non-North America subnets?

Cooky

Golden Member
Apr 2, 2002
1,408
0
76
We've been tasked to block all incoming access requests that originate from non-North American IPs.
So we have a list of all subnets from all the RIRs, except ARIN.
Issue is the list contains hundreds, if not thousands of entries.
A lot of them can be summarized, but it would require manual work.

Does anyone know of a good & easy way to achieve this?

TIA
 
Feb 25, 2011
16,907
1,551
126
Do you have a whitelist option? If you can block everything but these lists here:

http://www.nirsoft.net/countryip/

Then you can copy/paste and/or download the CSVs.

I'm assuming you'd want US, Mexico, Canada, Haiti, Virgin Islands, etc. So a couple files.

You're asking for proxy abuse though.
 

Cooky

Golden Member
Apr 2, 2002
1,408
0
76
Thanks for the reply, but I don't think a whitelist option is available on ASA.
Compiling a list that contains thousands of entries and dumping them onto ACLs is just too much overhead.

To clarify, we need to block access from non-N. America to our web servers, not block our end users from accessing websites.
 

John Connor

Lifer
Nov 30, 2012
22,757
617
121
A DD-WRT flashed router capable of Optware can achieve this. I am still, however, trying to figure out how to use Asia block in Optware.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
For ASA I would use object groups and network objects for this, then link the object into the ACLs in question. From there, update the object where it is needed. Once the object is referenced you can update it as needed and it will update all ACLs it is referenced in.
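The two practical problems raised in this thread are the size of the RIR lists (Cooky's post: many entries could be summarized, but by hand) and how to load the result into ASA without touching every ACL (imagoon's suggestion of a network object group). The script below is an added example, not code from any poster or from Cisco: it collapses a list of CIDR prefixes into the minimal covering set with Python's standard `ipaddress` module and renders that set as an ASA `object-group network` plus a single deny ACE that references it. The sample prefixes are constructed from documentation ranges, the group name `NON_NA_BLOCK` and ACL name `OUTSIDE_IN` are placeholders, and the ASA line syntax is written from memory of the `object-group network` / `network-object` / `access-list ... extended` forms, so check it against the version of ASA in use.

```python
import ipaddress

# Constructed sample of what an RIR delegation list looks like after conversion to CIDR:
# adjacent halves, prefixes already covered by a larger one, and mixed address families.
SAMPLE_PREFIXES = [
    "203.0.113.0/25",
    "203.0.113.128/25",     # adjacent to the entry above -> merges into 203.0.113.0/24
    "198.51.100.0/24",
    "198.51.100.0/26",      # already inside the /24 above -> dropped
    "2001:db8::/33",
    "2001:db8:8000::/33",   # adjacent -> merges into 2001:db8::/32
]


def summarize(prefixes):
    """Collapse CIDR strings into the minimal covering set, returned as (ipv4_list, ipv6_list).

    collapse_addresses() only accepts one address family at a time, so split first.
    strict=False tolerates entries with host bits set, which RIR dumps sometimes contain.
    """
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in prefixes if p.strip()]
    v4 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6


def is_blocked(ip, networks):
    """True if the address falls inside any network of the summarized list (for spot checks)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks if n.version == addr.version)


def to_asa_object_group(name, networks):
    """Render the summarized networks as ASA object-group configuration lines (assumed syntax)."""
    lines = [f"object-group network {name}"]
    for n in networks:
        if n.version == 4:
            if n.prefixlen == 32:
                lines.append(f" network-object host {n.network_address}")
            else:
                # ASA expresses IPv4 members as network + dotted mask
                lines.append(f" network-object {n.network_address} {n.netmask}")
        else:
            # IPv6 members use prefix-length notation
            lines.append(f" network-object {n.with_prefixlen}")
    return lines


def to_asa_deny_ace(acl_name, group_name):
    """One ACE that denies the whole group; the ACL's permit lines for the web servers follow it."""
    return f"access-list {acl_name} extended deny ip object-group {group_name} any"


if __name__ == "__main__":
    v4, v6 = summarize(SAMPLE_PREFIXES)
    print(f"# {len(SAMPLE_PREFIXES)} input prefixes -> {len(v4) + len(v6)} after summarization")
    print("\n".join(to_asa_object_group("NON_NA_BLOCK", v4 + v6)))
    print(to_asa_deny_ace("OUTSIDE_IN", "NON_NA_BLOCK"))
```

Because the ACL references the group by name, refreshing the block list later means regenerating and replacing the object-group members only; the ACE itself never changes, which is the maintenance property imagoon describes. Run `summarize` on the real RIR download and compare input and output counts before loading anything, and use `is_blocked` to spot-check a few known addresses on both sides of the boundary.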
 

lif_andi

Member
Apr 15, 2013
173
0
0
Not sure, but wouldn't it be easier to just allow North-American subnets and deny the rest with the implicit deny?

Think Jack's method is easiest though, and most sensible actually. Have your ISP block them for you.