Solved

Sanity Check - ACL

Posted on 2004-07-30
5
275 Views
Last Modified: 2010-04-17
I have a Cisco 827-4V ADSL router and I want to add an incoming ACL to the ADSL interface that will block attempts to spoof traffic from my network addresses (i.e. so someone outside my network cannot send a packet to a host on my network if the packet claims to be from another host on my network).

My network numbers look kinda like this (the last octet of the Broadcast and also the Netmask are the real numbers):

Netmask: 255.255.255.192
Broadcast: 10.70.41.127

My router occupies 10.70.41.65

Would the correct ACL be --> access-list 123 deny ip 10.70.41.64 0.0.0.63

I want to make sure before I put it in place.
0
Comment
Question by:PsiCop
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 4

Accepted Solution

by:
bfarmer earned 125 total points
ID: 11682529
Looks right.  Just add the "any" on the end.  Also you don't mention if there will be any more to the ACL.  Remember there is an implicit deny ip any any in every ACL.

access-list 123 deny ip 10.70.41.64 0.0.0.63 any
access-list 123 permit ip any any
0
 
LVL 5

Expert Comment

by:dgroscost
ID: 11682875
You should probably block the other private IP subnets (192, 127, 10, etc.) on the outside interface as well.  
0
 
LVL 34

Author Comment

by:PsiCop
ID: 11684607
I don't disagree, but that wasn't my Question.
0
 
LVL 34

Author Comment

by:PsiCop
ID: 11684615
bfarmer,

Yes, there will be an "any" at the end of the ACL line - I was checking the syntax of the network specification, wanted to make sure I had correctly translated the network information into Cisco's notation.

Yes, there is a lot more to the ACL, and plenty of specific "permits" to allow the things I need before explicit "deny ip any any log" at the end.
0
 
LVL 4

Expert Comment

by:bfarmer
ID: 11684729
PsiCop - Ok, just wanted to make sure.  Your translation is correct.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

742 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question