From: Kenneth Wygand (KWygand@customonline.com)
Date: Sat Apr 24 2004 - 22:27:56 GMT-3
Carlos,
Directly from page 87 of the Router Security Configuration Guide,
published by the System and Network Attack Center with the National
Security Agency: it specifies that the following addresses (private,
spoofed, automatic, reserved, special [loopback]) should be blocked on
all Internet-connected routers (in addition to ACL lines to block source
address spoofing from external connections):
The following example assumes that this access-list is applied inbound
on your external interfaces. It also assumes that your internal network
is using the 14.2.6.0/24 address space:
<snip>
East(config)# access-list 100 deny ip 14.2.6.0 0.0.0.255 any log
East(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
East(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
East(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
East(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
East(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
East(config)# access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
East(config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
East(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
East(config)# access-list 100 deny ip host 255.255.255.255 any log
</snip>
Kenneth E. Wygand
Systems Engineer, Project Services
CISSP #37102, CCNP, CCDP, ACSP, Cisco IPT Design Specialist, MCP, CNA,
Network+, A+
Custom Computer Specialists, Inc.
"The only unattainable goal is the one not attempted."
-Anonymous
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Carlos Marchini
Sent: Saturday, April 24, 2004 7:30 PM
To: ccielab@groupstudy.com
Subject: RFC 1918 filtering on ISP Edge router
I want to set up private address filtering on my ISP edge router. My ISP
uses the 10.x.x.x network internally.
This is the config that I am working on. Does anyone find anything wrong
here? Should I be blocking the 127.x.x.x network?
Interface S0/0
Description TO ISP
ip address 10.200.1.1 255.255.255.0
ip access-group 103 in
!
access-list 103 permit ip 10.200.1.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
Thanks,
Carlos Marchini
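As an added illustration, not from either post, here is a small Python model of IOS first-match ACL evaluation with wildcard masks, run over Carlos's access-list 103 and the guide's list from Kenneth's reply. It assumes the `ip` protocol keyword on the permit line, omits the guide's site-specific 14.2.6.0/24 entry, and the source addresses it checks are constructed.

```python
import ipaddress
# Constructed from the thread: Carlos's edge ACL (with the `ip` keyword an IOS
# extended ACL requires) and the guide's list, minus its site-specific 14.2.6.0/24.
ACL_103 = """
access-list 103 permit ip 10.200.1.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
"""
ACL_100 = """
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny ip host 255.255.255.255 any log
"""
_int = lambda s: int(ipaddress.IPv4Address(s))  # dotted quad (or int) -> int
def parse_acl(text):
    """Parse 'access-list N action ip <any|host A|ADDR WILDCARD> any [log]' lines."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, src = parts[2], parts[4:]  # parts[3] is the 'ip' protocol keyword
        if src[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif src[0] == "host":
            addr, wild = _int(src[1]), 0
        else:  # IOS wildcard mask: a 1 bit means "don't care"
            addr, wild = _int(src[0]), _int(src[1])
        rules.append((action, addr, wild))
    return rules

def evaluate(rules, src_ip):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    ip = _int(src_ip)
    for action, addr, wild in rules:
        if (ip | wild) == (addr | wild):
            return action
    return "deny"

def not_blocked(candidate, reference):
    """Source prefixes the reference ACL denies but the candidate still permits."""
    return [str(ipaddress.IPv4Address(a)) for act, a, _ in reference
            if act == "deny" and evaluate(candidate, a) == "permit"]
```

Running `not_blocked(parse_acl(ACL_103), parse_acl(ACL_100))` lists the guide entries (0.0.0.0/8, 192.0.2.0/24, 169.254.0.0/16, 224.0.0.0/4, 255.255.255.255) that access-list 103 lets through, and evaluating the guide's snippet alone shows its implicit deny: it needs a trailing permit before it can be applied as-is.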
This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:55 GMT-3