This document describes the procedure to implement anti-spoofing using the access list.
There is a need to block network attacks using the IP spoofing method.
User have a scenario where he have multiple print servers on his outside interface that need to print/communicate to printers on his inside interface. He has already setup a 1 to 1 nat for the printers but need to figure out the ACl for it. His thought is to group all his outside print servers together in one object-group and group all his inside printer networks in another object-group and then put all the ports in an another object-group then write the acl as follows
but all he get is a return option <CR> after providing the first object-group parameter . The code running on the ASA is 8.6. Is this possible? Do he need to upgrade to the latest 9.x code?
IP spoofing is a method of attack by sending packets to a target network while hiding the attacker's address using a false source address.Thus, to achieve anti-spoofing using the access list, you need to create deny statements for each communication based on whether a valid sender address is specified.
Router(config)# ip access-list extended anti-spoof
First, drop the communications from private addresses defined in RFC1918.These addresses cannot be routed on the Internet, so it cannot come from outside as valid communications.
Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
Drop communications from multicast addresses.A multicast address cannot be used as a source address, so such communications are not valid.
Router(config-ext-nacl)# deny ip 126.96.36.199 188.8.131.52 any
127.0.0.0/8 is a loopback address defined in RFC3330 and reserved for communications from each terminal to themselves.It cannot be transmitted from outside a terminal.
Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any
This is a loopback address reserved by Microsoft Windows.Like 127.0.0.0/8, it is only in communications within the PC.
Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any
Your company subnet exists within the router, so communication from an outside sender with your company address would be impossible.
Router(config-ext-nacl)# deny ip <your company subnet> <wildcard mask of your company subnet> any
So far only deny statements have been defined, which means all communications are dropped by the implicit "deny" of the access list.Therefore, you need to add statements to permit communications that can enter the your company network.If it is clear which Internet communications you want to permit, the following setting is recommended.
Router(config-ext-nacl)# permit ip any <your company subnet for which you want to permit access from the Internet> <corresponding wildcard mask>
Router(config-ext-nacl)# deny ip any any<.span>
If there is no need for any further restrictions on communications from the Internet, the following setting may be used.
Router(config-ext-nacl)# permit ip any any
Finally, apply the created access list to the interface for Internet.
Router(config)# interface gigabitEthernet0/0
Router(config-if)# ip access-group anti-spoof in
User need to create the "object-group service" before he try this command. (That is right, even before you press "Enter", when you use "?" to see the command syntax if the name of the service group you used in the line doesn't exist ASA won't show the rest of the command.)
Original Document: Cisco Support Community Japan DOC-12237