06-07-2012 10:52 PM - edited 03-04-2019 04:36 PM
Hi experts,
I have servers in the DMZ starting with 172.x.x.x and servers inside starting with 192.168.x.x. I have tried to implement RFC 1918 on my border router connected to the ISP; I applied the ACL (IN direction) on the inside interface, then all the above subnets stopped working.
Thanks,
Jamil
06-07-2012 11:02 PM
Jamil,
Do you have a configuration snippet? Perhaps it's the ACL, perhaps it's something to do with the address/mask you're using.
I can't really help without more info.
-Chris
06-08-2012 08:48 AM
Chris,
Thanks for your reply.
Buddy, it's a normal ACL on the outside interface facing the ISP, applied in the inbound direction. Something really strange.
Thanks
06-08-2012 09:07 AM
Jamil,
Chris has a point. Without seeing the acl, it's going to be extremely difficult to tell you why traffic stopped. 1918 sets aside private addressing for internal hosts. Private addresses shouldn't be seen on the internet, so adding an ACL to your inbound traffic that denies traffic to these subnets won't do anything. The reason that I say this is because I'm assuming (and a heavy assumption) that you're natting on this interface. If that's the case, you're going to hit your ACL before natting happens, so in order for traffic to stop for those subnets you'd have to block the traffic on your natted address (public non-RFC 1918). You can safely deny traffic from your internal hosts on the outside interface so spoof attacks can't happen.
For example, if your subnet was 172.16.0.0/16, you could safely create:
ip access-list ext NoRFC1918
deny ip 172.16.0.0 0.0.255.255 any
permit ip any any
You could apply the above inbound on your public interface and you should not lose any traffic coming from the DMZ.
In the end, it's going to be very, very difficult to tell you why you lost traffic without seeing some of the config.
HTH,
John
06-08-2012 10:33 AM
Hi John,
Thanks John.
As always, a good answer.
Look at my topology:
CORE-1 ----------------(inside)ASA(public outside)-------------(public inside)R1(private--g0/0 facing ISP router----------ISP-ROUTER
I have applied the below ACL:
ip access-list extended DDOS
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 172.16.0.0 0.15.255.255 any
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip
50 permit ip any any
R1
int g0/0 (interface facing isp router)
ip access-group DDOS in
The ASA performs NAT for inside.
Thanks
06-08-2012 10:38 AM
Jamil,
Your line 40 in your ACL should be removed, since you're nullifying your line 50. ACLs are executed top-down.
Everything else looks ok.
-Chris
06-08-2012 12:41 PM
Hi Chris,
Line 40 is to deny any packets that have a source address belonging to my public IP address.
Thanks,
Jamil
06-08-2012 10:44 AM
Jamil,
I'm a little confused, so I'm going to ask a couple of questions. Are the devices that you want to protect in the CORE-1 or are they off of the ASA in a DMZ? The ASA has a public address and the "inside" interface on your router is also publicly addressed? Is the ISP router in your building or is this a circuit that goes to them? I'm confused as to how you have a privately addressed, ISP-facing interface. I'm assuming that you're natting on your ASA to a public address, but is the ISP router privately addressed on their inside interface and then it nats again to their public address?
HTH,
John
06-08-2012 12:48 PM
Hi John,
Actually I'm trying to protect my network against DDoS, DoS and spoofing attacks.
These servers are connected to dmzX (192.x.x.x) and dmzY (172.y.y.y) of the ASA.
1) The ASA has a public address and the "inside" interface on your router is also publicly addressed...... YES
2) Is the ISP router in your building or is this a circuit that goes to them? R1 has a circuit to the ISP at the far end.
3) I'm natting on the ASA.
4) I have a private address with ISP-1, since we have PI address space with a public AS and we advertise to two ISPs, but here for simplicity I have mentioned one ISP.
Thanks,
Jamil
06-09-2012 07:53 AM
Your graph indicates you have a private address between you and the ISP? Is your ACL blocking traffic between you and the ISP?
Sent from Cisco Technical Support iPad App
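As an added example (not posted by anyone in this thread), here is a small Python evaluator for the extended ACL Jamil posted, walked top-down the way Chris describes, so each constructed packet can be traced to the line that permits or denies it. Line 40 is left out because its network is not shown in the thread, and the link addresses 172.31.255.1/.2 are an assumption standing in for the "private address with ISP-1" that Jamil mentions.

```python
import ipaddress
# Jamil's ACL as posted in the thread, minus line 40 (its network is not shown).
ACL_TEXT = """
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 172.16.0.0 0.15.255.255 any
30 deny ip 192.168.0.0 0.0.255.255 any
50 permit ip any any
"""

def _take_match(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (net, wildcard), rest."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    # IOS wildcard mask: a 1 bit means "don't care" (the inverse of a subnet mask).
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]

def parse_acl(text):
    """Parse '<seq> <permit|deny> ip <src> <dst>' lines into an ordered list of ACEs."""
    acl = []
    for line in text.strip().splitlines():
        tokens = line.split()
        src, rest = _take_match(tokens[3:])
        dst, _ = _take_match(rest)
        acl.append({"seq": int(tokens[0]), "action": tokens[1], "src": src, "dst": dst})
    return acl

def _matches(entry, addr):
    net, wildcard = entry
    # Bits set in the wildcard are ignored; every other bit must be equal.
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (net | wildcard)

def evaluate(acl, src, dst):
    """Top-down, first match wins; falling off the end is the implicit deny (seq None)."""
    for ace in acl:
        if _matches(ace["src"], src) and _matches(ace["dst"], dst):
            return ace["action"], ace["seq"]
    return "deny", None

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed packets arriving inbound on g0/0: an ordinary internet client, a
    # spoofed private source, and (assumed addressing) the ISP router's own link
    # address if the R1-ISP link is numbered from 172.16.0.0/12.
    for src, dst in [("203.0.113.10", "198.51.100.5"),
                     ("192.168.1.7", "198.51.100.5"),
                     ("172.31.255.1", "172.31.255.2")]:
        print(src, "->", dst, evaluate(acl, src, dst))
```

The third packet is the case behind the last reply: if the R1-ISP link itself is numbered from an RFC 1918 block, the anti-spoofing entry also drops the neighbouring ISP router's own packets, not just spoofed ones from the internet.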