Cisco Support Community
New Member

Restricting Inbound Access on ASA5540

I have a customer that wants to restrict inbound access from the internet to their webservers to only North American traffic. They have indicated that they have a list of 40,000 IPs that they want to explicitly allow. They would like this restricted access to be provided by the ASA. The IPs are not contiguous. I can't see how this could possibly be done via access-lists that would not kill the box. Any suggestions?

Thanks in advance.

4 REPLIES
Bronze

Re: Restricting Inbound Access on ASA5540

Blocking by country is one of the most inefficient ways to restrict access to your configuration. The device will still have to compare all new incoming connections to this access-list, which will likely affect the performance of the device.

40,000 IPs/network ranges seems excessive for US IPs...perhaps you could allow only ARIN IP ranges?

https://www.arin.net/knowledge/ip_blocks.html
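
The aggregation step suggested above (allowing registry-sized ranges instead of a raw list of host addresses) can be checked before anything touches the ASA. The following script is an added example and is not from this thread or from Cisco; it uses only Python's standard `ipaddress` module to collapse a constructed allow-list into the minimal set of CIDR blocks, reports how many ACEs that would cost, and emits an ASA `object-group network` with a single `access-list` entry referencing it. The object-group name `NA_ALLOW`, the ACL name `OUTSIDE_IN`, the web server address `203.0.113.10` and the interface name `outside` are placeholders chosen for the example.

```python
import ipaddress

# Constructed sample allow-list, deliberately messy: adjacent blocks,
# a host already covered by a block, and a supernet of another entry.
SAMPLE_ALLOW_LIST = [
    "192.0.2.0/25",
    "192.0.2.128/25",      # adjacent to the previous entry -> 192.0.2.0/24
    "192.0.2.10",          # already inside 192.0.2.0/24 -> dropped
    "198.51.100.0/24",
    "198.51.100.0/23",     # supernet of the previous entry -> swallows it
    "198.51.102.64/26",
    "198.51.102.0/26",     # adjacent to the previous entry -> 198.51.102.0/25
    "198.51.103.200",      # isolated host -> stays a /32
]


def parse_entries(entries):
    """Turn raw strings (hosts or prefixes, blank/comment lines allowed) into networks."""
    nets = []
    for raw in entries:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        # strict=False accepts prefixes with host bits set (e.g. 192.0.2.10/24)
        nets.append(ipaddress.ip_network(raw, strict=False))
    return nets


def aggregate(entries):
    """Minimal list of CIDR blocks covering exactly the addresses in `entries`.

    collapse_addresses() merges adjacent blocks and removes entries that are
    subnets of others; it never widens the set, so the result is an exact
    summary, not an approximation. IPv4 and IPv6 are collapsed separately
    because the module refuses to mix versions.
    """
    nets = parse_entries(entries)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def ace_count(entries):
    """Number of network-object lines (and thus ACE expansions) after aggregation."""
    return len(aggregate(entries))


def covered(entries, address):
    """True if `address` is still permitted by the aggregated list (sanity check)."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in aggregate(entries))


def to_asa_config(entries, group="NA_ALLOW", acl="OUTSIDE_IN",
                  server="203.0.113.10", port=443, interface="outside"):
    """Render an ASA object-group plus one permit ACE and an explicit logged deny.

    Names and addresses are example placeholders (hypothetical), not values
    from the thread.
    """
    lines = [f"object-group network {group}"]
    for net in aggregate(entries):
        if net.version == 4:
            if net.prefixlen == 32:
                lines.append(f" network-object host {net.network_address}")
            else:
                lines.append(f" network-object {net.network_address} {net.netmask}")
        else:
            lines.append(f" network-object {net}")
    lines.append(
        f"access-list {acl} extended permit tcp object-group {group} host {server} eq {port}"
    )
    lines.append(f"access-list {acl} extended deny ip any any log")
    lines.append(f"access-group {acl} in interface {interface}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(f"{len(SAMPLE_ALLOW_LIST)} raw entries -> {ace_count(SAMPLE_ALLOW_LIST)} network-objects")
    print(to_asa_config(SAMPLE_ALLOW_LIST))
```

Running this against a real 40,000-entry list gives the honest ACE count the ASA would actually carry, and `covered()` lets you spot-check addresses that must stay reachable (or must not) before the object-group is pushed.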

Silver

Re: Restricting Inbound Access on ASA5540

It depends on the ASA platform. Every ACE will require memory space. There is also the lookup time required for the ACL checks that again, will depend on the platform for their speed.

New Member

Re: Restricting Inbound Access on ASA5540

Deny based on IP address does not seem to be a good solution, as it will eat all the resources on the ASA; you should find some other way of blocking the traffic.

My suggestion would be to use an external authentication server, restrict the number of connections to the webserver on the ASA to 40,000, and provide a username and password to the users.

New Member

Re: Restricting Inbound Access on ASA5540

Explain to your customer how simple it is to spoof a source IP address and weigh that against the complexity and performance effects of a monstrous ACL.
