Blocking "BOGON" traffic. AKA Private IP on the outside interface on an ASA

stevechege
Level 1

Is it necessary to block "bogon" networks on the outside interface, or does the Cisco ASA firewall do it by default?

I noticed this line below in my logs and it kind of scared me for a sec.

2013-11-27 T13:27:55.540306-05:00 ga-asa-5505-50 : %ASA-session-6-302016: Teardown UDP connection 6480256 for outside:192.168.1.10/5061 to inside:A-192.168.110.4/5060 duration 17:19:43 bytes 20060171

It looks like the traffic came from outside the network from 192.168.1.10

So if that's the case, would the access list below block those "private" networks?

What I aim to block:

10.0.0.0/8  (A)

172.16.0.0/12 (B)

192.168.0.0/16 (C)

224.0.0.0/4 (MULTICAST D)

240.0.0.0/5 (E)

127.0.0.0/8 (LOOPBACK)

--------------------------------------------------------

object-group network bogons

network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object 224.0.0.0 240.0.0.0
network-object 240.0.0.0 248.0.0.0
network-object 127.0.0.0 255.0.0.0


access-list world extended deny ip object-group bogons any

access-group world in interface outside

------------------------------------------------------
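Added example (not from the original post): a small Python checker that parses the connection messages quoted above and flags the ones whose source, on the outside interface, falls in the bogon ranges listed in the question. It keeps an allowlist of subnets expected through site-to-site tunnels so a VPN peer like the 192.168.1.10 above is reported as such rather than as a bogon. The 192.168.1.0/24 allowlist, the 10.9.9.9, 203.0.113.7 and 198.51.100.4 addresses and the second and third log lines are constructed for the example.

```python
import ipaddress
import re

# Ranges exactly as listed in the question's object-group "bogons".
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/5", "127.0.0.0/8",
)]

# Hypothetical: remote subnets that legitimately appear as sources on the outside
# interface because they arrive through site-to-site VPN tunnels.
KNOWN_VPN_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]

# Matches the "for <interface>:<ip>/<port>" token carried by 302013/302015/302016
# connection messages; an optional object-name prefix such as "A-" is skipped.
CONN_RE = re.compile(
    r"for (?P<src_if>[A-Za-z0-9_-]+):(?:[A-Za-z_][\w-]*?-)?"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<src_port>\d+)"
)

# Constructed sample: line 1 is the line quoted in the question, lines 2 and 3 are made up.
SAMPLE_LOGS = """\
2013-11-27 T13:27:55.540306-05:00 ga-asa-5505-50 : %ASA-session-6-302016: Teardown UDP connection 6480256 for outside:192.168.1.10/5061 to inside:A-192.168.110.4/5060 duration 17:19:43 bytes 20060171
2013-11-27 T13:28:01.000000-05:00 ga-asa-5505-50 : %ASA-session-6-302015: Built inbound UDP connection 6480300 for outside:10.9.9.9/40000 (10.9.9.9/40000) to inside:192.168.110.4/53 (198.51.100.4/53)
2013-11-27 T13:28:02.000000-05:00 ga-asa-5505-50 : %ASA-session-6-302013: Built inbound TCP connection 6480301 for outside:203.0.113.7/51515 (203.0.113.7/51515) to inside:192.168.110.4/443 (198.51.100.4/443)
"""


def classify_source(line, vpn_subnets=KNOWN_VPN_SUBNETS):
    """Return (src_ip, verdict) for one connection log line, or None if it is not one.

    verdict is one of:
      "not-outside"  the connection did not arrive on the outside interface
      "vpn-peer"     private source expected through a site-to-site tunnel
      "bogon"        private/reserved source with no tunnel explanation
      "public"       routable source
    """
    m = CONN_RE.search(line)
    if m is None:
        return None
    try:
        src_ip = ipaddress.ip_address(m.group("src_ip"))
    except ValueError:  # octet out of range; not a real address
        return None
    if m.group("src_if") != "outside":
        verdict = "not-outside"
    elif any(src_ip in net for net in vpn_subnets):
        verdict = "vpn-peer"
    elif any(src_ip in net for net in BOGONS):
        verdict = "bogon"
    else:
        verdict = "public"
    return str(src_ip), verdict


def scan(log_text, vpn_subnets=KNOWN_VPN_SUBNETS):
    """Classify every connection line in log_text; returns a list of (src_ip, verdict)."""
    results = []
    for line in log_text.splitlines():
        r = classify_source(line, vpn_subnets)
        if r is not None:
            results.append(r)
    return results


def alerts(log_text, vpn_subnets=KNOWN_VPN_SUBNETS):
    """Only the sources worth a second look: bogon sources seen on the outside interface."""
    return [ip for ip, verdict in scan(log_text, vpn_subnets) if verdict == "bogon"]


if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOGS):
        print(f"{ip:<16} {verdict}")
```

Run against the sample, the quoted 192.168.1.10 line is reported as "vpn-peer" and only the constructed 10.9.9.9 source is raised as an alert; with an empty allowlist both private sources are flagged, which is the "scared me for a sec" reading of the original line.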

Accepted Solution

lcambron
Level 3

Hello Stephen,

If you have configured the outside interface with security level 0, then it will block all traffic unless permitted on an ACL.

So if you don't have any ACL on the outside, then there is no need to block it. If you have an ACL, just confirm the traffic is not permitted; otherwise the ASA will apply the implicit 'deny ip any any'.

Regards,

Felipe.

Remember to rate useful posts.

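To make the accepted answer's point concrete, here is an added Python model (not Cisco's code and not part of the thread) of first-match ACL evaluation with the implicit deny: a packet from 192.168.1.10 is dropped when no access-group is applied, passes when the only ACE is a broad permit, and is dropped again when the question's deny-bogons ACE sits above that permit. The 198.51.100.4 web server and the 203.0.113.7 client are constructed documentation-range addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source/destination sets, optional dest port."""
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches any protocol; otherwise "tcp" / "udp"
    src: Tuple[Net, ...]
    dst: Tuple[Net, ...]
    dport: Optional[int] = None


ANY = (ipaddress.ip_network("0.0.0.0/0"),)


def host(ip: str) -> Tuple[Net, ...]:
    return (ipaddress.ip_network(ip + "/32"),)


# object-group network bogons, as listed in the question
BOGONS = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/5", "127.0.0.0/8",
))

# Hypothetical published service: 198.51.100.4 on TCP/443 (documentation range).
PERMIT_WEB = Ace("permit", "tcp", ANY, host("198.51.100.4"), 443)
# The question's "access-list world extended deny ip object-group bogons any".
DENY_BOGONS = Ace("deny", "ip", BOGONS, ANY)

ACL_PERMIT_ONLY: List[Ace] = [PERMIT_WEB]                   # broad permit, no bogon filtering
ACL_WITH_BOGON_DENY: List[Ace] = [DENY_BOGONS, PERMIT_WEB]  # the deny is evaluated first


def ace_matches(ace: Ace, proto: str, src, dst, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not any(src in n for n in ace.src):
        return False
    if not any(dst in n for n in ace.dst):
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return True


def evaluate(acl: Optional[List[Ace]], proto: str, src: str, dst: str, dport: Optional[int] = None):
    """Decide an inbound packet on the outside interface.

    acl is None when no access-group is applied: the interface is security level 0,
    so nothing inbound is permitted. Otherwise the first matching ACE wins, and a
    packet that matches no ACE hits the implicit 'deny ip any any'.
    Returns (verdict, reason).
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if acl is None:
        return "deny", "no access-group applied: lower-security interface, inbound denied by default"
    for i, ace in enumerate(acl):
        if ace_matches(ace, proto, src_ip, dst_ip, dport):
            return ace.action, f"matched ACE {i}: {ace.action} {ace.proto}"
    return "deny", "implicit deny ip any any"


def verdict(acl, proto, src, dst, dport=None) -> str:
    return evaluate(acl, proto, src, dst, dport)[0]


if __name__ == "__main__":
    cases = [("no ACL", None), ("permit only", ACL_PERMIT_ONLY), ("bogon deny first", ACL_WITH_BOGON_DENY)]
    for name, acl in cases:
        v, why = evaluate(acl, "tcp", "192.168.1.10", "198.51.100.4", 443)
        print(f"{name:<18} 192.168.1.10 -> 198.51.100.4:443  {v:<6} ({why})")
```

The middle case is the one the answer's "just confirm the traffic is not permitted" refers to: once an inbound ACL exists, a permit written with source "any" also admits private sources, and the explicit bogon deny is what closes that. One caveat for the OP's actual situation: with the ASA default `sysopt connection permit-vpn`, decrypted site-to-site VPN traffic is not evaluated against the interface ACL at all, so a deny-bogons ACE would not have broken the tunnel traffic seen in the log.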

2 Replies


Thank you... You are correct... I was just freaking out. It turns out to be a host from a "site-to-site" VPN connection that is allowed.

I guess I deal with a lot of iptables configurations, so I defaulted to thinking that way.

i.e., on the public interface (Linux iptables):

# iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

Thanks for the refresher.

Good day.
