Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Filtering by country code

I have been tasked with configuring acl's to block a number of countries from accessing a particular site.

Is there a way in the asa to filter by country code?

If not, I am planning on creating a network object group for these ip addresses. This object group will contain a large number of ip ranges, is there a max number of entries one network object group can contain?

Or has anyone had experience doing this and have a better way to implement this type of config?

Cisco Employee

Re: Filtering by country code

On line you can find country code range of ip addresses. Then you can block them with a ACL. Looking up online for "block ip address by country" will give you site that provide the ip addresses.

Then as you said you can use object groups in ACLs to block.

There is no limitation for the object group sizes. The only limitation depends on the firewall specs and has to do with the maximum ACL sizes.

Hope it helps.


New Member

Re: Filtering by country code

What is the maximum acl size for an asa5540?

Cisco Employee

Re: Filtering by country code

There is no hard limit for the ASA. It depend on how much ACE (Access Control Entry) and memory on the box. ACE are calculated like this if you are using object group, let's say you have object group for source hosts, and destination hosts on a single ACL

access-list TEST perm ip object-group SOURCE object-group DESTINATION

source = 10 hosts

destination = 10 hosts

then the ACE will be

10 x 10 = 100 ACE

To find out how many ACE you have, you can use the command

show access-list xxxx | i element



CreatePlease to create content