From: Donny MATEO (donny.mateo@sg.ca-indosuez.com)
Date: Wed Apr 09 2003 - 22:58:55 GMT-3
Hi Hunt,
The key is the ACL's direction, which is "out" from the perspective of the router.
The first one denies any packet coming out of the router's F0/0 interface going to the internal network, which will deny all packets from going to 172.26.1.0/24 (bad thing).
And the latter one will deny any packet coming out of the router's F0/0 interface with a source IP address of 172.26.1.0/24, which is what you want.
Regards,
Donny
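Donny's point in runnable form, as an added example that is not from the thread: a small Python evaluator (constructed, not IOS) that applies both candidate ACL 103 variants to packets the router forwards out of fa0/0 toward the LAN. The outside address 62.5.1.3 is taken from the posted config; the packets themselves are constructed.

```python
import ipaddress

# Added example, not from the post. "ip access-group 103 out" on fa0/0 means the
# ACL sees packets the router is forwarding OUT of fa0/0, i.e. toward 172.26.1.0/24.
# Only plain "access-list N permit|deny ip SRC DST" entries are parsed here.

def _addr(parts, i):
    """Parse one IOS address token: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if parts[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if parts[i] == "host":
        return ipaddress.ip_network(parts[i + 1] + "/32"), i + 2
    addr, wildcard = parts[i], parts[i + 1]
    if wildcard == "0.0.0.0":  # ipaddress would read 0.0.0.0 as a /0 netmask
        return ipaddress.ip_network(addr + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host mask) after the slash
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False), i + 2

def parse_acl(lines):
    """Turn 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)."""
    rules = []
    for line in lines:
        p = line.split()
        src, i = _addr(p, 4)
        dst, _ = _addr(p, i)
        rules.append((p[2], src, dst))
    return rules

def acl_action(rules, src, dst):
    """First-match evaluation, with IOS's implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"

ACL_A = parse_acl(["access-list 103 deny ip any 172.26.1.0 0.0.0.255",
                   "access-list 103 permit ip any any"])
ACL_B = parse_acl(["access-list 103 deny ip 172.26.1.0 0.0.0.255 any",
                   "access-list 103 permit ip any any"])

# Constructed packets as seen leaving fa0/0 toward the LAN (src, dst):
PACKETS = {
    "legit_inbound":  ("62.5.1.3", "172.26.1.10"),     # outside host talking to a LAN host
    "spoofed_source": ("172.26.1.50", "172.26.1.10"),  # came in from the WAN side, LAN source
}

def compare():
    """Action each ACL variant takes on each packet, keyed by packet name."""
    return {name: {"A": acl_action(ACL_A, s, d), "B": acl_action(ACL_B, s, d)}
            for name, (s, d) in PACKETS.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Variant A denies every packet headed to the LAN, legitimate or not, while variant B only drops packets that claim a LAN source while being forwarded toward the LAN; traffic that originates on the LAN enters fa0/0 inbound and is never seen by this outbound ACL.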
From: Hunt Lee <huntl@webcentral.com.au>
Sent by: nobody@groupstudy.com
To: "'ccielab@groupstudy.com'" <ccielab@groupstudy.com>
cc:
Date: 10-04-2003 07:15
Subject: Ethernet Spoofing
Please respond to Hunt Lee
Hi Group,
                   |
(s1/0.1)--- R14 ---| (fa0/0)
                   |
R14 is using CBAC. S0/0 is the outside interface for CBAC, while fa0/0 is the inside interface.
Now, if a question says "block spoofing for the FastEthernet interface"...
interface FastEthernet0/0
ip address 172.26.1.14 255.255.255.0
ip access-group 103 out
ip nat inside
ip inspect FW in
duplex auto
speed auto
For the ACL 103, would I need:-
access-list 103 deny ip any 172.26.1.0 0.0.0.255
access-list 103 permit ip any any
OR this?
access-list 103 deny ip 172.26.1.0 0.0.0.255 any
access-list 103 permit ip any any
I would think the 1st one is the correct one; however, the answer claims that the latter one is correct... can anyone see any logic in this?
And for completeness, here is the answer config for the entire router ;)
r14#sh run
Building configuration...
!
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW cuseeme
ip inspect name FW ftp
ip inspect name FW h323
ip inspect name FW rcmd
ip inspect name FW realaudio
ip inspect name FW smtp
ip inspect name FW streamworks
ip inspect name FW vdolive
ip inspect name FW sqlnet
ip inspect name FW tftp
ip audit notify log
ip audit po max-events 100
!
class-map match-all classvoip
match access-group 199
!
!
policy-map policyvoip
class classvoip
priority 26
class class-default
fair-queue
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key thor address 172.27.2.13
!
!
crypto ipsec transform-set rt10 esp-des esp-sha-hmac
!
crypto map securevpn 10 ipsec-isakmp
set peer 172.27.2.13
set transform-set rt10
match address 123
!
!
interface Tunnel0
ip address 23.1.1.14 255.255.255.0
tunnel source 172.28.1.14
tunnel destination 172.27.2.13
crypto map securevpn
!
interface Tunnel2
ip address 100.1.2.14 255.255.255.0
tunnel source 172.28.1.14
tunnel destination 62.5.1.3
!
interface Tunnel3
ip address 99.1.1.14 255.255.255.0
tunnel source 100.1.2.14
tunnel destination 100.1.1.8
!
interface FastEthernet0/0
ip address 172.26.1.14 255.255.255.0
ip access-group 103 out
ip nat inside
ip inspect FW in
duplex auto
speed auto
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
!
interface Serial1/0
no ip address
encapsulation frame-relay
no ip mroute-cache
no fair-queue
frame-relay traffic-shaping
!
interface Serial1/0.1 point-to-point
ip address 172.28.1.14 255.255.255.240
ip access-group 104 in
ip nat outside
ip ospf network broadcast
frame-relay class frvoip
frame-relay interface-dlci 146
crypto map securevpn
!
router ospf 10
log-adjacency-changes
network 172.28.1.0 0.0.0.15 area 0
!
router rip
version 2
network 100.0.0.0
!
ip local policy route-map frvoipsetup
ip kerberos source-interface any
ip nat inside source list 1 interface Serial1/0.1 overload
ip nat inside source static 172.26.1.10 172.28.1.10
ip classless
no ip http server
!
!
map-class frame-relay frvoip
frame-relay cir 64000
frame-relay bc 640
frame-relay be 0
no frame-relay adaptive-shaping
service-policy output policyvoip
access-list 1 permit 172.26.1.0 0.0.0.255
access-list 103 deny ip 172.26.1.0 0.0.0.255 any
access-list 103 permit ip any any
access-list 104 permit ospf host 172.28.1.6 any
access-list 104 permit udp host 172.27.2.13 host 172.28.1.14 range 16383 20000
access-list 104 permit tcp host 172.27.2.13 eq 1720 host 172.28.1.14
access-list 104 permit tcp host 172.27.2.13 host 172.28.1.14 range 11000 11999
access-list 104 permit esp host 172.27.2.13 host 172.28.1.14
access-list 104 permit udp host 172.27.2.13 eq isakmp host 172.28.1.14
access-list 104 permit tcp any host 172.28.1.10 eq smtp
access-list 104 permit tcp any host 172.28.1.10 eq www
access-list 104 permit tcp any host 172.28.1.10 eq pop3
access-list 104 permit tcp any host 172.28.1.10 eq ftp
access-list 104 permit gre host 62.5.1.3 host 172.28.1.14
access-list 104 permit gre host 172.28.1.14 host 62.5.1.3
access-list 104 permit icmp any any
access-list 123 permit ip 172.26.1.0 0.0.0.255 172.27.3.0 0.0.0.15
access-list 123 permit ip host 172.28.1.14 host 172.27.2.13
access-list 199 permit udp any any range 16383 20000
access-list 199 permit tcp any eq 1720 any
access-list 199 permit tcp any any eq 1720
access-list 199 permit tcp any any range 11000 11999
route-map frvoipsetup permit 10
match ip address 199
set ip precedence critical
!
!
!
voice-port 3/0/0
!
voice-port 3/0/1
connection plar 411
!
dial-peer cor custom
!
!
!
dial-peer voice 10 voip
destination-pattern 411
session target ipv4:172.27.2.13
ip precedence 5
no vad
!
dial-peer voice 20 voip
destination-pattern 8675309
session target ipv4:172.27.2.13
ip precedence 5
no vad
!
dial-peer voice 30 voip
destination-pattern 3001
session target ipv4:172.27.2.13
ip precedence 5
no vad
!
num-exp 867 8675309
num-exp 1900....... 3001
!
end
Any help will be greatly appreciated.
Regards,
Hunt
This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:50 GMT-3