Anti-spoofing ACL

Posted on 2004-11-30
Medium Priority
Last Modified: 2008-01-09
I have an ethernet interface in a Cisco 7206 that I need a simple anti-spoofing ACL for.  There are 2 subnets bound to the interface - as an example
111.222.333.0/24   and   444.555.666.0/25
if I use access-list 10 permit 111.222.333.0
            access-list 10 permit 444.555.666.0
and apply it to the interface out, I get unexpected results. Can someone show me what the outbound ACL for anti-spoofing should look like?

Question by:jackthetripper

Accepted Solution

grblades earned 128 total points
ID: 12706949
Hi jackthetripper,
One of your masks is incorrect. I would also use an extended access-list :-

access-list 100 permit ip 111.222.333.0 any
access-list 100 permit ip 444.555.666.0 any
I would apply this to the inbound direction of the interface.
This will stop machines on this interface from being able to spoof IP addresses.

Assisted Solution

rshooper76 earned 124 total points
ID: 12707015
Here is my anti-spoofing access-list.  This is applied on the inbound direction on my outside interface.  Keep in mind this is only the anti-spoofing portion of my acl.

access-list 120 deny   ip any - specifically deny my local subnet
access-list 120 deny   ip any
access-list 120 deny   ip any
access-list 120 deny   ip any
access-list 120 deny   ip any
access-list 120 deny   ip host any
access-list 120 deny   ip host any
access-list 120 deny   ip any any log-input

Expert Comment

ID: 12707136
rshooper76's answer is taking the anti spoofing from the other perspective of blocking users on the Internet from spoofing your IP range when connecting to you. My example stopped your machines from being able to spoof other machines on the internet.
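As an added example that is not part of the thread, the following Python model evaluates source matching the way a Cisco access-list does (first match wins, implicit deny at the end). It shows why the mask-less lines in the question match only one host each, while lines carrying the wildcard masks for a /24 and a /25 permit the whole subnets, which is the form the accepted answer applies inbound on the LAN interface. The RFC 5737 addresses and both ACLs are constructed for the illustration.

```python
# Added example (not from the thread): a small model of how IOS evaluates an
# access-list, used to show why the asker's mask-less lines misbehave and what
# the corrected lines look like once wildcard masks are present.
# Addresses such as 111.222.333.0 in the thread are placeholders, so the
# constructed sample below uses RFC 5737 documentation ranges instead.
import ipaddress

def wildcard_for_prefix(prefix_len: int) -> str:
    """Cisco wildcard mask for a prefix length: the bitwise inverse of the netmask."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))

def entry_matches(src: str, wildcard: str, pkt_src: str) -> bool:
    """A source matches when every bit that is 0 in the wildcard agrees."""
    s, w, p = (int(ipaddress.IPv4Address(x)) for x in (src, wildcard, pkt_src))
    return (s & ~w & 0xFFFFFFFF) == (p & ~w & 0xFFFFFFFF)

def evaluate_acl(acl: list, pkt_src: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, src, wildcard in acl:
        if entry_matches(src, wildcard, pkt_src):
            return action
    return "deny"

# Entries as (action, source, wildcard). A line written without a wildcard,
# as in the question, is equivalent to wildcard 0.0.0.0, i.e. a single host.
ASKER_ACL = [("permit", "192.0.2.0", "0.0.0.0"),
             ("permit", "198.51.100.0", "0.0.0.0")]
# Corrected: a /24 needs 0.0.0.255 and a /25 needs 0.0.0.127.
FIXED_ACL = [("permit", "192.0.2.0", wildcard_for_prefix(24)),
             ("permit", "198.51.100.0", wildcard_for_prefix(25))]

def compare(pkt_src: str) -> tuple:
    """Returns (asker_result, fixed_result) for one source address."""
    return evaluate_acl(ASKER_ACL, pkt_src), evaluate_acl(FIXED_ACL, pkt_src)

if __name__ == "__main__":
    # Two legitimate hosts, one host outside the /25, one outside both subnets.
    for host in ("192.0.2.10", "198.51.100.100", "198.51.100.200", "203.0.113.7"):
        print(host, compare(host))
```

With the corrected list, a packet whose source lies outside both subnets is dropped by the implicit deny, which is the egress anti-spoofing the accepted answer describes.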

Assisted Solution

lrmoore earned 124 total points
ID: 12707168
Personal opinion only, but I like to keep things simple. It is easier for me to permit only what I want, and let the implied deny all take care of the rest. Example of acl that I use, applied "in" to the external interface:

ip access-list extended outside_in
  permit tcp any any established  <== prevents spoofing
  permit udp any eq domain any  <== need this always
  permit icmp any any echo-reply  <== optional
  permit icmp any any unreachable <== optional, but highly suggested
  permit icmp any any time-exceeded <== optional if you want to use traceroute
  deny ip any any log  <== be sure to get a good syslog server

The "log" keyword allows me to examine my syslog entries for recon attempts and other unwanted traffic. Without specifying the private IP ranges or anything else, they are automatically blocked. Keeping in mind that every line of an acl must be processed until a match is found, and every line of an acl is a potential performance hit, I like to keep it as simple as possible.

Assisted Solution

plemieux72 earned 124 total points
ID: 12711444
I use Unicast Reverse Path Forwarding (uRPF) for anti-spoofing most of the time instead of an access-list.  Although it usually works, I've had problems a few times.  However, it's easy to do... just apply one command to the interface.

interface dialer1
 ip verify unicast source reachable-via rx allow-default

See http://www.cisco.com/univercd/cc/td/doc/product/software/ios111/cc111/uni_rpf.htm
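An added example, not from the thread, modelling the strict (reachable-via rx) reverse-path check behind the command above. The two-route table, with the inside LAN on ethernet0 and a default route via dialer1, is an assumption constructed for the illustration.

```python
# Added example (not from the thread): a model of strict uRPF as enabled by
# "ip verify unicast source reachable-via rx allow-default". The routing
# table, interface names and prefixes below are constructed assumptions.
import ipaddress

# Constructed FIB as (prefix, outgoing interface): the inside LAN is reached
# via ethernet0, everything else via the default route out dialer1.
ROUTES = [("192.0.2.0/24", "ethernet0"),
          ("0.0.0.0/0", "dialer1")]

def lookup(addr: str):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.IPv4Address(addr)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_strict(pkt_src: str, ingress: str, allow_default: bool) -> bool:
    """True if the packet passes the strict (rx) reverse-path check."""
    route = lookup(pkt_src)
    if route is None:
        return False                      # no return path at all: drop
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False                      # default route does not count as a path
    return iface == ingress               # must arrive on the return interface

if __name__ == "__main__":
    print(urpf_strict("203.0.113.7", "dialer1", True))   # genuine Internet source
    print(urpf_strict("203.0.113.7", "dialer1", False))  # dropped without allow-default
    print(urpf_strict("192.0.2.10", "dialer1", True))    # inside address arriving from outside
```

On a WAN interface that only holds a default route, the allow-default keyword is what lets ordinary Internet sources pass, while a packet arriving on dialer1 that claims an inside source still fails because its return path is ethernet0.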

Expert Comment

ID: 12717645
A related question for lrmoore.  I used to do my access-lists like you described, but I was told, by a Cisco tech, that explicitly blocking the non-routables was better.  I would rather set up what you described to prevent any performance issues.  What about the ip verify unicast reverse-path, is that a good anti-spoofing option?  I guess what I am saying is I would like to get more details on the proper way to do this.  If I need to create a new post for this I will, but I figure jackthetripper can use it as much as I can.

Expert Comment

ID: 12718140
>I was told, by a Cisco tech,
Personal opinion, it's only because that's what the Cisco books teach.
Why would I need to explicitly deny that traffic when it is already implicitly denied?
My router configs always fail miserably using the RAT tool to "audit" the configs, because the RAT tool is built around NSA's Cisco router guidelines that were written years ago and held up as "the bible". Phooey..

Router Audit Tool (RAT):

NSA Guidelines:

I know that my access-list is as good as any. I see in my logs all the time where I've blocked DHCP broadcasts and all types of recon attempts, as well as some internal IP addresses. I do not explicitly deny any of the "recommended" traffic, because I simply don't explicitly PERMIT it.
There is a rule in designing Govt' networks/firewalls that states that all access is "deny by default, permit by exception" in both directions, which is exactly what I do.