Sanity Check - ACL

Posted on 2004-07-30
Last Modified: 2010-04-17
I have a Cisco 827-4V ADSL router and I want to add an incoming ACL to the ADSL interface that will block attempts to spoof traffic from my network addresses (i.e. so someone outside my network cannot send a packet to a host on my network if the packet claims to be from another host on my network).

My network numbers look kinda like this (the last octet of the Broadcast and also the Netmask are the real numbers):

Netmask: 255.255.255.192
Broadcast: 10.70.41.127

My router occupies 10.70.41.65

Would the correct ACL be --> access-list 123 deny ip 10.70.41.64 0.0.0.63

I want to make sure before I put it in place.
Question by:PsiCop
 
LVL 4

Accepted Solution

by:
bfarmer earned 125 total points
Looks right.  Just add the "any" on the end.  Also you don't mention if there will be any more to the ACL.  Remember there is an implicit deny ip any any in every ACL.

access-list 123 deny ip 10.70.41.64 0.0.0.63 any
access-list 123 permit ip any any
 
LVL 5

Expert Comment

by:dgroscost
You should probably block the other private IP subnets (192, 127, 10, etc.) on the outside interface as well.  
 
LVL 34

Author Comment

by:PsiCop
I don't disagree, but that wasn't my Question.
 
LVL 34

Author Comment

by:PsiCop
bfarmer,

Yes, there will be an "any" at the end of the ACL line - I was checking the syntax of the network specification, wanted to make sure I had correctly translated the network information into Cisco's notation.

Yes, there is a lot more to the ACL, and plenty of specific "permits" to allow the things I need before explicit "deny ip any any log" at the end.
 
LVL 4

Expert Comment

by:bfarmer
PsiCop - Ok, just wanted to make sure.  Your translation is correct.
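The thread turns on two points: translating a subnet mask into Cisco's wildcard notation (the accepted answer confirms 255.255.255.192 becomes 0.0.0.63 and the network is 10.70.41.64), and the reminder that every ACL ends in an implicit "deny ip any any", so the anti-spoof deny must be followed by the permits the asker needs. The following script is an added example, not code from the thread or from Cisco; it derives the wildcard mask and network address from the question's sample numbers, renders the two lines bfarmer gave, and simulates IOS first-match evaluation (including the implicit deny) against constructed source addresses such as a spoofed internal source and an outside host from the 203.0.113.0/24 documentation range. The Ace class, evaluate(), and build_antispoof_acl() are names chosen for this example.

```python
import ipaddress
from dataclasses import dataclass

# Sample numbers taken from the question. The asker says only the last octet of
# the broadcast and the netmask are real; the rest is illustrative.
NETMASK = "255.255.255.192"
BROADCAST = "10.70.41.127"
ROUTER = "10.70.41.65"


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_from_netmask(netmask: str) -> str:
    """Cisco wildcard mask: the bitwise inverse of the subnet mask."""
    return _str(~_int(netmask))


def network_from_broadcast(broadcast: str, netmask: str) -> str:
    """Network address: the broadcast address ANDed with the subnet mask."""
    return _str(_int(broadcast) & _int(netmask))


def ace_matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard matching: a 1 bit in the wildcard means 'don't care';
    every other bit of addr must equal the corresponding bit of base."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)


@dataclass(frozen=True)
class Ace:
    """One access-control entry of an extended IP ACL (protocol 'ip' only)."""
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def render(self, number: int) -> str:
        """Print the entry in the 'access-list N ...' form used in the thread."""
        def part(base: str, wc: str) -> str:
            return "any" if wc == "255.255.255.255" else f"{base} {wc}"
        return (f"access-list {number} {self.action} ip "
                f"{part(self.src, self.src_wc)} {part(self.dst, self.dst_wc)}")


ANY = ("0.0.0.0", "255.255.255.255")  # 'any' is base 0.0.0.0 with an all-ones wildcard


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; falling off the end is the implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(src, ace.src, ace.src_wc) and ace_matches(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def build_antispoof_acl(netmask: str, broadcast: str):
    """Inbound ACL for the outside interface: drop packets claiming an inside
    source, then (as in the accepted answer) permit everything else."""
    net = network_from_broadcast(broadcast, netmask)
    wc = wildcard_from_netmask(netmask)
    return [Ace("deny", net, wc, *ANY), Ace("permit", *ANY, *ANY)]


if __name__ == "__main__":
    acl = build_antispoof_acl(NETMASK, BROADCAST)
    for ace in acl:
        print(ace.render(123))
    # Constructed test packets arriving on the ADSL interface:
    print(evaluate(acl, "10.70.41.70", ROUTER))    # spoofed inside source -> deny
    print(evaluate(acl, "203.0.113.9", ROUTER))    # legitimate outside source -> permit
    print(evaluate(acl[:1], "203.0.113.9", ROUTER))  # deny line alone -> implicit deny
```

Running it prints the two lines from the accepted answer, then deny, permit, deny: the last result is the implicit-deny trap bfarmer warns about, where an ACL containing only the anti-spoof line would drop all inbound traffic. Addresses such as 10.70.41.63 or 10.70.41.128 fall outside the 0.0.0.63 wildcard range and are not treated as spoofed, which is the quick way to confirm the mask covers exactly the /26 and nothing else.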
