denying them. You can see that for
most of these I block everything except smtp. We don't host anything onsite
that anyone outside the US needs access to, but we'd still like to receive
their email. APNIC is a different story; I have no reason for any connections
from there, including smtp. Blocking smtp connections from APNIC drastically
reduces spam.
These are good to block too. When I first blocked the private address spaces
from inbound traffic I figured I would not see any hits on these rules. I was
wrong as I'll show you later on.
access-list incoming remark -BR: Private address space may not appear as source addresses
access-list incoming deny ip 172.16.0.0 255.240.0.0 any
access-list incoming deny ip 10.0.0.0 255.0.0.0 any
access-list incoming deny ip 192.168.0.0 255.255.0.0 any
And of course, unless you have a reason for accepting inbound snmp
requests, it's better to block it.
And the fun part: look at some of the hit counts on these rules. The hit
counts that follow are only for 41 days' worth of traffic. Remember, for LACNIC
and RIPE we're blocking everything EXCEPT smtp. We offer no services that
anyone would need to connect to other than smtp. Then why all the failed
connections? Exactly, the internet is a very bad place. (The following rules
are the same as the ones above, only in a different view to show hit counts.
Don't re-enter these.)
LACNIC
access-list incoming line 17 deny tcp 200.0.0.0 255.0.0.0 any neq smtp (hitcnt=499)
RIPE
access-list incoming line 19 deny tcp 212.0.0.0 255.0.0.0 any neq smtp (hitcnt=784)
access-list incoming line 19 deny tcp 213.0.0.0 255.0.0.0 any neq smtp (hitcnt=1115)
access-list incoming line 19 deny tcp 217.0.0.0 255.0.0.0 any neq smtp (hitcnt=770)
access-list incoming line 19 deny tcp 62.0.0.0 255.0.0.0 any neq smtp (hitcnt=391)
access-list incoming line 19 deny tcp 81.0.0.0 255.0.0.0 any neq smtp (hitcnt=458)
And as far as APNIC goes, we're not accepting any connections. Look at the
hit counts!
APNIC
access-list incoming line 21 deny ip 61.0.0.0 255.0.0.0 any (hitcnt=39459)
access-list incoming line 21 deny ip 165.133.0.0 255.255.0.0 any (hitcnt=0)
access-list incoming line 21 deny ip 202.0.0.0 255.0.0.0 any (hitcnt=36346)
access-list incoming line 21 deny ip 203.0.0.0 255.0.0.0 any (hitcnt=29488)
access-list incoming line 21 deny ip 210.0.0.0 255.0.0.0 any (hitcnt=19703)
access-list incoming line 21 deny ip 211.0.0.0 255.0.0.0 any (hitcnt=30886)
access-list incoming line 21 deny ip 218.0.0.0 255.0.0.0 any (hitcnt=42285)
access-list incoming line 21 deny ip 219.0.0.0 255.0.0.0 any (hitcnt=19564)
access-list incoming line 21 deny ip 220.0.0.0 255.0.0.0 any (hitcnt=24886)
access-list incoming line 21 deny ip 221.0.0.0 255.0.0.0 any (hitcnt=30955)
access-list incoming line 21 deny ip 222.0.0.0 255.0.0.0 any (hitcnt=66319)
access-list incoming line 21 deny ip 223.0.0.0 255.0.0.0 any (hitcnt=0)
access-list incoming line 21 deny ip 58.0.0.0 255.0.0.0 any (hitcnt=95526)
access-list incoming line 21 deny ip 59.0.0.0 255.0.0.0 any (hitcnt=58371)
access-list incoming line 21 deny ip 60.0.0.0 255.0.0.0 any (hitcnt=27172)
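Reviewing those hit counts by hand gets tedious once the object-groups grow. The following script is an added example, not part of the original post: it parses lines in the same `show access-list` format shown above (mask notation plus the `(hitcnt=N)` counter), totals hits per registry, flags blocks that never matched so they can be re-checked against current registry assignments, and finds which rule a given source address would hit. The sample output and the block-to-registry mapping are constructed for the example.

```python
import re
from ipaddress import IPv4Network, IPv4Address

# Constructed sample of `show access-list` output in the format used in the post.
SAMPLE = """\
access-list incoming line 19 deny tcp 212.0.0.0 255.0.0.0 any neq smtp (hitcnt=784)
access-list incoming line 21 deny ip 61.0.0.0 255.0.0.0 any (hitcnt=39459)
access-list incoming line 21 deny ip 223.0.0.0 255.0.0.0 any (hitcnt=0)
access-list incoming deny ip 10.0.0.0 255.0.0.0 any (hitcnt=12)
"""

# Assumed mapping of each blocked range to the registry it was taken from.
REGISTRY = {"212.0.0.0/8": "RIPE", "61.0.0.0/8": "APNIC",
            "223.0.0.0/8": "APNIC", "10.0.0.0/8": "private"}

# One ACE per line: optional "line N", action, protocol, source net + mask,
# destination, optional port operator, and the hit counter.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+)(?: line (?P<line>\d+))? (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<mask>\d+\.\d+\.\d+\.\d+) "
    r"(?P<dst>\S+)(?: (?P<port>(?:neq|eq) \S+))? \(hitcnt=(?P<hits>\d+)\)")

def parse_aces(text):
    """Parse ACE lines with hit counts into dicts; lines that don't match are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        # ipaddress accepts "addr/netmask", so the PIX mask form converts directly.
        d["network"] = IPv4Network(f"{d['src']}/{d['mask']}")
        d["hits"] = int(d["hits"])
        aces.append(d)
    return aces

def hits_per_registry(aces):
    """Sum hit counts per registry label; unmapped blocks land under 'unknown'."""
    totals = {}
    for a in aces:
        reg = REGISTRY.get(str(a["network"]), "unknown")
        totals[reg] = totals.get(reg, 0) + a["hits"]
    return totals

def zero_hit_blocks(aces):
    """Blocks that never matched: worth re-checking against current assignments."""
    return [str(a["network"]) for a in aces if a["hits"] == 0]

def matching_ace(aces, src_ip):
    """First ACE whose source block covers src_ip (first-match order, like the firewall)."""
    ip = IPv4Address(src_ip)
    return next((a for a in aces if ip in a["network"]), None)
```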
Here are the hit counts for the private address spaces. Not too shabby.