chris

thanks for ur reply

buddy, its a normal acl on the outside interface facing the isp, applied inbound direction , some thing realy strange

thanks

Jamil,

Chris has a point. Without seeing the acl, it's going to be extremely difficult to tell you why traffic stopped. 1918 sets aside private addressing for internal hosts. Private addresses shouldn't be seen on the internet, so adding an ACL to your inbound traffic that denies traffic to these subnets won't do anything. The reason that I say this is because I'm assuming (and a heavy assumption) that you're natting on this interface. If that's the case, you're going to hit your ACL before natting happens, so in order for traffic to stop for those subnets you'd have to block the traffic on your natted address (public non-RFC 1918). You can safely deny traffic from your internal hosts on the outside interface so spoof attacks can't happen.

For example, if your subnet was 172.16.0.0/16, you could safely create:

ip access-list ext NoRFC1918

deny ip 172.16.0.0 0.0.255.255 any

permit ip any any

You could apply the above inbound on your public interface and you should not lose any traffic coming from the DMZ.

In the end, it's going to be very, very difficult to tell you why you lost traffic without seeing some of the config.

HTH,

John

Hi John

thanks john

as always , good answer

look to my topology

CORE-1 ----------------(inside)ASA(public outside)-------------(public inside)R1(private--g0/0 facing ISP router----------ISP-ROUTER

i have applied the below acl

ip access-list extended DDOS

10 deny ip 10.0.0.0 0.255.255.255 any

20 deny ip 172.16.0.0 0.15.255.255 any

30 deny ip 192.168.0.0 0.0.255.255 any

40 deny ip

50 permit ip any any

R1

int g0/0 (interface facing isp router)

ip access-group DDOS in

asa perform nat for inside

thanks

Jamil,

Your line 40 in your ACL should be removed, since you're nullifying your line 50.  ACL's are executed top-down.

Everything else looks ok.

-Chris

Hi Chris

line 40 to deny any packets has a source address belong to my public ip address

thanks

jamil

Jamil,

I'm a little confused, so I'm going to ask a couple of questions. Are the devices that you want to protect in the CORE-1 or are they off of the ASA in a DMZ? The ASA has a public address and the "inside" interface on your router is also publically addressed? Is the ISP router in your building or is this a circuit that goes to them? I'm confused as to how you have a privately addressed, ISP-facing interface. I'm assuming that you're natting on your ASA to a public address, but is the ISP router privately addressed on their inside interface and then it nats again to their public address?

HTH,

John

Hi John

actualy i m tring to protect my network against DDOS and DOS and spoofing attack

these servers connected to dmzX (192.x.x.x) and dmzY(172.y.y.y) of the asa

1)The ASA has a public address and the "inside" interface on your router is also publically addressed......YES    

2)Is the ISP router in your building or is this a circuit that goes to them, R1 has circuit to ISP at the far end

3) i m natting on asa

4)i have private address with ISP-1  , since we have have PI address with Public AS and we advertise to two isp  .but here for simplicity i have mentioned 1 isp

thanks

jamil

Your graph indicates you have a private address between you and the ISP? Is your acl locking traffic between you and the ISP?

Sent from Cisco Technical Support iPad App