Cisco ASA Microsoft Updates Sources List – 2020 List

If you need to filter egress traffic on your ASA, and one of the requirements is access to update.microsoft to pull all necessary updates, this object-group might be useful.

Been working on this list based on tcpdump resets and verifying ARIN for the sources (US based).

Thought I would share my findings:

Updated: 2/14/2020

object-group network UPDATES_MICROSOFT_POOL_GRP
network-object 65.52.0.0 255.252.0.0
network-object 70.37.0.0 255.255.128.0
network-object 70.37.128.0 255.255.192.0
network-object 94.245.64.0 255.255.192.0
network-object 111.221.16.0 255.255.240.0
network-object 111.221.64.0 255.255.192.0
network-object 132.245.0.0 255.255.0.0
network-object 157.54.0.0 255.254.0.0
network-object 157.56.0.0 255.252.0.0
network-object 157.60.0.0 255.255.0.0
network-object 207.46.0.0 255.255.0.0
network-object 207.68.128.0 255.255.192.0
network-object 213.199.128.0 255.255.192.0
network-object 134.170.0.0 255.255.0.0
network-object 13.104.0.0 255.252.0.0
network-object 13.64.0.0 255.224.0.0
network-object 13.96.0.0 255.248.0.0
network-object 91.190.216.0 255.255.248.0
network-object 104.40.0.0 255.248.0.0
network-object 104.146.0.0 255.254.0.0
network-object 104.208.0.0 255.248.0.0
network-object 104.64.0.0 255.192.0.0
network-object 23.96.0.0 255.248.0.0
network-object 184.50.0.0 255.254.0.0
network-object 23.32.0.0 255.224.0.0
network-object 23.64.0.0 255.252.0.0
network-object host 40.90.137.120
network-object host 51.143.106.177
network-object host 40.90.137.127
network-object host 40.90.23.206
network-object host 184.50.238.34
network-object host 184.50.238.48
network-object host 8.248.51.254
network-object host 8.249.117.254
network-object host 8.252.9.254
network-object host 8.253.110.107
network-object host 20.45.1.107
network-object host 23.2.87.17
network-object host 67.26.217.254
network-object host 72.21.91.29
network-object host 205.185.216.10
network-object host 205.185.216.42
network-object host 72.21.81.240
network-object host 52.167.18.95
network-object host 72.21.81.200
network-object host 204.79.197.200
network-object host 40.91.122.234
network-object host 40.69.216.129
network-object host 40.90.23.208
network-object host 40.90.23.153
network-object host 40.91.76.238
network-object host 151.139.128.14
network-object host 23.192.56.94
network-object 40.74.0.0 255.254.0.0
network-object 40.76.0.0 255.252.0.0
network-object 40.80.0.0 255.240.0.0
network-object 40.96.0.0 255.240.0.0
network-object 40.112.0.0 255.248.0.0
network-object 40.120.0.0 255.252.0.0
network-object 40.124.0.0 255.255.0.0
network-object 40.125.0.0 255.255.128.0
network-object 52.145.0.0 255.255.0.0
network-object 52.146.0.0 255.254.0.0
network-object 52.148.0.0 255.252.0.0
network-object 52.152.0.0 255.248.0.0
network-object 52.160.0.0 255.224.0.0
network-object 64.4.0.0 255.255.192.0

Of course you'll need to apply it on the correct interface in/out. Please note this is for reference purposes only. Not taking any responsibility.

Your other options are to use a WSUS proxy or to open egress to any destination over 443 and 80.

If there are any other ranges that you are aware of (US based), please let me know.
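An added example, not part of the original post: Python that audits an object-group in the format above for repeated entries and for host entries already covered by a broader range, then reports how many addresses the group opens for egress. The function names and the short sample input are constructed for illustration.

```python
import ipaddress

# Constructed sample in the same format as the object-group above (not the full list).
SAMPLE = """\
object-group network UPDATES_MICROSOFT_POOL_GRP
network-object 40.80.0.0 255.240.0.0
network-object 184.50.0.0 255.254.0.0
network-object host 40.90.23.206
network-object host 184.50.238.34
network-object host 184.50.238.34
network-object host 72.21.91.29
network-object 70.37.0.0 255.255.128.0
"""

def parse_group(text):
    """Return [(line_no, IPv4Network)]; raises ValueError if a range has host bits set."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        if len(tok) != 3 or tok[0] != "network-object":
            continue  # group header, blank line, or a form not handled here
        cidr = f"{tok[2]}/32" if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
        entries.append((no, ipaddress.ip_network(cidr)))
    return entries

def audit(entries):
    """Return (duplicates, shadowed): repeated entries and entries inside a broader one."""
    first, duplicates, shadowed = {}, [], []
    for no, net in entries:
        if first.setdefault(net, no) != no:
            duplicates.append((no, net, first[net]))  # (line, entry, first seen at line)
    for net, no in first.items():
        wider = next((o for o in first if o != net and net.subnet_of(o)), None)
        if wider is not None:
            shadowed.append((no, net, wider))  # (line, entry, range that covers it)
    return duplicates, shadowed

def minimal(entries):
    """Smallest equivalent entry set, rendered back as ASA network-object lines."""
    nets = ipaddress.collapse_addresses(n for _, n in entries)
    return [f"network-object host {n.network_address}" if n.prefixlen == 32
            else f"network-object {n.network_address} {n.netmask}" for n in nets]

def allowed_addresses(entries):
    """Total IPv4 addresses the group permits once overlaps are removed."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(n for _, n in entries))

if __name__ == "__main__":
    print(audit(parse_group(SAMPLE)), minimal(parse_group(SAMPLE)), sep="\n")
```

Running it against the full group shows which host lines add nothing beyond the ranges already present and how large the permitted egress space is in total.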

PS. There is also another way. You can point to an FQDN destination, but it's tricky because you need to ensure that the ASA and your clients are under the same DNS pointers (they must resolve the name to the same addresses). Not bulletproof, but...

Example below:

object network MICROSOFT_UPDATES_FQDN
fqdn v4 www.update.microsoft.com

dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8

access-list dmz-in line 6 extended permit tcp object inside object MICROSOFT_UPDATES_FQDN eq https
access-list dmz-in line 6 extended permit tcp object inside object MICROSOFT_UPDATES_FQDN eq 80

sh dns
Name: www.update.microsoft.com
Address: 40.90.247.210 TTL 00:02:21
Address: 20.45.1.107 TTL 00:02:38
Address: 13.64.25.102 TTL 00:02:38

Regards,
Bart