Restricting Inbound Access on ASA5540

Jun 18th, 2009

I have a customer that wants to restrict inbound access from the internet to their webservers to only North American traffic. They have indicated that they have a list of 40,000 IPs that they want to explicitly allow. They would like this restricted access to be provided by the ASA. The IPs are not contiguous. I can't see how this could possibly be done via access-lists that would not kill the box. Any suggestions?

Thanks in advance.

Patrick0711 Thu, 06/18/2009 - 16:12

Blocking by country is one of the most inefficient ways to restrict access to your configuration. The device will still have to compare all new incoming connections to this access-list, which will likely affect the performance of the device.

40,000 IPs/network ranges seems excessive for US IPs...perhaps you could allow only ARIN IP ranges?
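One practical way to shrink a list like the one in the question before it ever reaches the ASA is to collapse adjacent or overlapping entries into the smallest set of CIDR blocks and emit them as a single network object-group, so the ACL needs one ACE referencing the group rather than tens of thousands of host entries. The script below is an added example and not code from this thread or from Cisco; the input addresses are constructed documentation ranges, and the object-group output uses standard ASA `object-group network` / `network-object` syntax.

```python
import ipaddress

# Constructed sample input (documentation ranges), mixing hosts, /25s and an
# already-aggregated /24 so the collapse step has something to merge.
SAMPLE_ALLOW_LIST = [
    "198.51.100.0/24",
    "198.51.100.128/25",   # fully contained in the /24 above
    "203.0.113.0", "203.0.113.1", "203.0.113.2", "203.0.113.3",  # four hosts -> one /30
    "192.0.2.0/25", "192.0.2.128/25",                            # two /25s -> one /24
]


def summarize(addresses):
    """Collapse a list of IPs / prefixes into the minimal list of CIDR blocks.

    Bare addresses are treated as /32 hosts; overlapping and adjacent blocks
    are merged by ipaddress.collapse_addresses, which returns them sorted.
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]
    return list(ipaddress.collapse_addresses(nets))


def to_object_group(name, networks):
    """Render summarized blocks as ASA object-group config lines."""
    lines = [f"object-group network {name}"]
    for net in networks:
        if net.prefixlen == net.max_prefixlen:
            lines.append(f" network-object host {net.network_address}")
        else:
            # ASA takes a dotted netmask, not prefix length, on network-object
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def ace_savings(addresses):
    """Return (original_entry_count, summarized_block_count)."""
    return len(addresses), len(summarize(addresses))


if __name__ == "__main__":
    blocks = summarize(SAMPLE_ALLOW_LIST)
    before, after = ace_savings(SAMPLE_ALLOW_LIST)
    print(f"# {before} input entries collapsed to {after} blocks")
    print("\n".join(to_object_group("NA_WEB_ALLOW", blocks)))
    # The resulting group is then referenced by a single ACE, e.g.
    # access-list OUTSIDE_IN permit tcp object-group NA_WEB_ALLOW host <web-vip> eq 443
```

On a real allow list the savings depend entirely on how fragmented the source data is; run `ace_savings` on the customer's file first, since if 40,000 entries only collapse to 30,000 blocks the performance concern raised above still applies. Feed the output through `show access-list` element counts on a test unit before committing it to production.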

plumbis Thu, 06/25/2009 - 19:38

It depends on the ASA platform. Every ACE will require memory space. There is also the lookup time required for the ACL checks that again, will depend on the platform for their speed.

svaish Thu, 06/25/2009 - 21:57

Deny based on IP address does not seem to be a good solution, as it will eat all the resources on the ASA; you should find some other way of blocking the traffic.

My suggestion would be to use an external authentication server, restrict the number of connections to the webserver on the ASA to 40,000, and provide a username and password to the users.

kcaskey Fri, 06/26/2009 - 07:56

Explain to your customer how simple it is to spoof a source IP address and weigh that against the complexity and performance effects of a monstrous ACL.
