ASA 5505: Blocking IP Using Access Lists Not Functioning

as1610001
Level 1

Hello everyone,

As this is my first post on this forum, I apologize if it is in the wrong section.  Here goes:

I am attempting to block country-specific IP ranges using network objects and access lists.  I found a website which automatically creates network-objects which contain country specific IP addresses. After I create the network objects, I then use an access list to block those IP addresses specified in the network object. 

My problem is the access-lists don't actually seem to be working.  I tested this by trying to block a single, known IP address. I created a network object which contains the single address and then created an ACL to deny traffic to/from that network object.  Although everything seems to be set up correctly in the ASA, it still allows traffic to/from the "blocked" address.  I assume there is something I have missed as far as the configuration is concerned.  I can attach my entire config if needed, but here is an example of what I am trying to do:

1.  Create the Network Object:

object-group network IPRANGE1
     network-object 111.111.111.111 255.255.255.255

(note: this is not the exact IP I am trying to block; it's just an example)

2.  Create the ACL:

access-list IPRANGE1_BLOCK extended deny ip object-group IPRANGE1 any

Using the Cisco ASDM web interface, I can see my commands successfully created a network object group which contains the IP address I want to block.  I can also see the ACL, which tells me my CLI commands were accepted by the ASA.  It seems there is something else I need to do in order to get this to work successfully.  Using the ASDM monitoring feature, I can see the firewall is allowing traffic to/from the IP address I am trying to block.  I would like to point out our firewall is configured with a single, public IP address on the outside interface.   If someone could take a look at this and offer any suggestions, I would appreciate it.  I know it's something I have (or have not) done correctly on my end; I just cannot figure out what it is! Thank you for your time!

Aaron.

Jouni Forss
VIP Alumni

Hi,

Your above mentioned ACL seems to indicate that its purpose is to block connection attempts incoming from the source addresses you specify in the "object-group network IPRANGE1" ?

If this ACL is attached to the WAN interface of the ASA in the direction "in" then it should work.

You also said you want to block your users from connecting to these same networks. For this you would need to add the block statements to the ACL attached to your LAN interface in the direction "in". Naturally in this case you would have to change the "object-group network IPRANGE1" as the destination of the ACL.

I would imagine that your problem is either that

  • You have not attached the ACLs to the interfaces
  • You have the source/destination networks in the wrong order considering the direction of the attached interface ACL

You can view the shorter form of the configured ACLs with the command

show run access-list

You can view which ACLs are attached to ASA interfaces with the command

show run access-group

I would imagine there is some misconfiguration that we might find with the above command outputs

- Jouni
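A complete version of what the reply above describes, as an added example that is not from the thread, from Cisco documentation, or from the poster's actual config. The interface names `outside`/`inside`, the ACL names `OUTSIDE_IN`/`INSIDE_IN`, the blocked range `111.111.0.0/16` and the public address `203.0.113.10` are placeholders; the point is that the same object-group sits on the source side of the ACL bound inbound on the outside interface and on the destination side of the ACL bound inbound on the inside interface, and that neither ACL does anything until `access-group` binds it:

```cisco
! Added example (placeholders, not the poster's config).
! 1. The blocked addresses, as an object-group. "host" and mask forms both work.
object-group network IPRANGE1
 network-object host 111.111.111.111
 network-object 111.111.0.0 255.255.0.0
!
! 2a. ACL for traffic arriving on the outside interface:
!     the blocked range is the SOURCE, so it must come first in each entry.
!     Put the deny lines before any permit lines you already have (e.g. for
!     port-forwarded services); the ASA ends every ACL with an implicit deny.
access-list OUTSIDE_IN extended deny ip object-group IPRANGE1 any
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
!
! 2b. ACL for traffic leaving the LAN through the inside interface:
!     here the blocked range is the DESTINATION.  Because binding an inbound
!     ACL to the inside interface removes the default "higher to lower
!     security level is allowed" behaviour, an explicit permit is needed
!     after the deny, or the LAN loses all outbound access.
access-list INSIDE_IN extended deny ip any object-group IPRANGE1
access-list INSIDE_IN extended permit ip any any
!
! 3. Bind the ACLs.  One ACL per interface per direction: this replaces any
!    ACL already bound there, so if an ACL is already applied, add the deny
!    lines to THAT ACL instead of creating a new one.
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
!
! 4. Verify the binding and watch the hit counters climb on the deny lines.
show run access-group
show access-list OUTSIDE_IN
show access-list INSIDE_IN
!
! 5. Simulate a packet from the blocked range to the public address without
!    waiting for real traffic; the output should end with "Action: drop".
packet-tracer input outside tcp 111.111.111.111 12345 203.0.113.10 443
```

Two things to check after applying this. First, adding or changing ACL entries does not, depending on the ASA version, tear down connections that were already established; if the "blocked" host still shows up in the ASDM connection monitor, clear its existing connections (`clear conn address 111.111.111.111`) and then confirm no new ones appear. Second, the `hitcnt` values in `show access-list` are the quickest way to tell whether the ACL is actually being evaluated: a deny line that never increments while traffic from that address is visible almost always means the ACL is not bound, or is bound on an interface or in a direction where the source/destination order in the entry does not match the traffic.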

Thank you very much for the response!  I have a feeling you are correct; I have not attached these ACLs to any interface.  I definitely did not perform anything like this during my initial configuration, so I assume it is the problem. I will look into how this is done and will report back.
