Sanity Check - ACL

Posted on 2004-07-30
Last Modified: 2010-04-17
I have a Cisco 827-4V ADSL router and I want to add an incoming ACL to the ADSL interface that will block attempts to spoof traffic from my network addresses (i.e. so someone outside my network cannot send a packet to a host on my network if the packet claims to be from another host on my network).

My network numbers look kinda like this (the last octet of the Broadcast and also the Netmask are the real numbers):

Netmask: 255.255.255.192
Broadcast: 10.70.41.127

My router occupies 10.70.41.65

Would the correct ACL be --> access-list 123 deny ip 10.70.41.64 0.0.0.63

I want to make sure before I put it in place.
Question by:PsiCop
LVL 4

Accepted Solution

by:
bfarmer earned 500 total points
ID: 11682529
Looks right.  Just add the "any" on the end.  Also you don't mention if there will be any more to the ACL.  Remember there is an implicit deny ip any any in every ACL.

access-list 123 deny ip 10.70.41.64 0.0.0.63 any
access-list 123 permit ip any any
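As an added check that is not part of the thread (neither PsiCop's nor bfarmer's code), the following Python derives the Cisco network/wildcard pair from the netmask and broadcast given in the question, builds the two ACL lines from the accepted answer, and evaluates which source addresses the anti-spoofing entry would deny. ACL number 123 and all addresses come from the question; the top-down matcher assumes IPv4 source-address matching only, since that is all the posted entries test.

```python
import ipaddress

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def wildcard_from_netmask(netmask: str) -> str:
    """Cisco wildcard masks are the bitwise inverse of the subnet mask."""
    return to_dotted(to_int(netmask) ^ 0xFFFFFFFF)

def network_from_broadcast(broadcast: str, netmask: str) -> str:
    """Network address = broadcast AND netmask (clears the host bits)."""
    return to_dotted(to_int(broadcast) & to_int(netmask))

def anti_spoof_entries(acl: int, broadcast: str, netmask: str) -> list:
    """The two lines from the accepted answer, with the computed network/wildcard."""
    net = network_from_broadcast(broadcast, netmask)
    wc = wildcard_from_netmask(netmask)
    return [
        f"access-list {acl} deny ip {net} {wc} any",
        f"access-list {acl} permit ip any any",
    ]

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco semantics: wildcard bit 1 = don't care, bit 0 = must match."""
    care = to_int(wildcard) ^ 0xFFFFFFFF
    return (to_int(addr) ^ to_int(network)) & care == 0

def source_denied(src: str, entries: list) -> bool:
    """Walk the ACL top-down on the source address; first match wins.
    Falls through to the implicit 'deny ip any any' every Cisco ACL ends with."""
    for line in entries:
        f = line.split()          # access-list N action proto src [src_wc] dst
        action, src_net, src_wc = f[2], f[4], f[5]
        if src_net == "any" or wildcard_match(src, src_net, src_wc):
            return action == "deny"
    return True

if __name__ == "__main__":
    acl = anti_spoof_entries(123, "10.70.41.127", "255.255.255.192")
    print("\n".join(acl))
    # Inside-looking source arriving on the outside interface: denied
    print("10.70.41.65 denied:", source_denied("10.70.41.65", acl))
    # Neighbouring /26 just outside the block: permitted by the second line
    print("10.70.41.128 denied:", source_denied("10.70.41.128", acl))
```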
 
LVL 5

Expert Comment

by:dgroscost
ID: 11682875
You should probably block the other private IP subnets (192, 127, 10, etc.) on the outside interface as well.  
 
LVL 34

Author Comment

by:PsiCop
ID: 11684607
I don't disagree, but that wasn't my Question.
 
LVL 34

Author Comment

by:PsiCop
ID: 11684615
bfarmer,

Yes, there will be an "any" at the end of the ACL line - I was checking the syntax of the network specification, wanted to make sure I had correctly translated the network information into Cisco's notation.

Yes, there is a lot more to the ACL, and plenty of specific "permits" to allow the things I need before explicit "deny ip any any log" at the end.
 
LVL 4

Expert Comment

by:bfarmer
ID: 11684729
PsiCop - Ok, just wanted to make sure.  Your translation is correct.