Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
809
Views
0
Helpful
1
Replies

Anti spoof acl and cisco 7606

svarc1977
Level 1
Level 1

‎03-25-2008 07:52 AM - edited ‎02-20-2020 09:40 PM

Hi all,

I have strange problem with anti spoof access-list which I would like to set up in cisco 7606 with 7600-PFC3CXL. So I made an access-list which is in [1.] and set up on interface Te1/1 like this [2.], but there are no match in output direction? Why? Well I made a test with [3.] but no matchs in access-list and ICMP was working than I made change [4.] and yeap icmp was not working and I have seen match in input direction good. It looks like that output direction in acl not working so I removed line 1 inc acl [4.] and icmp still not working and acl [3.] started matching icmp in line 1? Why? Can anybody help me? Thanks.

Karel

btw.> I tried solve this problem with this links:

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/acl.html

http://www.cisco.com/web/about/security/intelligence/acl-logging.html

[1.]

Extended IP access list anti_spoof_Te1/1_input

10 deny ip 10.0.0.0 0.255.255.255 any

20 deny ip 172.16.0.0 0.15.255.255 any

30 deny ip 192.168.0.0 0.0.255.255 any

40 deny ip 127.0.0.0 0.255.255.255 any

50 deny ip 194.79.52.0 0.0.3.255 any

60 deny ip 0.0.0.0 0.255.255.255 any

70 permit ip any OUR CIDR

80 permit ip any host BGP Neighbor

90 deny ip any any

Extended IP access list anti_spoof_Te1/1_output

10 deny ip any 10.0.0.0 0.255.255.255

20 deny ip any 172.16.0.0 0.15.255.255

30 deny ip any 192.168.0.0 0.0.255.255

40 deny ip any 127.0.0.0 0.255.255.255

50 deny ip any 0.0.0.0 0.255.255.255

60 deny ip any OUR CIDR

70 permit ip host BGP Neighbor any

80 permit ip OUR CIDR any

90 deny ip any any

[2.]

ip access-group anti_spoof_Te1/1_input in

ip access-group anti_spoof_Te1/1_output out

[3.]

Extended IP access list anti_spoof_Te1/1_output

1 deny icmp host from OUR CIDR host in INTERNET log-input

10 deny ip any 10.0.0.0 0.255.255.255

20 deny ip any 172.16.0.0 0.15.255.255

30 deny ip any 192.168.0.0 0.0.255.255

40 deny ip any 127.0.0.0 0.255.255.255

50 deny ip any 0.0.0.0 0.255.255.255

60 deny ip any OUR CIDR

70 permit ip host BGP Neighbor any

80 permit ip OUR CIDR any

90 deny ip any any log-input

[4.]

Extended IP access list anti_spoof_Te1/1_input

1 deny icmp host from INTERNET host from OUR CIDR

10 deny ip 10.0.0.0 0.255.255.255 any

20 deny ip 172.16.0.0 0.15.255.255 any

30 deny ip 192.168.0.0 0.0.255.255 any

40 deny ip 127.0.0.0 0.255.255.255 any

50 deny ip 194.79.52.0 0.0.3.255 any

60 deny ip 0.0.0.0 0.255.255.255 any

70 permit ip any OUR CIDR

80 permit ip any host BGP Neighbor

90 deny ip any any

Labels:
0 Helpful
1 Reply 1
Customers Also Viewed These Support Documents