Just filter your internal net on the external interface inbound:
! anti-spoofing rules for reserved ranges
access-list 101 deny ip 1.0.0.0 0.255.255.255 any log
access-list 101 deny ip 2.0.0.0 0.255.255.255 any log
access-list 101 deny ip 5.0.0.0 0.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
access-list 101 deny ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
! Anti spoofing rules for internal IPs
access-list 101 deny ip 203.203.203.0 0.0.0.255 any log
! Deny ICMP redirects
access-list 105 deny icmp any any redirect
<lots more rules>
access-list 101 deny ip any any
ip access-group 101 in
JP
-----Original Message-----
From: Saint James [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 03, 2001 8:25 AM
To: [EMAIL PROTECTED]
Subject: ACL for anti-spoof
Can someone give me the syntax for cisco ACLs to stop
spoofing? Cisco mentions this:
access-list number deny icmp any any redirect
access-list number deny ip 127.0.0.0 0.255.255.255 any
access-list number deny ip 224.0.0.0 31.255.255.255 any
access-list number deny ip host 0.0.0.0 any
But what I am seeking to do is not allow someone
on the outside to spoof one of my inside IPs from
the internet. I have a number of class C's on "my
side" of the router. I assume the above ACL just denies
icmp redirects and private address spaces; would I
also use that list?
James
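
An added example, not part of the original thread: with several internal class C networks, the "anti spoofing rules for internal IPs" section of the reply needs one deny entry per prefix, each with a wildcard (inverse) mask. The sketch below builds those entries and checks a source address against them. The network list is constructed sample data; ACL number 101 and the entry format follow the reply above. Contiguous networks are merged into a single entry only where the merged prefix is covered exactly by the listed networks.

```python
import ipaddress

# Constructed sample: internal "class C" networks behind the router (placeholders).
INTERNAL_NETS = ["203.203.200.0/24", "203.203.201.0/24", "203.203.202.0/24",
                 "203.203.203.0/24", "198.51.100.0/24"]

def antispoof_entries(prefixes, acl=101):
    """Return one 'deny ip <net> <wildcard> any log' line per aggregated prefix."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes)
    lines = []
    for net in nets:
        # IOS extended ACLs take a wildcard mask: the bitwise inverse of the netmask.
        lines.append(f"access-list {acl} deny ip {net.network_address} "
                     f"{net.hostmask} any log")
    return lines

def wildcard_match(src, base, wildcard):
    """True if src matches base under an IOS wildcard mask (1 bits are ignored)."""
    s, b, w = (int(ipaddress.IPv4Address(x)) for x in (src, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (s & care) == (b & care)

def denied_by(src, entries):
    """Return the first generated entry that drops this source address, else None."""
    for line in entries:
        # Fields: access-list <n> deny ip <base> <wildcard> any log
        parts = line.split()
        if wildcard_match(src, parts[4], parts[5]):
            return line
    return None

if __name__ == "__main__":
    entries = antispoof_entries(INTERNAL_NETS)
    print("\n".join(entries))
    for src in ("203.203.202.77", "192.0.2.10"):
        print(src, "->", denied_by(src, entries) or "no anti-spoof match")
```

The generated lines belong in the same inbound list on the external interface, ahead of any permit entries, since the first matching entry decides.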
