
New Member

Blocking "BOGON" traffic. AKA Private IP on the outside interface on an ASA

Is it necessary to block "bogon" networks on the outside interface, or does the Cisco ASA firewall do it by default?

I noticed the line below in my logs and it kind of scared me for a sec.

2013-11-27 T13:27:55.540306-05:00 ga-asa-5505-50 : %ASA-session-6-302016: Teardown UDP connection 6480256 for outside:192.168.1.10/5061 to inside:A-192.168.110.4/5060 duration 17:19:43 bytes 20060171

It looks like the traffic came from outside the network, from 192.168.1.10.

So if that is the case, would the access list below block those "private" networks?

What I aim to block:

10.0.0.0/8 (A)
172.16.0.0/12 (B)
192.168.0.0/16 (C)
224.0.0.0/4 (MULTICAST D)
240.0.0.0/5 (E)
127.0.0.0/8 (LOOPBACK)

--------------------------------------------------------

object-group network bogons
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 224.0.0.0 240.0.0.0
 network-object 240.0.0.0 248.0.0.0
 network-object 127.0.0.0 255.0.0.0

access-list world extended deny ip object-group bogons any

access-group world in interface outside

------------------------------------------------------

Tags: Firewalling

Accepted Solution
Bronze

Blocking "BOGON" traffic. AKA Private IP on the outside interface on an ASA

Hello Stephen,

If you have configured the outside interface with security level 0, then it will block all traffic unless permitted on an ACL.

So if you don't have any ACL on the outside, then there is no need to block it. If you have an ACL, just confirm the traffic is not permitted; otherwise the ASA will apply the implicit 'deny ip any any'.

Regards,

Felipe.

Remember to rate useful posts.

2 REPLIES

New Member

Re: Blocking "BOGON" traffic. AKA Private IP on the outside interface on an ASA

Thank you... You are correct; I was just freaking out. It turns out to be a host from a "site-to-site" VPN connection that is allowed.

I guess I deal with a lot of iptables configurations, so I defaulted to thinking that way.

i.e. on the public interface (Linux iptables):

# iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

Thanks for the refresher.

Good day.
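As an added example (not code from the thread or from Cisco), here is a small Python check that applies the bogon object-group from the question to ASA connection-teardown log lines like the one quoted above. It flags connections whose source on the outside interface is a bogon and, since the OP's host turned out to be a permitted site-to-site VPN peer, lets you list known VPN networks so those are reported as "vpn-peer" rather than "alert". Only the first sample line is from the question; the other two are constructed.

```python
import ipaddress
import re

# Bogon ranges copied from the object-group in the question.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/5", "127.0.0.0/8")]

# Matches %ASA-6-302014 (TCP) / %ASA-6-302016 (UDP) teardown messages. The
# optional "NAME-" prefix handles named hosts such as "inside:A-192.168.110.4".
TEARDOWN_RE = re.compile(
    r"%ASA-(?:\w+-)?\d-30201[46]: Teardown (?P<proto>TCP|UDP) connection "
    r"(?P<conn>\d+) for (?P<src_if>[\w-]+):(?:[\w-]*-)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/\d+ to (?P<dst_if>[\w-]+):(?:[\w-]*-)?"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/\d+")


def is_bogon(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGONS)


def review_teardowns(lines, outside_if="outside", known_vpn_nets=()):
    """Return (conn_id, src, verdict) for every teardown whose source address is
    a bogon arriving on the outside interface. verdict is 'vpn-peer' when the
    source lies in a known site-to-site network, otherwise 'alert'."""
    vpn = [ipaddress.ip_network(n) for n in known_vpn_nets]
    findings = []
    for line in lines:
        m = TEARDOWN_RE.search(line)
        if not m or m["src_if"] != outside_if or not is_bogon(m["src"]):
            continue  # unparsed, inside-originated, or a public source
        src = ipaddress.ip_address(m["src"])
        verdict = "vpn-peer" if any(src in n for n in vpn) else "alert"
        findings.append((int(m["conn"]), m["src"], verdict))
    return findings


# Constructed sample log; line 1 is the message quoted in the question.
SAMPLE_LOG = [
    "2013-11-27 T13:27:55.540306-05:00 ga-asa-5505-50 : %ASA-session-6-302016: Teardown UDP connection 6480256 for outside:192.168.1.10/5061 to inside:A-192.168.110.4/5060 duration 17:19:43 bytes 20060171",
    "2013-11-27 T13:30:01.000000-05:00 ga-asa-5505-50 : %ASA-6-302014: Teardown TCP connection 6480300 for outside:198.51.100.7/443 to inside:192.168.110.20/52110 duration 0:00:12 bytes 8042 TCP FINs",
    "2013-11-27 T13:30:05.000000-05:00 ga-asa-5505-50 : %ASA-6-302014: Teardown TCP connection 6480301 for inside:192.168.110.21/50222 to outside:203.0.113.9/80 duration 0:00:03 bytes 1290 TCP FINs",
]

if __name__ == "__main__":
    for conn, src, verdict in review_teardowns(SAMPLE_LOG, known_vpn_nets=["192.168.1.0/24"]):
        print(f"conn {conn}: bogon source {src} on outside -> {verdict}")
```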
