The syntax for adding a rule in an ASA device to deny traffic for a group of IPs (i.e. a blocklist) is as follows:
SSH to the Cisco as usual, then enter enable mode and configure terminal mode:
$en
enter the password
$conf t
#
Now that you are elevated and in configuration mode, use the following to generate a new group:
#object-group network DenyIP
DenyIP is simply the name I use for the group.
Now we will add an IP to this list with:
#network-object host 1.2.3.4
We've just added the IP 1.2.3.4 to the object group "DenyIP".
Now that we have a list to add IPs to, we can create a rule that will deny traffic for anything on this list. An extended ACL entry needs both a source and a destination, so the object group goes in as the source and "any" as the destination:
#access-list outside_access_in extended deny ip object-group DenyIP any
That's it. If this is a preexisting Cisco, you may need to make sure this rule is above the rest, since the ASA evaluates the ACL from the top down and stops at the first match. You can do that with:
#no access-list outside_access_in extended deny ip object-group DenyIP any
This will nuke the rule you just created. Now let's do that again, but put it up top:
#access-list outside_access_in line 2 extended deny ip object-group DenyIP any
This will create that ACL entry and place it at line 2. Line 1 is usually the rule for support access. Just use the appropriate line number and make sure the deny rule is in place before any allow-all type rules.
#wr mem
Do not forget to save your work!
For the newer, more current Ciscos, the outside/inside syntax is now Public/Private. Basically, do a sh ru to see the configuration that you need to follow, or a sh ver to see the version of IOS on the device.
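When the blocklist comes from a feed or a ticket rather than one typed address, the commands above can be generated and sanity-checked first. This is an added example, not part of the original page: build_blocklist and its never_block parameter are hypothetical names, it handles IPv4 only, and it assumes the DenyIP group and outside_access_in ACL used above.

```python
import ipaddress

ACL = "outside_access_in"  # ACL name used on this page
GROUP = "DenyIP"           # object-group name used on this page


def build_blocklist(entries, never_block=(), acl_line=2):
    """Return (commands, rejected) for IPv4 hosts or CIDR networks.

    never_block: networks that must not end up in the group, such as
    your own management or support ranges (hypothetical parameter).
    acl_line: position of the deny rule; None if the rule already exists.
    """
    protected = [ipaddress.ip_network(n) for n in never_block]
    objects, seen, rejected = [], set(), []
    for raw in entries:
        try:
            # strict=True rejects typos such as 203.0.113.7/24 (host bits set)
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError:
            rejected.append((raw, "not a valid host or network"))
            continue
        if net.version != 4:
            rejected.append((raw, "IPv6 is not handled in this example"))
        elif net.prefixlen == 0 or any(net.overlaps(p) for p in protected):
            rejected.append((raw, "too broad or overlaps a protected range"))
        elif net not in seen:
            seen.add(net)
            if net.prefixlen == 32:
                objects.append(f"network-object host {net.network_address}")
            else:  # ASA takes a dotted netmask, not a /prefix, for IPv4
                objects.append(f"network-object {net.network_address} {net.netmask}")
    if not objects:
        return [], rejected
    cmds = ["conf t", f"object-group network {GROUP}", *objects, "exit"]
    if acl_line is not None:
        cmds.append(f"access-list {ACL} line {acl_line} extended deny ip "
                    f"object-group {GROUP} any")
    cmds.append("wr mem")
    return cmds, rejected


if __name__ == "__main__":
    # Constructed sample input (documentation address ranges)
    sample = ["1.2.3.4", "198.51.100.0/24", "203.0.113.7/24", "192.0.2.10"]
    cmds, bad = build_blocklist(sample, never_block=["192.0.2.0/28"])
    print("\n".join(cmds))
    for entry, reason in bad:
        print(f"! skipped {entry}: {reason}")
```

Review the rejected list before pasting the commands; an entry that overlaps your own support range is the kind of mistake that locks you out of the device.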