Friday, July 24, 2009

Cisco PIX/ASA Restrict Foreign & RFC1918 IP Ranges

object-group network APNIC
network-object 43.0.0.0 255.0.0.0
network-object 58.0.0.0 254.0.0.0
network-object 60.0.0.0 254.0.0.0
network-object 114.0.0.0 254.0.0.0
network-object 116.0.0.0 252.0.0.0
network-object 120.0.0.0 252.0.0.0
network-object 124.0.0.0 254.0.0.0
network-object 126.0.0.0 255.0.0.0
network-object 169.208.0.0 255.240.0.0
network-object 202.0.0.0 254.0.0.0
network-object 210.0.0.0 254.0.0.0
network-object 218.0.0.0 254.0.0.0
network-object 220.0.0.0 254.0.0.0
network-object 222.0.0.0 254.0.0.0

object-group network AFRINIC
network-object 41.0.0.0 255.0.0.0
network-object 196.0.0.0 255.0.0.0
network-object 168.142.0.0 255.255.0.0

object-group network LACNIC
network-object 189.0.0.0 255.0.0.0
network-object 190.0.0.0 255.0.0.0
network-object 200.0.0.0 254.0.0.0

object-group network RIPE
network-object 81.0.0.0 255.0.0.0
network-object 91.0.0.0 255.0.0.0

object-group network RFC_1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 224.0.0.0 240.0.0.0
network-object 240.0.0.0 240.0.0.0

object-group network DISALLOWED_IP
group-object APNIC
group-object LACNIC
group-object AFRINIC
group-object RFC_1918
group-object RIPE


access-list OAI remark OAI stands for Outside Access In
access-list OAI line 1 remark DENY ALL FOREIGN IP RANGES
access-list OAI line 2 extended deny ip object-group DISALLOWED_IP any
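As an added example (not part of the original post), the Python below parses the object-group definitions above into CIDR networks, resolves the nested group-object references the way the ASA does, and answers the two questions worth asking before the OAI ACL goes live: would a given source address be denied, and does each group contain only what its name says? The configuration string is copied from the post; the parser, the check functions and the sample addresses are constructed here. One thing it surfaces is that the RFC_1918 group also carries 224.0.0.0/4 (multicast) and 240.0.0.0/4 (reserved), which are not RFC 1918 space; dropping them is sensible, but the group name is misleading.

```python
import ipaddress
from typing import Dict, List

Net = ipaddress.IPv4Network

# Object-group definitions copied from the post (blank lines dropped).
ASA_CONFIG = """\
object-group network APNIC
network-object 43.0.0.0 255.0.0.0
network-object 58.0.0.0 254.0.0.0
network-object 60.0.0.0 254.0.0.0
network-object 114.0.0.0 254.0.0.0
network-object 116.0.0.0 252.0.0.0
network-object 120.0.0.0 252.0.0.0
network-object 124.0.0.0 254.0.0.0
network-object 126.0.0.0 255.0.0.0
network-object 169.208.0.0 255.240.0.0
network-object 202.0.0.0 254.0.0.0
network-object 210.0.0.0 254.0.0.0
network-object 218.0.0.0 254.0.0.0
network-object 220.0.0.0 254.0.0.0
network-object 222.0.0.0 254.0.0.0
object-group network AFRINIC
network-object 41.0.0.0 255.0.0.0
network-object 196.0.0.0 255.0.0.0
network-object 168.142.0.0 255.255.0.0
object-group network LACNIC
network-object 189.0.0.0 255.0.0.0
network-object 190.0.0.0 255.0.0.0
network-object 200.0.0.0 254.0.0.0
object-group network RIPE
network-object 81.0.0.0 255.0.0.0
network-object 91.0.0.0 255.0.0.0
object-group network RFC_1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 224.0.0.0 240.0.0.0
network-object 240.0.0.0 240.0.0.0
object-group network DISALLOWED_IP
group-object APNIC
group-object LACNIC
group-object AFRINIC
group-object RFC_1918
group-object RIPE
"""

# The three ranges RFC 1918 actually reserves for private use.
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]


def parse_object_groups(config: str) -> Dict[str, List[Net]]:
    """Return {group name: flat list of networks}, with group-object references resolved."""
    raw: Dict[str, list] = {}
    current = None
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "object-group" and parts[1] == "network":
            current = parts[2]
            raw[current] = []
        elif current and parts[:1] == ["network-object"]:
            # "network-object host A.B.C.D" or "network-object A.B.C.D MASK"
            spec = parts[2] if parts[1] == "host" else f"{parts[1]}/{parts[2]}"
            raw[current].append(ipaddress.ip_network(spec))  # strict: a mask with host bits set raises
        elif current and parts[:1] == ["group-object"]:
            raw[current].append(parts[1])  # nested group name, resolved below

    def resolve(name: str, seen: frozenset) -> List[Net]:
        if name in seen:
            raise ValueError(f"circular group-object reference at {name}")
        nets: List[Net] = []
        for item in raw[name]:
            nets += resolve(item, seen | {name}) if isinstance(item, str) else [item]
        return nets

    return {name: resolve(name, frozenset()) for name in raw}


GROUPS = parse_object_groups(ASA_CONFIG)


def matching_groups(addr: str, groups: Dict[str, List[Net]] = GROUPS) -> List[str]:
    """Names of every group whose resolved contents contain addr."""
    ip = ipaddress.ip_address(addr)
    return sorted(name for name, nets in groups.items() if any(ip in n for n in nets))


def is_denied(addr: str, groups: Dict[str, List[Net]] = GROUPS) -> bool:
    """True if the OAI deny line (source object-group DISALLOWED_IP, destination any) matches."""
    return "DISALLOWED_IP" in matching_groups(addr, groups)


def non_rfc1918_entries(groups: Dict[str, List[Net]] = GROUPS) -> List[str]:
    """Entries of the RFC_1918 group that RFC 1918 does not define (multicast, reserved)."""
    return [str(n) for n in groups["RFC_1918"] if not any(n.subnet_of(p) for p in RFC1918)]


if __name__ == "__main__":
    # Sample addresses are constructed for illustration (203.0.113.0/24 is documentation space).
    for a in ("10.1.2.3", "203.0.113.5", "8.8.8.8", "172.32.0.1"):
        print(f"{a:15} denied={is_denied(a)} groups={matching_groups(a)}")
    print("entries in RFC_1918 that are not RFC 1918:", non_rfc1918_entries())
```

Because `ipaddress.ip_network` is called in strict mode, a typo in a mask that leaves host bits set (say `169.209.0.0 255.240.0.0`) fails at parse time rather than silently becoming a different range, which is a cheap check to run over any regenerated list before pasting it into the firewall.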

1 comment:

  1. Your methodology is great! Thank you for this! However, your subnets are out of date. I'm in the process of writing a ksh script that will pull from countryipblock.com by region and spit out what you have here. I'll let you know how it goes. If you already have something like this, please let me know.

    Thanks again!