  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 284

Sanity Check - ACL

I have a Cisco 827-4V ADSL router and I want to add an incoming ACL to the ADSL interface that will block attempts to spoof traffic from my network addresses (i.e. so someone outside my network cannot send a packet to a host on my network if the packet claims to be from another host on my network).

My network numbers look kinda like this (the last octet of the Broadcast and also the Netmask are the real numbers):

Netmask: 255.255.255.192
Broadcast: 10.70.41.127

My router occupies 10.70.41.65

Would the correct ACL be --> access-list 123 deny ip 10.70.41.64 0.0.0.63

I want to make sure before I put it in place.
Asked by PsiCop
1 Solution
 
bfarmer commented:
Looks right. Just add the "any" on the end. Also you don't mention if there will be any more to the ACL. Remember there is an implicit deny ip any any in every ACL.

access-list 123 deny ip 10.70.41.64 0.0.0.63 any
access-list 123 permit ip any any
 
dgroscost commented:
You should probably block the other private IP subnets (192, 127, 10, etc.) on the outside interface as well.
 
PsiCop (author) commented:
I don't disagree, but that wasn't my question.
 
PsiCop (author) commented:
bfarmer,

Yes, there will be an "any" at the end of the ACL line. I was checking the syntax of the network specification, and wanted to make sure I had correctly translated the network information into Cisco's notation.

Yes, there is a lot more to the ACL, and plenty of specific "permits" to allow the things I need before the explicit "deny ip any any log" at the end.
 
bfarmer commented:
PsiCop - Ok, just wanted to make sure. Your translation is correct.
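The two things being checked in this thread are the netmask-to-wildcard translation and the effect of the implicit deny at the end of every IOS ACL. The Python below is an added example, not code from the thread or from Cisco: it derives the wildcard mask and network address from the netmask and broadcast given above, emits the same two ACL lines bfarmer posted, and then evaluates sample packets against that ACL the way IOS does (top-down, first match wins, fall through to implicit deny). The sample source and destination addresses are constructed; the `evaluate` helper understands only the `any`, `host` and `addr wildcard` forms of a standard/extended ACL line and is an assumption for illustration, not a full IOS parser.

```python
from __future__ import annotations
import ipaddress

# Values from the thread (the netmask and the last octet of the broadcast are real).
NETMASK = "255.255.255.192"
BROADCAST = "10.70.41.127"
ACL_NUMBER = 123


def wildcard_from_netmask(netmask: str) -> str:
    """A Cisco wildcard mask is the bitwise inverse of the subnet mask."""
    m = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def network_from_broadcast(broadcast: str, netmask: str) -> str:
    """Network address = broadcast address AND subnet mask."""
    b = int(ipaddress.IPv4Address(broadcast))
    m = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(b & m))


def anti_spoof_acl(number: int, broadcast: str, netmask: str) -> list[str]:
    """Build the inbound anti-spoofing ACL discussed in the thread.

    The real ACL would carry specific permits and an explicit
    'deny ip any any log' at the end; the blanket permit here mirrors
    bfarmer's two-line illustration.
    """
    net = network_from_broadcast(broadcast, netmask)
    wc = wildcard_from_netmask(netmask)
    return [
        f"access-list {number} deny ip {net} {wc} any",
        f"access-list {number} permit ip any any",
    ]


def matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens: list[str], i: int) -> tuple[str, str, int]:
    """Parse one address spec ('any', 'host A', or 'A WILDCARD') at tokens[i].

    Assumed helper covering only these three forms; returns (base, wildcard, next index).
    """
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def evaluate(acl: list[str], src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet, first matching line wins.

    If no line matches, the implicit 'deny ip any any' applies.
    """
    for line in acl:
        t = line.split()
        action = t[2]                      # access-list N <action> ip SRC ... DST ...
        sbase, swc, i = _parse_addr(t, 4)
        dbase, dwc, _ = _parse_addr(t, i)
        if matches(src, sbase, swc) and matches(dst, dbase, dwc):
            return action
    return "deny"


if __name__ == "__main__":
    acl = anti_spoof_acl(ACL_NUMBER, BROADCAST, NETMASK)
    print("\n".join(acl))
    # Constructed sample packets arriving inbound on the ADSL interface.
    print(evaluate(acl, "10.70.41.70", "10.70.41.65"))   # spoofed internal source -> deny
    print(evaluate(acl, "203.0.113.5", "10.70.41.65"))   # external source -> permit
    print(evaluate(acl[:1], "203.0.113.5", "10.70.41.65"))  # only the deny line -> implicit deny
```

Running the block prints the two ACL lines followed by the verdicts for the three sample packets; the last one shows why bfarmer raised the implicit deny: with only the deny line in place, every inbound packet is dropped.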
