Cisco Support Community

New Member

rfc1918-?

Hi experts,

I have servers in the DMZ starting with 172.x.x.x and servers on the inside starting with 192.168.x.x. I have tried to implement RFC1918 on my border router connected to the ISP. I applied the ACL (in direction) on the inside interface, then all the above subnets stopped working.

thanks

jamil

9 REPLIES
Bronze

rfc1918-?

Jamil,

Do you have a configuration snippet?  Perhaps it's the ACL, perhaps it's something to do with the address/mask you're using.

I can't really help without more info.

-Chris

New Member

rfc1918-?

Chris,

Thanks for your reply.

Buddy, it's a normal ACL on the outside interface facing the ISP, applied in the inbound direction. Something really strange.

thanks

rfc1918-?

Jamil,

Chris has a point. Without seeing the acl, it's going to be extremely difficult to tell you why traffic stopped. 1918 sets aside private addressing for internal hosts. Private addresses shouldn't be seen on the internet, so adding an ACL to your inbound traffic that denies traffic to these subnets won't do anything. The reason that I say this is because I'm assuming (and a heavy assumption) that you're natting on this interface. If that's the case, you're going to hit your ACL before natting happens, so in order for traffic to stop for those subnets you'd have to block the traffic on your natted address (public non-RFC 1918). You can safely deny traffic from your internal hosts on the outside interface so spoof attacks can't happen.

For example, if your subnet was 172.16.0.0/16, you could safely create:

ip access-list ext NoRFC1918
 deny ip 172.16.0.0 0.0.255.255 any
 permit ip any any

You could apply the above inbound on your public interface and you should not lose any traffic coming from the DMZ.

In the end, it's going to be very, very difficult to tell you why you lost traffic without seeing some of the config.

HTH,

John

New Member

rfc1918-?

Hi John,

Thanks John, as always, good answer.

Look at my topology:

CORE-1 ----------------(inside)ASA(public outside)-------------(public inside)R1(private--g0/0 facing ISP router----------ISP-ROUTER

I have applied the below ACL:

ip access-list extended DDOS
 10 deny ip 10.0.0.0 0.255.255.255 any
 20 deny ip 172.16.0.0 0.15.255.255 any
 30 deny ip 192.168.0.0 0.0.255.255 any
 40 deny ip
 50 permit ip any any

R1

int g0/0 (interface facing isp router)
 ip access-group DDOS in

The ASA performs NAT for the inside.

thanks

Bronze

rfc1918-?

Jamil,

Your line 40 in your ACL should be removed, since you're nullifying your line 50. ACLs are executed top-down.

Everything else looks ok.

-Chris

New Member

rfc1918-?

Hi Chris,

Line 40 is to deny any packets that have a source address belonging to my public IP address.

thanks

jamil

rfc1918-?

Jamil,

I'm a little confused, so I'm going to ask a couple of questions. Are the devices that you want to protect in the CORE-1 or are they off of the ASA in a DMZ? The ASA has a public address and the "inside" interface on your router is also publicly addressed? Is the ISP router in your building or is this a circuit that goes to them? I'm confused as to how you have a privately addressed, ISP-facing interface. I'm assuming that you're natting on your ASA to a public address, but is the ISP router privately addressed on their inside interface and then it nats again to their public address?

HTH,

John

New Member

rfc1918-?

Hi John,

Actually I'm trying to protect my network against DDoS, DoS and spoofing attacks.

These servers are connected to dmzX (192.x.x.x) and dmzY (172.y.y.y) of the ASA.

1) The ASA has a public address and the "inside" interface on your router is also publicly addressed: YES

2) Is the ISP router in your building or is this a circuit that goes to them: R1 has a circuit to the ISP at the far end

3) I'm natting on the ASA

4) I have a private address with ISP-1, since we have a PI address with a public AS and we advertise to two ISPs. But here, for simplicity, I have mentioned 1 ISP.

thanks

jamil

Re: rfc1918-?

Your graph indicates you have a private address between you and the ISP? Is your acl locking traffic between you and the ISP?

Sent from Cisco Technical Support iPad App
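
An added example (not part of any post in this thread, and not Cisco code) that evaluates entries 10-30 and 50 of the DDOS ACL posted above with first-match, wildcard-mask semantics over constructed source addresses arriving inbound on g0/0. Entry 40 is left out because it is incomplete in the post, and 10.255.0.1 is an assumed address standing in for the ISP side of a privately addressed link.

```python
import ipaddress

# Entries 10-30 and 50 of the DDOS ACL as posted in the thread.
# Entry 40 is incomplete on the page and is deliberately omitted.
DDOS_ACL = [
    (10, "deny", "10.0.0.0", "0.255.255.255"),
    (20, "deny", "172.16.0.0", "0.15.255.255"),
    (30, "deny", "192.168.0.0", "0.0.255.255"),
    (50, "permit", "0.0.0.0", "255.255.255.255"),  # "any"
]


def wildcard_match(src, base, wildcard):
    """Wildcard mask: a 0 bit must match the base, a 1 bit is ignored."""
    s, b, w = (int(ipaddress.IPv4Address(x)) for x in (src, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (s & care) == (b & care)


def evaluate(acl, src):
    """Top-down, first match wins. Returns (sequence, action).

    An ACL with no matching entry ends in the implicit deny: (None, "deny").
    """
    for seq, action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return seq, action
    return None, "deny"


# Constructed sample source addresses (not taken from the thread).
SAMPLES = {
    "10.255.0.1": "ISP-side neighbor on a privately addressed link (assumed)",
    "172.31.9.9": "spoofed source at the top of 172.16.0.0/12",
    "172.32.0.1": "public source just outside 172.16.0.0/12",
    "192.168.1.20": "spoofed source from the inside range",
    "198.51.100.7": "ordinary Internet host (documentation range)",
}


def report(acl=DDOS_ACL, samples=SAMPLES):
    """Map each sample source to the (sequence, action) that decides it."""
    return {src: evaluate(acl, src) for src in samples}


if __name__ == "__main__":
    for src, (seq, action) in report().items():
        print(f"{src:15} -> {action:6} (entry {seq})  {SAMPLES[src]}")
```

The first row is the case raised in the last reply: anything the ISP-side device sources from its private link address, such as routing protocol packets, is dropped by entry 10 before the permit is reached.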
