Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Implementing anti-spoofing with access list

 

Introduction:

This document describes the procedure to implement anti-spoofing using the access list.

Core Issue:

Scenario 1:

There is a need to block network attacks using the IP spoofing method.

Scenario 2:

User have a scenario where he have multiple print servers on his outside interface that need to print/communicate to printers on his inside interface. He has already setup a 1 to 1 nat for the printers but need to figure out the ACl for it. His thought is to group all his outside print servers together in one object-group and group all his inside printer networks in another object-group and then put all the ports in an another object-group then write the acl as follows

Command used

access-list ALLOW-OUTSIDE-to-INSIDE-PRINTING extended permit object-group PRINTER-PORTS object-group OUTSIDE-PRINT-SERVERS object-group INSIDE-PRINTERS

but all he get is a return option <CR> after providing the first object-group parameter . The code running on the ASA is 8.6. Is this possible? Do he need to upgrade to the latest 9.x code?

Resolution:

Scenario 1:

IP spoofing is a method of attack by sending packets to a target network while hiding the attacker's address using a false source address.Thus, to achieve anti-spoofing using the access list, you need to create deny statements for each communication based on whether a valid sender address is specified.

 

Router(config)# ip access-list extended anti-spoof

 

First, drop the communications from private addresses defined in RFC1918.These addresses cannot be routed on the Internet, so it cannot come from outside as valid communications.


Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any

 

Drop communications from multicast addresses.A multicast address cannot be used as a source address, so such communications are not valid.


Router(config-ext-nacl)# deny ip 224.0.0.0 31.255.255.255 any

 

127.0.0.0/8 is a loopback address defined in RFC3330 and reserved for communications from each terminal to themselves.It cannot be transmitted from outside a terminal.


Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any

 

This is a loopback address reserved by Microsoft Windows.Like 127.0.0.0/8, it is only in communications within the PC.

 

Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any

 

Your company subnet exists within the router, so communication from an outside sender with your company address would be impossible.


Router(config-ext-nacl)# deny ip <your company subnet> <wildcard mask of your company subnet> any

 

So far only deny statements have been defined, which means all communications are dropped by the implicit "deny" of the access list.Therefore, you need to add statements to permit communications that can enter the your company network.If it is clear which Internet communications you want to permit, the following setting is recommended.

 

Router(config-ext-nacl)# permit ip any <your company subnet for which you want to permit access from the Internet> <corresponding wildcard mask>

Router(config-ext-nacl)# deny ip any any<.span>

 

If there is no need for any further restrictions on communications from the Internet, the following setting may be used.

 

Router(config-ext-nacl)# permit ip any any

 

Finally, apply the created access list to the interface for Internet.

 

Router(config)# interface gigabitEthernet0/0

Router(config-if)# ip access-group anti-spoof in

 

Scenario 2:

User need to create the "object-group service" before he try this command. (That is right, even before you press "Enter", when you use "?" to see the command syntax if the name of the service group you used in the line doesn't exist ASA won't show the rest of the command.)

 

 

Related Information

Original Document: Cisco Support Community Japan DOC-12237

Author: Zhao Qin

Posted on July 26, 2010

https://supportforums.cisco.com/docs/DOC-12237

Version history
Revision #:
2 of 2
Last update:
‎08-29-2017 02:45 PM
Updated by:
 
Labels (1)
Contributors