This document describes the procedure for implementing anti-spoofing with an access list, in order to block network attacks that rely on IP spoofing.
The user has a scenario where he has multiple print servers on his outside interface that need to print/communicate to printers on his inside interface. He has already set up a 1-to-1 NAT for the printers but needs to figure out the ACL for it. His thought is to group all his outside print servers together in one object-group, group all his inside printer networks in another object-group, and then put all the ports in another object-group, then write the ACL as follows
but all he gets is a return option <CR> after providing the first object-group parameter. The code running on the ASA is 8.6. Is this possible? Does he need to upgrade to the latest 9.x code?
IP spoofing is a method of attack in which an attacker sends packets to a target network with a forged source address, hiding the attacker's real address. To achieve anti-spoofing with an access list, you create deny statements that drop packets whose source address could not legitimately arrive on the interface, then permit the remaining traffic.
Router(config)# ip access-list extended anti-spoof
First, drop traffic from the private address ranges defined in RFC 1918. These addresses are not routed on the Internet, so a packet arriving from outside with such a source address cannot be legitimate.
Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
Drop traffic from multicast addresses (224.0.0.0/4). A multicast address can only be a destination, never a source, so such packets are not valid.
Router(config-ext-nacl)# deny ip 224.0.0.0 15.255.255.255 any
127.0.0.0/8 is the loopback range defined in RFC 3330, reserved for a host's communication with itself. Such packets never leave the host, so they cannot arrive from outside.
Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any
169.254.0.0/16 is the link-local range (RFC 3927), which a host assigns to itself when no DHCP server answers (Windows calls this APIPA). It is valid only on the local link and is never routed, so, like 127.0.0.0/8, it cannot arrive from the Internet.
Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any
Your company's subnet sits behind the router, so a packet arriving from the Internet with a source address in your company's subnet must be spoofed.
Router(config-ext-nacl)# deny ip <your company subnet> <wildcard mask of your company subnet> any
So far only deny statements have been defined, so the implicit deny at the end of the access list would drop all remaining traffic. You therefore need to add statements permitting the traffic that may enter your company network. If it is clear which Internet traffic should be permitted, the following setting is recommended.
Router(config-ext-nacl)# permit ip any <your company subnet for which you want to permit access from the Internet> <corresponding wildcard mask>
Router(config-ext-nacl)# deny ip any any
If no further restriction on traffic from the Internet is needed, the following setting may be used instead.
Router(config-ext-nacl)# permit ip any any
Finally, apply the access list inbound on the Internet-facing interface.
Router(config)# interface gigabitEthernet0/0
Router(config-if)# ip access-group anti-spoof in
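As an added example that is not part of the original document, the following Python script assembles the access list built in the steps above and evaluates sample source addresses against it with the semantics IOS applies: entries are checked in order and the first match wins, bits set to 1 in a wildcard mask are "don't care", and a packet that matches no entry hits the implicit deny. The company subnet 203.0.113.0/24 (an RFC 5737 documentation prefix) and the sample source addresses are assumptions constructed for illustration, not values from the page.

```python
import ipaddress

# Assumed company subnet for illustration (RFC 5737 documentation range).
COMPANY_SUBNET = "203.0.113.0 0.0.0.255"

# The anti-spoof ACL as built in the procedure above, in order.
# Each entry is (action, "address wildcard") or (action, "any").
ANTI_SPOOF_ACL = [
    ("deny",   "10.0.0.0 0.255.255.255"),      # RFC 1918
    ("deny",   "172.16.0.0 0.15.255.255"),     # RFC 1918
    ("deny",   "192.168.0.0 0.0.255.255"),     # RFC 1918
    ("deny",   "224.0.0.0 15.255.255.255"),    # multicast 224.0.0.0/4
    ("deny",   "127.0.0.0 0.255.255.255"),     # loopback
    ("deny",   "169.254.0.0 0.0.255.255"),     # link-local
    ("deny",   COMPANY_SUBNET),                # our own prefix from outside
    ("permit", "any"),                         # everything else
]


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def matches(src, spec):
    """IOS wildcard-mask match.

    A wildcard mask is the inverse of a subnet mask: bits that are 0 in the
    wildcard must equal the configured address, bits that are 1 are ignored.
    Non-contiguous wildcards are legal in IOS, so compare bitwise rather than
    converting to a prefix. 'any' matches every address.
    """
    if spec == "any":
        return True
    addr, wildcard = spec.split()
    care = ~_to_int(wildcard) & 0xFFFFFFFF   # bits that must match
    return (_to_int(src) & care) == (_to_int(addr) & care)


def evaluate(acl, src):
    """First-match evaluation; an unmatched packet hits the implicit deny."""
    for action, spec in acl:
        if matches(src, spec):
            return action
    return "deny"


def evaluate_all(acl, sources):
    """Map each source address to the verdict the ACL would give it."""
    return {src: evaluate(acl, src) for src in sources}


# Constructed sample source addresses, as if seen arriving on the Internet
# interface. None of these come from the original page.
SAMPLE_SOURCES = [
    "10.1.2.3",         # RFC 1918 -> deny
    "172.31.255.1",     # top of 172.16.0.0/12 -> deny
    "172.32.0.1",       # just outside 172.16.0.0/12 -> permit
    "192.168.0.10",     # RFC 1918 -> deny
    "239.255.255.250",  # multicast -> deny
    "127.0.0.1",        # loopback -> deny
    "169.254.10.10",    # link-local -> deny
    "203.0.113.7",      # our own (assumed) subnet from outside -> deny
    "198.51.100.9",     # ordinary Internet host -> permit
]

if __name__ == "__main__":
    for src, verdict in evaluate_all(ANTI_SPOOF_ACL, SAMPLE_SOURCES).items():
        print(f"{src:16} {verdict}")
```

The 172.32.0.1 case is the one worth a second look: 172.16.0.0/12 ends at 172.31.255.255, which is why the wildcard is 0.15.255.255 and not 0.255.255.255. On the router, `show access-lists anti-spoof` displays per-entry match counts, which is the quickest way to confirm that spoofed packets are actually being caught once the list is applied to the interface.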
The user needs to create the "object-group service" before he tries this command. (That is right: even before you press "Enter", when you use "?" to see the command syntax, if the name of the service group you used in the line doesn't exist, the ASA won't show the rest of the command.)
Original Document: Cisco Support Community Japan DOC-12237