Cisco ASA Microsoft Updates Sources List

If you need to filter egress traffic on your ASA and one of the requirements is access to update.microsoft to pull all necessary updates, this object-group might be useful.

I have been working on this list based on TCP dump resets and verifying ARIN for the sources (US based).

I thought I would share my findings:

Updated: 7/25/18

object-group network UPDATES_MICROSOFT_POOL_GRP
network-object 65.52.0.0 255.252.0.0
network-object 70.37.0.0 255.255.128.0
network-object 70.37.128.0 255.255.192.0
network-object 94.245.64.0 255.255.192.0
network-object 111.221.16.0 255.255.240.0
network-object 111.221.64.0 255.255.192.0
network-object 132.245.0.0 255.255.0.0
network-object 157.54.0.0 255.254.0.0
network-object 157.56.0.0 255.252.0.0
network-object 157.60.0.0 255.255.0.0
network-object 207.46.0.0 255.255.0.0
network-object 207.68.128.0 255.255.192.0
network-object 213.199.128.0 255.255.192.0
network-object 134.170.0.0 255.255.0.0
network-object 13.104.0.0 255.252.0.0
network-object 13.64.0.0 255.224.0.0
network-object 13.96.0.0 255.248.0.0
network-object 91.190.216.0 255.255.248.0
network-object 104.40.0.0 255.248.0.0
network-object 104.146.0.0 255.254.0.0
network-object 104.208.0.0 255.248.0.0
network-object 104.64.0.0 255.192.0.0
network-object 23.96.0.0 255.248.0.0
network-object 184.50.0.0 255.254.0.0
network-object 23.32.0.0 255.224.0.0
network-object 23.64.0.0 255.252.0.0

Of course you'll need to apply it on the correct interface in/out. Please note this is for reference purposes only. I am not taking any responsibility.

Your other options are to use a WSUS proxy or to open egress to any destination over ports 443 and 80.

If there are any other ranges that you are aware of (US based), please let me know.

Regards,
Bart
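
A list like this needs re-checking as ranges change. The following is an added example, not part of the original post: it parses network-object lines in the format above, flags misaligned or overlapping entries, and reports which destinations the group does not cover. The config excerpt, the destination addresses and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt in the page's format; paste the full object-group instead.
ASA_CONFIG = """\
object-group network UPDATES_MICROSOFT_POOL_GRP
network-object 65.52.0.0 255.252.0.0
network-object 13.64.0.0 255.224.0.0
network-object 13.96.0.0 255.248.0.0
network-object 23.32.0.0 255.224.0.0
"""

# Constructed destinations, standing in for addresses seen in denied/reset traffic.
DENIED_DESTINATIONS = ["65.55.1.1", "13.100.2.3", "203.0.113.10"]

NETOBJ = re.compile(r"^\s*network-object\s+(?:host\s+(\S+)|(\S+)\s+(\S+))\s*$")


def parse_object_group(text):
    """Return an IPv4Network for every network-object line in the text."""
    nets = []
    for line in text.splitlines():
        m = NETOBJ.match(line)
        if not m:
            continue  # object-group header, blank lines, anything else
        host, addr, mask = m.groups()
        spec = f"{host}/32" if host else f"{addr}/{mask}"
        # strict=True raises ValueError when the address has host bits set
        nets.append(ipaddress.IPv4Network(spec, strict=True))
    return nets


def overlapping_entries(nets):
    """Pairs of entries that overlap, meaning one of the lines is redundant."""
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def uncovered(nets, destinations):
    """Destinations no entry matches, so the egress ACL would still drop them."""
    return [d for d in destinations
            if not any(ipaddress.IPv4Address(d) in n for n in nets)]


def to_network_object(cidr):
    """Render a CIDR block as an ASA network-object line (address plus mask)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return f"network-object {net.network_address} {net.netmask}"


if __name__ == "__main__":
    group = parse_object_group(ASA_CONFIG)
    print("overlaps:", overlapping_entries(group))
    print("not covered:", uncovered(group, DENIED_DESTINATIONS))
```

Confirm who owns an uncovered address before widening the group; to_network_object() then turns the confirmed CIDR block into a line ready to paste.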
