Filtering by country code
10-15-2009 06:22 AM - edited 03-11-2019 09:26 AM
I have been tasked with configuring ACLs to block a number of countries from accessing a particular site.
Is there a way in the ASA to filter by country code?
If not, I am planning on creating a network object group for these IP addresses. This object group will contain a large number of IP ranges; is there a maximum number of entries one network object group can contain?
Or has anyone had experience doing this and has a better way to implement this type of config?
Labels: NGFW Firewalls
10-15-2009 06:43 AM
Online you can find country-code ranges of IP addresses. Then you can block them with an ACL. Searching online for "block ip address by country" will give you sites that provide the IP addresses.
Then, as you said, you can use object groups in ACLs to block.
There is no limitation on object group sizes. The only limitation depends on the firewall specs and has to do with the maximum ACL size.
Hope it helps.
PK
10-15-2009 06:54 AM
What is the maximum ACL size for an ASA 5540?
10-15-2009 07:50 AM
There is no hard limit for the ASA. It depends on how many ACEs (Access Control Entries) and how much memory the box has. ACEs are calculated like this if you are using object groups; let's say you have object groups for source hosts and destination hosts on a single ACL:
access-list TEST perm ip object-group SOURCE object-group DESTINATION
source = 10 hosts
destination = 10 hosts
then the ACE count will be
10 x 10 = 100 ACEs
To find out how many ACEs you have, you can use the command
show access-list xxxx | i element
HTH,
jerry
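The source x destination expansion jerry describes is what makes a large country-block object group expensive on the ASA. The following added example (not from this thread or from Cisco) expands an ACL line that references object groups into the individual ACEs the firewall installs, so the count can be checked before the config is pushed; the object-group contents, the ACL names and the sample "show access-list" output are all constructed for the example.

```python
import re
from itertools import product

# Constructed object groups (not from the post): each host or subnet member
# becomes its own element once the ASA expands the object-group reference.
OBJECT_GROUPS = {
    "SOURCE": [f"host 192.0.2.{i}" for i in range(1, 11)],          # 10 hosts
    "DESTINATION": [f"host 198.51.100.{i}" for i in range(1, 11)],  # 10 hosts
    "BLOCKED_COUNTRY": ["203.0.113.0 255.255.255.0", "192.0.2.128 255.255.255.128"],
}

# Matches 'access-list NAME [extended] permit|perm|deny PROTO SRC DST', where
# SRC/DST is 'object-group NAME', 'host A.B.C.D', 'any' or 'NET MASK'.
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?P<action>permit|perm|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>object-group\s+\S+|host\s+\S+|any|\S+\s+\S+)\s+"
    r"(?P<dst>object-group\s+\S+|host\s+\S+|any|\S+\s+\S+)$"
)

def members(field, groups):
    """Return the concrete members a source or destination field expands to."""
    if field.startswith("object-group "):
        name = field.split()[1]
        if name not in groups:
            raise KeyError(f"undefined object-group {name}")
        return groups[name]
    return [field]  # 'any', 'host x.x.x.x' or 'net mask' is already one element

def expand(acl_line, groups=OBJECT_GROUPS):
    """Expand one ACL line into the ACEs the ASA installs (source x destination)."""
    m = ACL_RE.match(acl_line.strip())
    if not m:
        raise ValueError(f"unrecognised ACL syntax: {acl_line!r}")
    srcs, dsts = members(m["src"], groups), members(m["dst"], groups)
    return [f"access-list {m['name']} {m['action']} {m['proto']} {s} {d}"
            for s, d in product(srcs, dsts)]

def ace_count(acl_line, groups=OBJECT_GROUPS):
    return len(expand(acl_line, groups))

# Constructed sample of the summary line 'show access-list X | i element' prints;
# the exact line format is an assumption, so adjust the regex to your platform.
SAMPLE_SHOW_OUTPUT = "access-list TEST; 100 elements; name hash: 0x00000000\n"
SHOW_ELEMENTS_RE = re.compile(r"access-list (\S+); (\d+) elements")

def parse_show_access_list(output):
    """Map ACL name -> installed element count from 'show access-list' output."""
    return {name: int(count) for name, count in SHOW_ELEMENTS_RE.findall(output)}
```

Compare ace_count() of the planned lines against parse_show_access_list() after deployment to confirm the box installed what you expected.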
