Ethernet Spoofing

From: Hunt Lee (huntl@webcentral.com.au)
Date: Wed Apr 09 2003 - 20:15:20 GMT-3


Hi Group,

                         |
(s1/0.1)--- R14 ---| (fa0/0)
                         |

R14 is using CBAC. S0/0 is the outside interface for CBAC, while fa0/0 is
the inside interface.

Now, if a question says "block spoofing for the FastEthernet interface"...

interface FastEthernet0/0
 ip address 172.26.1.14 255.255.255.0
 ip access-group 103 out
 ip nat inside
 ip inspect FW in
 duplex auto
 speed auto

For the ACL 103, would I need:-

access-list 103 deny ip any 172.26.1.0 0.0.0.255
access-list 103 permit ip any any

OR this?

access-list 103 deny ip 172.26.1.0 0.0.0.255 any
access-list 103 permit ip any any

I would think the 1st one is the correct one, however, the answer claims
that the latter one is correct... can anyone see any logic in this?

And for completeness, here is the answer config for the entire router ;)

r14#sh run
Building configuration...
!
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW cuseeme
ip inspect name FW ftp
ip inspect name FW h323
ip inspect name FW rcmd
ip inspect name FW realaudio
ip inspect name FW smtp
ip inspect name FW streamworks
ip inspect name FW vdolive
ip inspect name FW sqlnet
ip inspect name FW tftp
ip audit notify log
ip audit po max-events 100
!
class-map match-all classvoip
  match access-group 199
!
!
policy-map policyvoip
  class classvoip
    priority 26
  class class-default
   fair-queue
!
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key thor address 172.27.2.13
!
!
crypto ipsec transform-set rt10 esp-des esp-sha-hmac
!
crypto map securevpn 10 ipsec-isakmp
 set peer 172.27.2.13
 set transform-set rt10
 match address 123
!
!
interface Tunnel0
 ip address 23.1.1.14 255.255.255.0
 tunnel source 172.28.1.14
 tunnel destination 172.27.2.13
 crypto map securevpn
!
interface Tunnel2
 ip address 100.1.2.14 255.255.255.0
 tunnel source 172.28.1.14
 tunnel destination 62.5.1.3
!
interface Tunnel3
 ip address 99.1.1.14 255.255.255.0
 tunnel source 100.1.2.14
 tunnel destination 100.1.1.8
!
interface FastEthernet0/0
 ip address 172.26.1.14 255.255.255.0
 ip access-group 103 out
 ip nat inside
 ip inspect FW in
 duplex auto
 speed auto
!
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
 no ip mroute-cache
 no fair-queue
 frame-relay traffic-shaping
!
interface Serial1/0.1 point-to-point
 ip address 172.28.1.14 255.255.255.240
 ip access-group 104 in
 ip nat outside
 ip ospf network broadcast
 frame-relay class frvoip
 frame-relay interface-dlci 146
 crypto map securevpn
!
router ospf 10
 log-adjacency-changes
 network 172.28.1.0 0.0.0.15 area 0
!
router rip
 version 2
 network 100.0.0.0
!
ip local policy route-map frvoipsetup
ip kerberos source-interface any
ip nat inside source list 1 interface Serial1/0.1 overload
ip nat inside source static 172.26.1.10 172.28.1.10
ip classless
no ip http server
!
!
map-class frame-relay frvoip
 frame-relay cir 64000
 frame-relay bc 640
 frame-relay be 0
 no frame-relay adaptive-shaping
 service-policy output policyvoip
access-list 1 permit 172.26.1.0 0.0.0.255
access-list 103 deny ip 172.26.1.0 0.0.0.255 any
access-list 103 permit ip any any
access-list 104 permit ospf host 172.28.1.6 any
access-list 104 permit udp host 172.27.2.13 host 172.28.1.14 range 16383 20000
access-list 104 permit tcp host 172.27.2.13 eq 1720 host 172.28.1.14
access-list 104 permit tcp host 172.27.2.13 host 172.28.1.14 range 11000 11999
access-list 104 permit esp host 172.27.2.13 host 172.28.1.14
access-list 104 permit udp host 172.27.2.13 eq isakmp host 172.28.1.14
access-list 104 permit tcp any host 172.28.1.10 eq smtp
access-list 104 permit tcp any host 172.28.1.10 eq www
access-list 104 permit tcp any host 172.28.1.10 eq pop3
access-list 104 permit tcp any host 172.28.1.10 eq ftp
access-list 104 permit gre host 62.5.1.3 host 172.28.1.14
access-list 104 permit gre host 172.28.1.14 host 62.5.1.3
access-list 104 permit icmp any any
access-list 123 permit ip 172.26.1.0 0.0.0.255 172.27.3.0 0.0.0.15
access-list 123 permit ip host 172.28.1.14 host 172.27.2.13
access-list 199 permit udp any any range 16383 20000
access-list 199 permit tcp any eq 1720 any
access-list 199 permit tcp any any eq 1720
access-list 199 permit tcp any any range 11000 11999
route-map frvoipsetup permit 10
 match ip address 199
 set ip precedence critical
!
!
!
voice-port 3/0/0
!
voice-port 3/0/1
 connection plar 411
!
dial-peer cor custom
!
!
!
dial-peer voice 10 voip
 destination-pattern 411
 session target ipv4:172.27.2.13
 ip precedence 5
 no vad
!
dial-peer voice 20 voip
 destination-pattern 8675309
 session target ipv4:172.27.2.13
 ip precedence 5
 no vad
!
dial-peer voice 30 voip
 destination-pattern 3001
 session target ipv4:172.27.2.13
 ip precedence 5
 no vad
!
num-exp 867 8675309
num-exp 1900....... 3001
!
end

Any help will be greatly appreciated.

Regards,
Hunt
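The question turns on which packets an outbound ACL on fa0/0 actually sees. The following Python model is an added example (not part of the post and not a Cisco tool) of how IOS evaluates an extended ACL applied with `ip access-group 103 out` on fa0/0: the ACL is checked against transit packets the router is about to forward out of that interface onto the 172.26.1.0/24 LAN, first matching entry wins, and an unmatched packet hits the implicit deny. It parses the two candidate ACL 103 definitions exactly as written in the post and runs both over two constructed packets: a legitimate reply from an outside host (198.51.100.7, a constructed address) to the inside web server, and a packet arriving from outside whose source address claims to be inside the LAN (172.26.1.50, constructed). Only the `ip` source/destination matching of the entries is modelled; CBAC's dynamic openings and router-originated traffic are out of scope.

```python
"""Model of an IOS extended ACL applied outbound on FastEthernet0/0 (172.26.1.0/24).

Added example, not code from the original post. Sample hosts 198.51.100.7
and 172.26.1.50 are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one IOS address spec (any | host A | A wildcard) starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "address wildcard": the ipaddress module accepts an IOS wildcard as a hostmask
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ip <src> <dst>' lines in order."""
    entries = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"only 'access-list N permit|deny ip ...' is modelled: {line}")
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append(AclEntry(t[2], src, dst))
    return entries


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action
    return "deny"


# The two candidate ACL 103 definitions, verbatim from the post.
OPTION_1 = parse_acl([
    "access-list 103 deny ip any 172.26.1.0 0.0.0.255",
    "access-list 103 permit ip any any",
])
OPTION_2 = parse_acl([
    "access-list 103 deny ip 172.26.1.0 0.0.0.255 any",
    "access-list 103 permit ip any any",
])

# Packets the router is about to forward OUT of fa0/0 toward the LAN (constructed).
LEGIT_REPLY = Packet("198.51.100.7", "172.26.1.10")   # outside host -> inside server
SPOOFED = Packet("172.26.1.50", "172.26.1.10")        # came in from outside, claims inside src


def fa0_0_outbound(acl: List[AclEntry]) -> Dict[str, str]:
    """Apply the ACL as 'ip access-group 103 out' on fa0/0 would to both packets."""
    return {"legit_reply": evaluate(acl, LEGIT_REPLY), "spoofed": evaluate(acl, SPOOFED)}


if __name__ == "__main__":
    for name, acl in (("option 1 (deny any -> 172.26.1.0/24)", OPTION_1),
                      ("option 2 (deny 172.26.1.0/24 -> any)", OPTION_2)):
        print(name, fa0_0_outbound(acl))
```

Run as-is, the model shows why the direction of the entry matters: an outbound ACL on fa0/0 only ever handles packets headed into 172.26.1.0/24, so option 1 (deny anything destined to the LAN) matches every packet the router would deliver to the inside, legitimate replies included, while option 2 matches only packets that are being forwarded toward the inside yet carry an inside source address, which a packet that genuinely originated on the LAN never does at that point.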



This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:50 GMT-3