From: Todd.Reagan@nokia.com
Date: Wed Apr 09 2003 - 21:44:52 GMT-3
Hunt,
I agree that it should be the latter. You do not want a packet coming from the external network interface (s1/0) claiming it is from the internal segment (fa0/0). The latter ACL will deny an external packet sourced from the 172.26.1.0/24 network coming from the s1/0.1, since all outbound traffic from the fa0/0 interface's perspective must come from s1/0.1 or the local router.
I hope this helps, I am struggling explaining this without being able to draw!! :-)
Todd
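To make the direction argument concrete, here is an added example (not code from the thread) that evaluates Hunt's two candidate ACL 103 variants as an outbound filter on R14's fa0/0 and shows which one blocks a spoofed packet without also blocking legitimate return traffic. The inside subnet and ACL entries come from the posted config; the packet addresses are constructed.

```python
# Added example: first-match ACL evaluation for packets leaving fa0/0 (the
# inside segment, 172.26.1.0/24 per the posted config) toward inside hosts.
from ipaddress import ip_address, ip_network

INSIDE = ip_network("172.26.1.0/24")   # segment behind fa0/0 (from the config)
ANY = ip_network("0.0.0.0/0")          # Cisco "any"

# Each entry: (action, source network, destination network)
# Hunt's first candidate: access-list 103 deny ip any 172.26.1.0 0.0.0.255
ACL_FIRST = [("deny", ANY, INSIDE), ("permit", ANY, ANY)]
# The answer config:     access-list 103 deny ip 172.26.1.0 0.0.0.255 any
ACL_ANSWER = [("deny", INSIDE, ANY), ("permit", ANY, ANY)]


def evaluate(acl, src, dst):
    """First matching entry wins; implicit deny at the end, as on the router."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action
    return "deny"


# Constructed packets travelling OUT of fa0/0, i.e. from R14 to inside hosts.
# 198.51.100.7 is a constructed external address; 172.26.1.10 is the inside
# server from the config (static NAT to 172.28.1.10).
PACKETS = {
    "legit reply to inside host": ("198.51.100.7", "172.26.1.10"),
    "spoofed inside source": ("172.26.1.50", "172.26.1.10"),
}


def classify(acl):
    """Map each constructed packet to the action the given ACL takes on it."""
    return {name: evaluate(acl, s, d) for name, (s, d) in PACKETS.items()}


if __name__ == "__main__":
    # The first candidate denies BOTH packets (it cuts the inside hosts off);
    # the answer's ACL denies only the spoofed one.
    print("first  :", classify(ACL_FIRST))
    print("answer :", classify(ACL_ANSWER))
```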
-----Original Message-----
From: ext Hunt Lee [mailto:huntl@webcentral.com.au]
Sent: Wed 4/9/2003 6:15 PM
To: 'ccielab@groupstudy.com'
Cc:
Subject: Ethernet Spoofing
Hi Group,
                   |
(s1/0.1)--- R14 ---| (fa0/0)
                   |
R14 is using CBAC. S0/0 is the outside interface for CBAC, while fa0/0 is the inside interface.
Now, if a question says "block spoofing for the FastEthernet interface"...
interface FastEthernet0/0
ip address 172.26.1.14 255.255.255.0
ip access-group 103 out
ip nat inside
ip inspect FW in
duplex auto
speed auto
For the ACL 103, would I need:-
access-list 103 deny ip any 172.26.1.0 0.0.0.255
access-list 103 permit ip any any
OR this?
access-list 103 deny ip 172.26.1.0 0.0.0.255 any
access-list 103 permit ip any any
I would think the 1st one is the correct one, however, the answer claims that the latter one is correct... can anyone see any logic in this?
And for completeness, here is the answer config for the entire router ;)
r14#sh run
Building configuration...
!
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW cuseeme
ip inspect name FW ftp
ip inspect name FW h323
ip inspect name FW rcmd
ip inspect name FW realaudio
ip inspect name FW smtp
ip inspect name FW streamworks
ip inspect name FW vdolive
ip inspect name FW sqlnet
ip inspect name FW tftp
ip audit notify log
ip audit po max-events 100
!
class-map match-all classvoip
match access-group 199
!
!
policy-map policyvoip
class classvoip
priority 26
class class-default
fair-queue
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key thor address 172.27.2.13
!
!
crypto ipsec transform-set rt10 esp-des esp-sha-hmac
!
crypto map securevpn 10 ipsec-isakmp
set peer 172.27.2.13
set transform-set rt10
match address 123
!
!
interface Tunnel0
ip address 23.1.1.14 255.255.255.0
tunnel source 172.28.1.14
tunnel destination 172.27.2.13
crypto map securevpn
!
interface Tunnel2
ip address 100.1.2.14 255.255.255.0
tunnel source 172.28.1.14
tunnel destination 62.5.1.3
!
interface Tunnel3
ip address 99.1.1.14 255.255.255.0
tunnel source 100.1.2.14
tunnel destination 100.1.1.8
!
interface FastEthernet0/0
ip address 172.26.1.14 255.255.255.0
ip access-group 103 out
ip nat inside
ip inspect FW in
duplex auto
speed auto
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
!
interface Serial1/0
no ip address
encapsulation frame-relay
no ip mroute-cache
no fair-queue
frame-relay traffic-shaping
!
interface Serial1/0.1 point-to-point
ip address 172.28.1.14 255.255.255.240
ip access-group 104 in
ip nat outside
ip ospf network broadcast
frame-relay class frvoip
frame-relay interface-dlci 146
crypto map securevpn
!
router ospf 10
log-adjacency-changes
network 172.28.1.0 0.0.0.15 area 0
!
router rip
version 2
network 100.0.0.0
!
ip local policy route-map frvoipsetup
ip kerberos source-interface any
ip nat inside source list 1 interface Serial1/0.1 overload
ip nat inside source static 172.26.1.10 172.28.1.10
ip classless
no ip http server
!
!
map-class frame-relay frvoip
frame-relay cir 64000
frame-relay bc 640
frame-relay be 0
no frame-relay adaptive-shaping
service-policy output policyvoip
access-list 1 permit 172.26.1.0 0.0.0.255
access-list 103 deny ip 172.26.1.0 0.0.0.255 any
access-list 103 permit ip any any
access-list 104 permit ospf host 172.28.1.6 any
access-list 104 permit udp host 172.27.2.13 host 172.28.1.14 range 16383 20000
access-list 104 permit tcp host 172.27.2.13 eq 1720 host 172.28.1.14
access-list 104 permit tcp host 172.27.2.13 host 172.28.1.14 range 11000 11999
access-list 104 permit esp host 172.27.2.13 host 172.28.1.14
access-list 104 permit udp host 172.27.2.13 eq isakmp host 172.28.1.14
access-list 104 permit tcp any host 172.28.1.10 eq smtp
access-list 104 permit tcp any host 172.28.1.10 eq www
access-list 104 permit tcp any host 172.28.1.10 eq pop3
access-list 104 permit tcp any host 172.28.1.10 eq ftp
access-list 104 permit gre host 62.5.1.3 host 172.28.1.14
access-list 104 permit gre host 172.28.1.14 host 62.5.1.3
access-list 104 permit icmp any any
access-list 123 permit ip 172.26.1.0 0.0.0.255 172.27.3.0 0.0.0.15
access-list 123 permit ip host 172.28.1.14 host 172.27.2.13
access-list 199 permit udp any any range 16383 20000
access-list 199 permit tcp any eq 1720 any
access-list 199 permit tcp any any eq 1720
access-list 199 permit tcp any any range 11000 11999
route-map frvoipsetup permit 10
match ip address 199
set ip precedence critical
!
!
!
voice-port 3/0/0
!
voice-port 3/0/1
connection plar 411
!
dial-peer cor custom
!
!
!
dial-peer voice 10 voip
destination-pattern 411
session target ipv4:172.27.2.13
ip precedence 5
no vad
!
dial-peer voice 20 voip
destination-pattern 8675309
session target ipv4:172.27.2.13
ip precedence 5
no vad
!
dial-peer voice 30 voip
destination-pattern 3001
session target ipv4:172.27.2.13
ip precedence 5
no vad
!
num-exp 867 8675309
num-exp 1900....... 3001
!
end
Any help will be greatly appreciated.
Regards,
Hunt
This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:50 GMT-3