How to block a country's IP range with a Cisco ASA?

If a gigantic network object group is more to your liking than a gigantic ACL, then I guess that'd be the other option. It's the same level of ugly in the command line and in execution, but it'd make it prettier in ASDM, I suppose.

Be very careful of blanket blocks of countries; I've seen it cause some interesting issues. ("Why can't I get to Windows Update?" "Oh, you're hitting an Indonesian server, and someone blocked all of Asia")


I've created a script where all you have to do is choose an authority and it'll give you the configuration to drop into the ASA. It's incredibly accurate.

regional-asa

You can block or allow a specific region if you want. I'll be updating it soon to do specific countries but now it does authorities like ARIN, RIPE, APNIC, etc.
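An added example, not the regional-asa script and not code from either answer: it builds the network object group discussed above from RIR delegation statistics, merging adjacent ranges to keep the group small and carving out an exempt prefix so a needed service is not caught by a blanket block. The sample records, the country codes `ZZ`/`XX`, the group name `BLOCKED-ZZ` and the ACL name `OUTSIDE_IN` are all constructed placeholders.

```python
import ipaddress

# Constructed sample in the RIR "delegated" statistics layout
# (registry|cc|type|start|count|date|status); documentation prefixes, made-up codes.
SAMPLE = """\
2|example|20240101|5|19830101|20240101|+0000
example|*|ipv4|*|4|summary
example|ZZ|ipv4|192.0.2.0|128|20200101|allocated
example|ZZ|ipv4|192.0.2.128|128|20200101|allocated
example|ZZ|ipv4|198.51.100.0|192|20200101|assigned
example|XX|ipv4|203.0.113.0|256|20200101|allocated
example|ZZ|ipv6|2001:db8::|32|20200101|allocated
"""

def country_networks(stats_text, cc):
    """IPv4 records for one country code, as the fewest possible CIDR blocks."""
    nets = []
    for line in stats_text.splitlines():
        f = line.strip().split("|")
        if line.startswith("#") or len(f) < 7 or f[2] != "ipv4" or f[1] != cc:
            continue
        first = ipaddress.IPv4Address(f[3])
        last = first + int(f[4]) - 1  # count is a host count, not always a power of two
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))

def carve_out(nets, exempt):
    """Remove exempt prefixes (strings) so required services stay reachable."""
    for e in map(ipaddress.IPv4Network, exempt):
        kept = []
        for n in nets:
            if e.subnet_of(n):
                kept.extend(n.address_exclude(e))  # split n around the exemption
            elif not n.subnet_of(e):
                kept.append(n)                     # disjoint: keep unchanged
        nets = kept
    return list(ipaddress.collapse_addresses(nets))

def asa_object_group(name, nets):
    """Render the ASA object-group; /32s use the 'host' form."""
    lines = [f"object-group network {name}"]
    for n in nets:
        lines.append(f" network-object host {n.network_address}" if n.prefixlen == 32
                     else f" network-object {n.network_address} {n.netmask}")
    return "\n".join(lines)

if __name__ == "__main__":
    nets = carve_out(country_networks(SAMPLE, "ZZ"), ["198.51.100.64/26"])
    print(asa_object_group("BLOCKED-ZZ", nets))
    # OUTSIDE_IN is a placeholder ACL name
    print("access-list OUTSIDE_IN extended deny ip object-group BLOCKED-ZZ any")
```

Because the ASA evaluates ACL entries top down, a `permit` entry placed above the `deny` is an alternative to carving the prefix out of the group.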