According to Official Letter No. 1024/CATTT-VNCERT on scanning for, handling and removing the malware of a targeted cyber attack campaign in which more than 400,000 foreign IPs attacked Vietnam, today I will show you how to create a policy that blocks the whole IP list on a Cisco ASA 5525-X firewall (other firewalls such as FortiGate, Sophos, ... use different commands).
I have put together an Excel sheet listing the IPs that need to be blocked: download here
Method 1: Run the commands on the Cisco ASA console
Create the IP objects
---------------------------------------------------------
--CREATED BY IT SHARE NVP-Viettechgroup.vn
--DATE: 2019-10-31
--Guide to creating the CC IP block list per Official Letter 1024/ATTT-VNCERT
--Category: Lab Cisco ASA
---------------------------------------------------------
Commands to create the IP objects:
conf t
object network OBJ-CC-58.158.177.102
host 58.158.177.102
description OBJ-CC-58.158.177.102
object network OBJ-CC-156.230.21.30
host 156.230.21.30
description OBJ-CC-156.230.21.30
object network OBJ-CC-50.63.202.70
host 50.63.202.70
description OBJ-CC-50.63.202.70
object network OBJ-CC-50.63.202.79
host 50.63.202.79
description OBJ-CC-50.63.202.79
object network OBJ-CC-45.32.50.150
host 45.32.50.150
description OBJ-CC-45.32.50.150
object network OBJ-CC-167.88.180.15
host 167.88.180.15
description OBJ-CC-167.88.180.15
object network OBJ-CC-167.88.178.24
host 167.88.178.24
description OBJ-CC-167.88.178.24
object network OBJ-CC-43.254.217.67
host 43.254.217.67
description OBJ-CC-43.254.217.67
object network OBJ-CC-154.221.24.47
host 154.221.24.47
description OBJ-CC-154.221.24.47
object network OBJ-CC-144.202.54.86
host 144.202.54.86
description OBJ-CC-144.202.54.86
object network OBJ-CC-50.63.202.94
host 50.63.202.94
description OBJ-CC-50.63.202.94
object network OBJ-CC-50.63.202.67
host 50.63.202.67
description OBJ-CC-50.63.202.67
object network OBJ-CC-50.63.202.82
host 50.63.202.82
description OBJ-CC-50.63.202.82
object network OBJ-CC-184.168.221.94
host 184.168.221.94
description OBJ-CC-184.168.221.94
object network OBJ-CC-184.168.221.82
host 184.168.221.82
description OBJ-CC-184.168.221.82
object network OBJ-CC-184.168.221.71
host 184.168.221.71
description OBJ-CC-184.168.221.71
object network OBJ-CC-50.63.202.73
host 50.63.202.73
description OBJ-CC-50.63.202.73
object network OBJ-CC-207.148.12.47
host 207.148.12.47
description OBJ-CC-207.148.12.47
object network OBJ-CC-149.28.74.41
host 149.28.74.41
description OBJ-CC-149.28.74.41
object network OBJ-CC-207.148.78.101
host 207.148.78.101
description OBJ-CC-207.148.78.101
object network OBJ-CC-149.28.74.149
host 149.28.74.149
description OBJ-CC-149.28.74.149
object network OBJ-CC-50.63.202.59
host 50.63.202.59
description OBJ-CC-50.63.202.59
object network OBJ-CC-198.54.117.200
host 198.54.117.200
description OBJ-CC-198.54.117.200
object network OBJ-CC-198.54.117.199
host 198.54.117.199
description OBJ-CC-198.54.117.199
object network OBJ-CC-198.54.117.197
host 198.54.117.197
description OBJ-CC-198.54.117.197
object network OBJ-CC-198.54.117.198
host 198.54.117.198
description OBJ-CC-198.54.117.198
object network OBJ-CC-162.255.119.150
host 162.255.119.150
description OBJ-CC-162.255.119.150
object network OBJ-CC-167.88.180.148
host 167.88.180.148
description OBJ-CC-167.88.180.148
object network OBJ-CC-167.88.177.224
host 167.88.177.224
description OBJ-CC-167.88.177.224
object network OBJ-CC-167.88.180.3
host 167.88.180.3
description OBJ-CC-167.88.180.3
object network OBJ-CC-45.248.87.14
host 45.248.87.14
description OBJ-CC-45.248.87.14
object network OBJ-CC-91.195.240.117
host 91.195.240.117
description OBJ-CC-91.195.240.117
object network OBJ-CC-103.224.182.250
host 103.224.182.250
description OBJ-CC-103.224.182.250
object network OBJ-CC-185.239.226.19
host 185.239.226.19
description OBJ-CC-185.239.226.19
object network OBJ-CC-45.77.209.52
host 45.77.209.52
description OBJ-CC-45.77.209.52
object network OBJ-CC-167.88.178.118
host 167.88.178.118
description OBJ-CC-167.88.178.118
object network OBJ-CC-185.239.226.61
host 185.239.226.61
description OBJ-CC-185.239.226.61
object network OBJ-CC-45.77.184.12
host 45.77.184.12
description OBJ-CC-45.77.184.12
Create an object-group network named G_Deny
object-group network G_Deny
network-object object OBJ-CC-58.158.177.102
network-object object OBJ-CC-156.230.21.30
network-object object OBJ-CC-50.63.202.70
network-object object OBJ-CC-50.63.202.79
network-object object OBJ-CC-45.32.50.150
network-object object OBJ-CC-167.88.180.15
network-object object OBJ-CC-167.88.178.24
network-object object OBJ-CC-43.254.217.67
network-object object OBJ-CC-154.221.24.47
network-object object OBJ-CC-144.202.54.86
network-object object OBJ-CC-50.63.202.94
network-object object OBJ-CC-50.63.202.67
network-object object OBJ-CC-50.63.202.82
network-object object OBJ-CC-184.168.221.94
network-object object OBJ-CC-184.168.221.82
network-object object OBJ-CC-184.168.221.71
network-object object OBJ-CC-50.63.202.73
network-object object OBJ-CC-207.148.12.47
network-object object OBJ-CC-149.28.74.41
network-object object OBJ-CC-207.148.78.101
network-object object OBJ-CC-149.28.74.149
network-object object OBJ-CC-50.63.202.59
network-object object OBJ-CC-198.54.117.200
network-object object OBJ-CC-198.54.117.199
network-object object OBJ-CC-198.54.117.197
network-object object OBJ-CC-198.54.117.198
network-object object OBJ-CC-162.255.119.150
network-object object OBJ-CC-167.88.180.148
network-object object OBJ-CC-167.88.177.224
network-object object OBJ-CC-167.88.180.3
network-object object OBJ-CC-45.248.87.14
network-object object OBJ-CC-91.195.240.117
network-object object OBJ-CC-103.224.182.250
network-object object OBJ-CC-185.239.226.19
network-object object OBJ-CC-45.77.209.52
network-object object OBJ-CC-167.88.178.118
network-object object OBJ-CC-185.239.226.61
network-object object OBJ-CC-45.77.184.12
Create the policy
Create one policy per WAN connection: as many WAN links as you have, that many policies.
access-list WAN1-ACCESS-IN extended deny ip object-group G_Deny any
access-list WAN2-ACCESS-IN extended deny ip object-group G_Deny any
access-group WAN1-ACCESS-IN in interface wan1
access-group WAN2-ACCESS-IN in interface wan2
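Typing several hundred thousand object, group and ACL lines by hand is not realistic, and a single typo in the list leaves one address open. The following script is an added example, not part of the original post or of any Cisco tooling: it takes the IP column exported from the spreadsheet, validates and de-duplicates it, renders the same object / object-group / access-list / access-group commands shown above (the names OBJ-CC-<ip>, G_Deny and <IF>-ACCESS-IN follow the post), and then audits a configuration text (the generated one, or the output of `show running-config`) to confirm that every IP ends up as a member of G_Deny and that every named WAN interface has an inbound ACL denying that group. The sample addresses are a constructed subset of the post's list with one deliberate duplicate.

```python
"""Generate and audit a Cisco ASA deny-list configuration from a list of IPs.

Added example, not from the original post. Naming follows the post:
objects OBJ-CC-<ip>, group G_Deny, ACL <IF>-ACCESS-IN applied inbound.
"""
import ipaddress
import re
from typing import Iterable

# Constructed sample: a few addresses from the post's list plus one deliberate
# duplicate, standing in for the exported spreadsheet column.
SAMPLE_IPS = [
    "58.158.177.102",
    "156.230.21.30",
    "50.63.202.70",
    "50.63.202.70",
    "45.77.184.12",
]

GROUP_NAME = "G_Deny"


def normalise_ips(ips: Iterable[str]) -> list[str]:
    """Validate each entry as an IPv4 host and drop duplicates, keeping order.

    A typo, a CIDR range or an IPv6 entry raises ValueError, so a bad row is
    caught before anything is pasted into the firewall half-applied.
    """
    seen: dict[str, None] = {}
    for raw in ips:
        text = raw.strip()
        if not text:
            continue  # blank cells from the export
        addr = ipaddress.ip_address(text)  # ValueError on anything malformed
        if addr.version != 4:
            raise ValueError(f"only IPv4 hosts are handled here: {text}")
        seen.setdefault(str(addr), None)
    return list(seen)


def render_asa_config(ips: Iterable[str], interfaces: Iterable[str],
                      group: str = GROUP_NAME) -> str:
    """Emit the object / object-group / ACL commands from the post,
    one ACL and one access-group binding per WAN interface name."""
    hosts = normalise_ips(ips)
    lines = ["conf t"]
    for ip in hosts:
        name = f"OBJ-CC-{ip}"
        lines += [f"object network {name}", f" host {ip}", f" description {name}"]
    lines.append(f"object-group network {group}")
    lines += [f" network-object object OBJ-CC-{ip}" for ip in hosts]
    for ifname in interfaces:
        acl = f"{ifname.upper()}-ACCESS-IN"
        lines.append(f"access-list {acl} extended deny ip object-group {group} any")
        lines.append(f"access-group {acl} in interface {ifname}")
    return "\n".join(lines) + "\n"


def audit_asa_config(config: str, ips: Iterable[str], interfaces: Iterable[str],
                     group: str = GROUP_NAME) -> list[str]:
    """Return a list of problems; empty means every IP is a member of the group
    via a host object and every interface has an inbound ACL denying the group."""
    problems: list[str] = []
    wanted = set(normalise_ips(ips))

    # object name -> host address (indentation optional, as in the post)
    objects = dict(re.findall(r"^object network (\S+)\n\s*host (\S+)", config, re.M))

    # group members: the network-object lines directly under the group header
    members: set[str] = set()
    in_group = False
    for line in config.splitlines():
        if line.rstrip() == f"object-group network {group}":
            in_group = True
            continue
        if in_group:
            m = re.match(r"\s*network-object object (\S+)", line)
            if m:
                members.add(m.group(1))
            else:
                in_group = False
    covered = {objects[name] for name in members if name in objects}
    for ip in sorted(wanted - covered):
        problems.append(f"{ip} is not a member of {group}")

    deny_acls = set(re.findall(
        rf"^access-list (\S+) extended deny ip object-group {re.escape(group)} any",
        config, re.M))
    bound = re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M)
    for ifname in interfaces:
        acls_on_if = {acl for acl, bound_if in bound if bound_if == ifname}
        if not acls_on_if & deny_acls:
            problems.append(f"interface {ifname} has no inbound ACL denying {group}")
    return problems


if __name__ == "__main__":
    cfg = render_asa_config(SAMPLE_IPS, ["wan1", "wan2"])
    print(cfg)
    print("audit:", audit_asa_config(cfg, SAMPLE_IPS, ["wan1", "wan2"]) or "OK")
```

Two points to keep in mind when applying the generated lines. An ASA access list ends with an implicit deny, so an ACL that contains only this deny entry and is then bound to an interface with `access-group` will drop all other inbound traffic on that interface as well; if an inbound ACL already exists on the WAN interface, add the deny entry to that ACL (ahead of its permits) instead of binding a new one. And the rule above only stops connections arriving from these sources; because the list is described as command-and-control addresses, a second rule on the inside interface with G_Deny as the destination is what blocks already-infected internal hosts from beaconing out.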
Method 2: Create it in the Cisco ASDM GUI of the ASA
Create the IP objects
Go to ASDM -> Configuration -> Firewall -> Objects -> Network Objects/Groups -> Add
Repeat the same steps for each of the other IPs
Create the object group
Add the IP objects to the deny group
Create the access policy
Wishing you success through this flood season!!!