How to add a drop rule to a Cisco ASA
The syntax for adding a rule on an ASA device to deny traffic for a group of IPs, i.e. a blocklist, is as follows:
SSH to the Cisco as usual, then enter enable mode (enter the password when prompted) and configure terminal mode.
Now that you are elevated and in configuration mode, use the following to generate a new group:
#object-group network DenyIP
DenyIP is simply the name I use for the group.
Now we will add an IP to this list with:
#network-object host 220.127.116.11
We've just added the IP 220.127.116.11 to the object group "DenyIP".
Now that we have a list to add IPs to, we can create a rule that will deny traffic from anything on this list (the object group is the source, any is the destination):
#access-list outside_access_in extended deny ip object-group DenyIP any
That's it. If this is a preexisting Cisco, you may need to make sure this rule is above the rest. To do that, first remove the rule:
#no access-list outside_access_in extended deny ip object-group DenyIP any
This will nuke the rule you just created. Now let's do that again, but put it up top:
#access-list outside_access_in line 2 extended deny ip object-group DenyIP any
This will create that ACL entry and place it at line 2. Line 1 is usually the rule for support access. Just use the appropriate line number and make sure the deny rule is in place before any allow-all type rules.
Do not forget to save your work!
For the newer, more current Ciscos, the outside/inside syntax is now Public/Private. Basically, do a sh ru (show running-config) to see the configuration that you need to follow, or a sh ver (show version) to see the version of IOS on the device.
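When the blocklist holds more than a few addresses, the object-group and ACL lines above can be generated and checked before they are pasted in. The following is an added example, not part of the original write-up: the function name, the sample addresses and the "support" range are assumptions. It writes the ACL line with an explicit any destination, and it refuses entries that would block the support source range or widen a host into a whole subnet.

```python
import ipaddress

def build_blocklist_config(entries, never_block=(), group="DenyIP",
                           acl="outside_access_in", line=2):
    """Return (config_lines, rejected) for an ASA object-group blocklist."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    seen, members, rejected = set(), [], []
    for raw in entries:
        text = raw.split("#", 1)[0].strip()      # tolerate trailing comments
        if not text:
            continue
        try:
            # strict parsing: "192.0.2.10/24" is refused, not widened to a /24
            net = ipaddress.ip_network(text)
        except ValueError as exc:
            rejected.append((text, str(exc)))
            continue
        if net.version != 4:
            rejected.append((text, "IPv6 is not handled by this example"))
        elif net.prefixlen == 0 or any(net.overlaps(p) for p in protected):
            rejected.append((text, "overlaps a range that must stay reachable"))
        elif net not in seen:                    # drop duplicates silently
            seen.add(net)
            if net.prefixlen == 32:
                members.append(f" network-object host {net.network_address}")
            else:
                members.append(f" network-object {net.network_address} {net.netmask}")
    if not members:
        return [], rejected                      # never emit a rule for an empty group
    rule = f"access-list {acl} line {line} extended deny ip object-group {group} any"
    return [f"object-group network {group}", *members, rule], rejected

# Constructed sample input (RFC 5737 documentation addresses only).
SAMPLE = ["203.0.113.7", "203.0.113.7  # duplicate", "198.51.100.0/24",
          "192.0.2.10/24", "not-an-ip", "192.0.2.50", "0.0.0.0/0"]
SUPPORT_RANGES = ["192.0.2.48/28"]               # hypothetical support source range

if __name__ == "__main__":
    config, rejected = build_blocklist_config(SAMPLE, SUPPORT_RANGES)
    print("\n".join(config))
    for entry, reason in rejected:
        print(f"! skipped {entry}: {reason}")
```

Review the skipped entries before pasting the generated lines in configuration mode; the group name, ACL name and line number default to the ones used in the steps above.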