I have servers in the DMZ starting with 172.x.x.x and servers inside starting with 192.168.x.x. I have tried to implement RFC1918 on my border router connected to the ISP. I applied the ACL (IN direction) on the inside interface, and then all the above subnets stopped working.
Do you have a configuration snippet? Perhaps it's the ACL, perhaps it's something to do with the address/mask you're using.
I can't really help without more info.
Chris has a point. Without seeing the ACL, it's going to be extremely difficult to tell you why traffic stopped. RFC 1918 sets aside private addressing for internal hosts. Private addresses shouldn't be seen on the internet, so adding an ACL to your inbound traffic that denies traffic to these subnets won't do anything. The reason I say this is that I'm assuming (and it's a heavy assumption) that you're natting on this interface. If that's the case, you're going to hit your ACL before natting happens, so in order for traffic to stop for those subnets you'd have to block the traffic on your natted address (public, non-RFC 1918). You can safely deny traffic from your internal hosts on the outside interface so spoof attacks can't happen.
For example, if your subnet was 172.16.0.0/16, you could safely create:
ip access-list ext NoRFC1918
deny ip 172.16.0.0 0.0.255.255 any
permit ip any any
You could apply the above inbound on your public interface and you should not lose any traffic coming from the DMZ.
In the end, it's going to be very, very difficult to tell you why you lost traffic without seeing some of the config.
As always, good answer.
Look at my topology:
CORE-1 ----------------(inside)ASA(public outside)-------------(public inside)R1(private--g0/0 facing ISP router----------ISP-ROUTER
I have applied the ACL below:
ip access-list extended DDOS
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 172.16.0.0 0.15.255.255 any
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip
50 permit ip any any
int g0/0 (interface facing isp router)
ip access-group DDOS in
The ASA performs NAT for inside.
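As an added example (not code from this thread, and not Cisco's), here is a small Python model that parses the DDOS ACL posted above (the incomplete entry 40 is left out) and evaluates it at the two attachment points discussed in the earlier reply: inbound on the inside interface, where a DMZ packet still carries its private source, and inbound on the public interface, where return traffic has already been NATted. The public addresses 198.51.100.7 and 203.0.113.10 are constructed documentation-range values, not addresses from the thread; the same parser also serves the NoRFC1918 example in the earlier reply.

```python
import ipaddress

# Constructed sample: the DDOS ACL as posted in the thread, minus the incomplete entry 40.
DDOS_ACL = """\
ip access-list extended DDOS
 10 deny ip 10.0.0.0 0.255.255.255 any
 20 deny ip 172.16.0.0 0.15.255.255 any
 30 deny ip 192.168.0.0 0.0.255.255 any
 50 permit ip any any
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco address/wildcard pair (e.g. 172.16.0.0 0.15.255.255) into a network."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    prefix = bin(mask).count("1")
    # Only contiguous masks are modelled; IOS accepts discontiguous wildcards, this toy does not.
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _parse_match(tokens):
    """Consume one source/destination spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str):
    """Parse extended ACL lines of the form '[seq] action proto src dst' into tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[:2] == ["ip", "access-list"]:
            continue  # blank line or the ACL header
        if tokens[0].isdigit():
            tokens = tokens[1:]  # drop the sequence number
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _parse_match(rest)
        dst, rest = _parse_match(rest)
        entries.append((action, proto, src, dst))
    return entries


def evaluate(entries, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation of a plain IP packet; unmatched packets hit the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, proto, src_net, dst_net in entries:
        if proto == "ip" and src in src_net and dst in dst_net:
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


def placement_outcomes(entries):
    """Run the same ACL against representative packets at the two candidate attachment points."""
    return {
        # inside interface, inbound: the DMZ packet still has its private source (pre-NAT)
        "inside-in, DMZ server to internet (pre-NAT)":
            evaluate(entries, "172.16.10.5", "198.51.100.7"),
        # public interface, inbound: the reply is addressed to the public NAT address
        "public-in, internet reply to NAT address":
            evaluate(entries, "198.51.100.7", "203.0.113.10"),
        # public interface, inbound: a packet from the internet with a spoofed private source
        "public-in, spoofed RFC1918 source from internet":
            evaluate(entries, "192.168.1.1", "203.0.113.10"),
    }


if __name__ == "__main__":
    for description, result in placement_outcomes(parse_acl(DDOS_ACL)).items():
        print(f"{result:6s}  {description}")
```

The first flow is the one that broke the OP's DMZ: on the inside interface the ACL sees 172.16.x.x before NAT and drops it. The same entries applied inbound on the public interface only ever see post-NAT traffic, so legitimate replies pass and only packets with a spoofed private source are dropped.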
I'm a little confused, so I'm going to ask a couple of questions. Are the devices that you want to protect in CORE-1, or are they off the ASA in a DMZ? The ASA has a public address and the "inside" interface on your router is also publicly addressed? Is the ISP router in your building, or is this a circuit that goes to them? I'm confused as to how you have a privately addressed, ISP-facing interface. I'm assuming that you're natting on your ASA to a public address, but is the ISP router privately addressed on their inside interface and then NATs again to their public address?
Actually, I'm trying to protect my network against DDoS, DoS and spoofing attacks.
These servers are connected to dmzX (192.x.x.x) and dmzY (172.y.y.y) of the ASA.
1) The ASA has a public address and the "inside" interface on your router is also publicly addressed...... YES
2) Is the ISP router in your building or is this a circuit that goes to them? R1 has a circuit to the ISP at the far end.
3) I'm natting on the ASA.
4) I have a private address with ISP-1, since we have PI address space with a public AS and we advertise to two ISPs, but here for simplicity I have mentioned one ISP.
Your graph indicates you have a private address between you and the ISP? Is your ACL blocking traffic between you and the ISP?