
non-North America subnets?

Cooky

Golden Member
We've been tasked to block all incoming access requests that originate from non-North American IP's.
So we have a list of all subnets from all the RIR's, except ARIN.
Issue is the list contains hundreds, if not thousands of entries.
A lot of them can be summarized, but it would require manual work.

Does anyone know of a good & easy way to achieve this?

TIA
 
Do you have a whitelist option? If you can block everything but these lists here:

http://www.nirsoft.net/countryip/

Then you can copy/paste and/or download the CSVs.

I'm assuming you'd want US, Mexico, Canada, Haiti, Virgin Islands, etc. So a couple files.

You're asking for proxy abuse though.
 
Thanks for the reply, but I don't think a whitelist option is available on ASA.
Compiling a list that contains thousands of entries and dumping them onto ACL's is just too much overhead.

To clarify, we need to block access from non-N. America to our web servers, not blocking our end users from accessing websites.
 
A DD-WRT flashed router capable of Optware can achieve this. I am still, however, trying to figure out how to use Asia block in Optware.
 
For ASA I would use object groups and network objects for this then link the object in to the ACL's in question. From there update the object where it is needed. Once the object is referenced you can update it as needed and it will update all ACL's it is referenced in.
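An added example, not part of any post in this thread: the summarization the original question calls manual work can be scripted with Python's standard `ipaddress` module, and the merged prefixes rendered as the object-group entries suggested above. The group name `NON-NA-NETS` and the sample prefixes (documentation and benchmark ranges, not real RIR data) are assumptions.

```python
import ipaddress

# Constructed sample input: documentation/benchmark ranges, not real RIR allocations.
SAMPLE_CIDRS = """
# comments and blank lines are skipped
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
192.0.2.0/25
192.0.2.128/26
192.0.2.192/26
198.18.0.0/16
198.19.0.0/16
192.0.2.77
"""

def parse_cidrs(text):
    """Return IPv4 networks from one-per-line text, skipping blanks and comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates entries with host bits set, e.g. 10.1.2.3/8
        nets.append(ipaddress.ip_network(line, strict=False))
    # collapse_addresses() rejects mixed IP versions, so keep IPv4 only here
    return [n for n in nets if n.version == 4]

def summarize(nets):
    """Merge adjacent and overlapping prefixes into the smallest equivalent list."""
    return list(ipaddress.collapse_addresses(nets))

def asa_object_group(name, nets):
    """Render networks as ASA object-group lines (address plus dotted netmask)."""
    lines = [f"object-group network {name}"]  # name is a hypothetical placeholder
    for n in nets:
        if n.prefixlen == 32:
            lines.append(f" network-object host {n.network_address}")
        else:
            lines.append(f" network-object {n.network_address} {n.netmask}")
    return "\n".join(lines)

if __name__ == "__main__":
    merged = summarize(parse_cidrs(SAMPLE_CIDRS))
    print(asa_object_group("NON-NA-NETS", merged))
```

On the sample, ten input entries collapse to four. Regenerating the group from a fresh RIR export updates every ACL that references it.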
 
Not sure, but wouldn't it be easier to just allow North-American subnets and deny rest with the implicit deny ?

Think Jack's method is easiest though, and most sensible actually. Have your ISP block them for you.
 