This document describes the procedure for implementing anti-spoofing using an access list.

Core Issue:

Scenario 1:

There is a need to block network attacks using the IP spoofing method.

Scenario 2:

The user has a scenario with multiple print servers on the outside interface that need to print to, and communicate with, printers on the inside interface. He has already set up a one-to-one NAT for the printers but needs to work out the ACL for it. His idea is to group all of the outside print servers in one object-group, all of the inside printer networks in another object-group, and all of the ports in a third object-group, then write the ACL as follows:

Command used

access-list ALLOW-OUTSIDE-to-INSIDE-PRINTING extended permit object-group PRINTER-PORTS object-group OUTSIDE-PRINT-SERVERS object-group INSIDE-PRINTERS

but all he gets is the <CR> option after entering the first object-group parameter. The ASA is running code 8.6. Is this possible? Does he need to upgrade to the latest 9.x code?


Scenario 1:

IP spoofing is an attack method in which packets are sent to a target network while the attacker's address is hidden behind a false source address. To achieve anti-spoofing with an access list, you therefore need to create deny statements for each type of traffic, based on whether its source address could belong to a valid sender.


Router(config)# ip access-list extended anti-spoof


First, drop traffic from the private addresses defined in RFC1918. These addresses cannot be routed on the Internet, so they cannot arrive from outside as valid traffic.

Router(config-ext-nacl)# deny ip any
Router(config-ext-nacl)# deny ip any
Router(config-ext-nacl)# deny ip any


Drop traffic from multicast addresses. A multicast address cannot be used as a source address, so such traffic is not valid.

Router(config-ext-nacl)# deny ip any


The next range is the loopback address defined in RFC3330, reserved for communications from each terminal to itself. It cannot be transmitted from outside a terminal.

Router(config-ext-nacl)# deny ip any


This is a loopback address reserved by Microsoft Windows. Like the previous one, it is used only for communications within the PC.


Router(config-ext-nacl)# deny ip any


Your company subnet lies behind the router, so a packet arriving from an outside sender with a source address in your company subnet cannot be legitimate.

Router(config-ext-nacl)# deny ip <your company subnet> <wildcard mask of your company subnet> any


So far only deny statements have been defined, which means all traffic is dropped by the implicit "deny" at the end of the access list. You therefore need to add statements that permit the traffic allowed to enter your company network. If it is clear which Internet traffic you want to permit, the following setting is recommended.


Router(config-ext-nacl)# permit ip any <your company subnet for which you want to permit access from the Internet> <corresponding wildcard mask>

Router(config-ext-nacl)# deny ip any any


If there is no need for any further restrictions on traffic from the Internet, the following setting may be used instead.


Router(config-ext-nacl)# permit ip any any


Finally, apply the access list you created, inbound, to the Internet-facing interface.


Router(config)# interface gigabitEthernet0/0

Router(config-if)# ip access-group anti-spoof in
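To check how the anti-spoof list assembled in Scenario 1 behaves before applying it, here is an added simulator of IOS-style first-match ACL evaluation (example code, not part of the original document). The addresses in it are assumptions: the RFC1918, multicast, loopback and link-local ranges are the standard ones, and 203.0.113.0/24 is a constructed stand-in for "your company subnet".

```python
# Added example: evaluate an IOS-style extended ACL (wildcard masks,
# first match wins, implicit deny) against sample packets.
import ipaddress

# Constructed anti-spoof list; 203.0.113.0/24 stands in for the company subnet.
ANTI_SPOOF_ACL = """
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 203.0.113.0 0.0.0.255 any
permit ip any 203.0.113.0 0.0.0.255
deny ip any any
"""

def parse_match(tokens):
    """Consume one source/destination spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is an inverted netmask: 0.0.0.255 means /24.
    hostmask = int(ipaddress.ip_address(wildcard))
    prefix_len = 32 - hostmask.bit_length()
    # Only contiguous wildcards (0...01...1) map to a prefix; reject the rest.
    if hostmask != (1 << (32 - prefix_len)) - 1:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False), tokens[2:]

def parse_acl(text):
    """Return a list of (action, source_net, destination_net) in ACL order."""
    entries = []
    for line in text.strip().splitlines():
        action, _proto, *rest = line.split()   # protocol is always 'ip' here
        src, rest = parse_match(rest)
        dst, rest = parse_match(rest)
        entries.append((action, src, dst))
    return entries

def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action
    return "deny"
```

A packet from 10.1.2.3 or from 203.0.113.5 arriving on the outside interface is denied as spoofed, while 198.51.100.7 to 203.0.113.10 is permitted.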


Scenario 2:

The user needs to create the "object-group service" before trying this command. (That is right: even before you press "Enter", when you use "?" to see the command syntax, if the name of the service group used in the line does not exist the ASA will not show the rest of the command.)



Related Information

Original Document: Cisco Support Community Japan DOC-12237

Author: Zhao Qin

Posted on July 26, 2010
