1. Start > Run > Type mmc and click run
2. In the console select Add/Remove Snap-in from the File menu and click the Add button in the Standalone tab.
3. In the Add Standalone Snap-in dialog box select IP Security Policy Management and click Add
4. In the Select Computer or Domain dialog box select Local Computer and click Finish.
5. Now just close the Add Standalone Snap-in and Add/Remove Snap-in dialog boxes by clicking the Close and OK buttons respectively.
6. You should now be back to the console. In the left frame right click IP Security Policies on Local Computer and select Create IP Security Policy.
7. Click Next and in the Name textbox give the policy a descriptive name. The Description textbox is optional.
8. Click Next, leave Activate the default response rule checkbox ticked and click Next again.
9. Leave the Edit Properties checkbox ticked and click Finish.
10. The Properties dialog box should be open now. Click Add button and click Next in the wizard.
11. Leave This rule does not specify a tunnel selected and click Next.
12. Leave All network connections selected and click Next.
13. You should now see the IP Filter List step of the wizard. You need to create a new filter, so don’t select any of the default ones, just click Add.
14. Type a descriptive name for the filter list. The Description textbox is optional.
15. Click Add again to start yet another wizard that will create a filter and add it to the list. Click Next.
16. Leave the IP Traffic Source to My IP Address and click Next.
17. For the IP Traffic Destination you could choose A specific IP Address or A specific IP Subnet to block an IP address or a range of IP address.
18. Enter the IP address you would like to block and the Subnet mask if you selected A specific IP Subnet. Then click Next.
19. Leave the protocol type as Any and click Next then Finish.
You now have the IP or a range of IPs blocked from accessing any service the local computer provides.
To Block from Command line
netsh ipsec static add filter filterlist="Banned IPS" srcaddr=220.127.116.11 srcmask=255.252.0.0 dstaddr=me description="18.104.22.168/14" protocol=any srcport=0 dstport=0