Solved

Sanity Check - ACL

Posted on 2004-07-30
5
272 Views
Last Modified: 2010-04-17
I have a Cisco 827-4V ADSL router and I want to add an incoming ACL to the ADSL interface that will block attempts to spoof traffic from my network addresses (i.e. so someone outside my network cannot send a packet to a host on my network if the packet claims to be from another host on my network).

My network numbers look kinda like this (the last octet of the Broadcast and also the Netmask are the real numbers):

Netmask: 255.255.255.192
Broadcast: 10.70.41.127

My router occupies 10.70.41.65

Would the correct ACL be --> access-list 123 deny ip 10.70.41.64 0.0.0.63

I want to make sure before I put it in place.
0
Comment
Question by:PsiCop
  • 2
  • 2
5 Comments
 
LVL 4

Accepted Solution

by:
bfarmer earned 125 total points
ID: 11682529
Looks right.  Just add the "any" on the end.  Also you don't mention if there will be any more to the ACL.  Remember there is an implicit deny ip any any in every ACL.

access-list 123 deny ip 10.70.41.64 0.0.0.63 any
access-list 123 permit ip any any
0
 
LVL 5

Expert Comment

by:dgroscost
ID: 11682875
You should probably block the other private IP subnets (192, 127, 10, etc.) on the outside interface as well.  
0
 
LVL 34

Author Comment

by:PsiCop
ID: 11684607
I don't disagree, but that wasn't my Question.
0
 
LVL 34

Author Comment

by:PsiCop
ID: 11684615
bfarmer,

Yes, there will be an "any" at the end of the ACL line - I was checking the syntax of the network specification, wanted to make sure I had correctly translated the network information into Cisco's notation.

Yes, there is a lot more to the ACL, and plenty of specific "permits" to allow the things I need before explicit "deny ip any any log" at the end.
0
 
LVL 4

Expert Comment

by:bfarmer
ID: 11684729
PsiCop - Ok, just wanted to make sure.  Your translation is correct.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
DNS on-premise and on-cloud 15 124
VOIP: SIP vs. proprietary Broadview Networks Silnet ?? 12 122
VirtualBOX on GNS3 11 118
BGP Code 12 47
We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question