Creating a country ACL

Answered Question
Jul 4th, 2013

ASA 5505 Sec Plus 9.0 OS

I want to create a country ACL that allows only US IPs through my firewall for certain ports. The problem is that the most up-to-date US IP list I can find contains 46000 lines! Even though some of these entries can be combined into larger blocks, many of them can't because of just a few IPs (relatively) belonging to other countries. Even if I just use the /8 and /16 subnets, that's still about 5800 network-object entries for the object-group.


Can I even have an object-group with 5800 entries? Would that slow down my ASA? Is there an easier way to do this?


TIA!
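The question above is really a prefix-aggregation problem: a per-country feed lists many blocks that are adjacent to, duplicate, or already contained in other blocks, and every one of those becomes a separate network-object line on the ASA. The script below is an added example (not code from this thread or from Cisco) that reads a CIDR-per-line feed, collapses it with the standard library's ipaddress.collapse_addresses(), and renders an ASA object-group plus one ACE that permits FTP control connections only from that group. The feed contents, the group name US-IPS and the ACL name OUTSIDE_IN are constructed placeholders; the IPv6 prefix-notation form of network-object is assumed to be accepted by the ASA release in use.

```python
import ipaddress

# Constructed sample feed, standing in for the per-country CIDR list the thread
# describes (documentation prefixes, not a real country allocation). It
# deliberately contains a comment line, a blank line, a duplicate, two adjacent
# /25s, a /26 already covered by its /24, and an entry with host bits set.
SAMPLE_FEED = """\
# constructed sample, not a real feed
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26

192.0.2.0/24
192.0.2.0/24
203.0.113.7/24
"""


def parse_feed(text):
    """Return the usable network objects from a CIDR-per-line feed.

    Blank lines and '#' comments are skipped; host bits below the mask are
    cleared (strict=False) so an entry such as 203.0.113.7/24 does not abort
    the whole run.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse_prefixes(nets):
    """Merge adjacent blocks and drop blocks already covered by a larger one.

    collapse_addresses() only accepts one address family at a time, so IPv4
    and IPv6 are collapsed separately and returned as one IPv4-first list.
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return sorted(ipaddress.collapse_addresses(v4)) + sorted(ipaddress.collapse_addresses(v6))


def asa_object_group(name, nets):
    """Render an ASA 'object-group network' block for the given networks.

    IPv4 entries use the 'address mask' form; a single host becomes a 'host'
    entry. IPv6 entries use prefix notation (assumed accepted on ASA 9.x).
    """
    lines = [f"object-group network {name}"]
    for n in nets:
        if n.prefixlen == n.max_prefixlen:
            lines.append(f" network-object host {n.network_address}")
        elif n.version == 4:
            lines.append(f" network-object {n.network_address} {n.netmask}")
        else:
            lines.append(f" network-object {n.with_prefixlen}")
    return lines


def asa_ftp_allow_acl(acl_name, group_name):
    """One ACE permitting FTP control connections only from the object-group.

    Anything not matched is dropped by the ACL's implicit deny, so no explicit
    deny line is needed. Both names are placeholders.
    """
    return [f"access-list {acl_name} extended permit tcp object-group {group_name} any eq ftp"]


def build_config(feed_text, group_name="US-IPS", acl_name="OUTSIDE_IN"):
    """Parse, collapse and render; returns (config_lines, entries_in, entries_out)."""
    parsed = parse_feed(feed_text)
    collapsed = collapse_prefixes(parsed)
    lines = asa_object_group(group_name, collapsed) + asa_ftp_allow_acl(acl_name, group_name)
    return lines, len(parsed), len(collapsed)


if __name__ == "__main__":
    config, before, after = build_config(SAMPLE_FEED)
    print("\n".join(config))
    print(f"! {before} feed entries collapsed to {after} network-object lines")
```

Run it against the real feed by passing the file contents to build_config(); the before/after counts tell you how much of the 46000-line list is redundant before anything is pasted into the ASA, and the rendered block can be reviewed offline instead of watching the console accept lines for ten minutes.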

Overall Rating: 5 (1 ratings)
Rick Morris Thu, 07/04/2013 - 10:51

Blocking traffic with an ACL on the ASA could become very labor intensive. One thing I have seen is third party products that can accomplish the same thing. Here is one after a quick search that I was able to find.

https://www.countryipblocks.net/

alceryes3 Thu, 07/04/2013 - 11:02

Thx.

Yeah, that's actually where I got the 46000-line network-object list from. I don't want to add any more costs to my setup since it's just my home/dev environment. Do you think it would slow down my ASA if I had a 5800-object object-group in my ACLs?

Correct Answer
Rick Morris Thu, 07/04/2013 - 11:09

The short answer is yes, but will you notice? Maybe, but I don't think it will hinder it too much. To go through all the lines and find the match will require some CPU headroom. I would add half of them and check the CPU. Then add the rest and see what happens. My guess: you should be fine.

alceryes3 Thu, 07/04/2013 - 11:46

Thx Rick,

I was actually 10 minutes into my ASA accepting the 46000 network-objects from a copy-paste when I thought it may be a bit too much.

I went ahead and entered the 5800 line /8 and /16 objects and will monitor performance.


As a side question. How do I skip a certain section when doing a show run, show access-list, or show object-group? Ideally, I want to skip that object group just created.



Edit - Using about 30MB more memory from the start. No difference in CPU.

I think this will work perfectly as my ASA isn't really doing much most of the time (except for when my FTP site gets intermittently slammed by reverse brute-force attacks from several different countries). I know it's the norm in this day and age but it still bothered me... problem solved.

Rick Morris Thu, 07/04/2013 - 21:14

Depending on how you have the ACL set up you may have to use a filter.

For instance, when you do a show run and it stops at the first page, type a /, yes, a forward slash, and then the statement.

ASA#sh run
/object xyz   <--- this is not a very easy command to use since it just filters and stops at the first instance.

Another option is to do a show access-list | b line 1001. This will drop the show access-list to the specific line to start at and show the rest of the lines afterward as if you were going line by line.

I am not aware of any other way.

bascheew Tue, 04/18/2017 - 21:27

I know this is an old post, so I apologize for resurrecting it!

Using 'show running-config | exclude network-object' filters out the 6k-line US-IP object-group perfectly.

I know the exclude command worked on ASAs, but on IOS I'm finding that "show run | exclude object-group" only removes the name of the object from the config and not the IPs in the object. Does anyone know how to hide the object-group from the config, because it is several thousand lines long!

usasigcis Sun, 07/07/2013 - 12:10

Is this an HTTP policy?

I wonder if you can use regex to create a class-map > policy-map > service-policy to block the geo-location tags???

That would be a much cleaner approach and less RAM intensive.

alceryes3 Sun, 07/07/2013 - 13:14

It's for an FTP ACL. I am only allowing US IPs through to my FTP site. That definitely sounds more efficient. How would I set it up?
