Anti-Spooling Rule

Status
Not open for further replies.

isokocons

Technical User
Jan 31, 2004
34
US
I know it is not best practice to use a dynamic IP address for one's Firewall object. However, I have this set up in my home lab. I have a cable connection to the Internet and I obtain an IP address dynamically from the cable modem.

Currently everything is working fine. I can obtain an IP address from my cable modem fine and browse the Internet, etc etc. But to do this I had to:
1. Disable Spooling (because when my Windows 2000 server sends out a request for an IP address to 255.255.255.255, the cable modem replies from an IP address 10.x.x.x and the firewall will drop the packet because of the anti-spooling feature). I only got it working if I disable anti-spooling.

But, instead of disabling my anti-spooling feature and thus opening my network to attack, I then created a network range, e.g. 10.x.x.x (where the IP address 10.x.x.x is the coded IP of my cable modem). I then created a rule to allow bootp/bootpc from that IP.

I thought that would work, but each time I enable the anti-spooling feature, it overrides the rule I created above, thus dropping all packets from the cable modem.

Has anyone done this successfully? I need your contributions and insights.

Thanks.
Isokocons
 
I presume that you are actually talking about anti-SPOOFING?

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Sorry...Yes ANTI-SPOOFING... pardon my fat fingers.

Thanks.
Isokocons
 
For the external range (between firewall and router) you don't need to specify a range; it is just "External".
Do you have any internal ranges that also use 10.x.x.x?
 
Unfortunately yes.

I have a single-box installation, i.e. Firewall module + Management Station + GUI client are all installed on one Windows 2000 box with two NIC cards.

The inside NIC card IP is 10.0.0.254 and I cannot change this cos it is tied to the license. I know I can change the IP from my User Center; apart from that, is there no other solution? So my inside network is of the range 10.0.0.0/8. Could this be the problem, and if YES, there should be a way of working around it with anti-spoofing still enabled.

Of course, I cannot change my cable modem's internal IP; it's the cable company that can do that with their special software.

I did not create an external range for this purpose. I only created an external one to allow some networks in, e.g. me from my office.

Waiting to hear from anyone.

Thanks.
Isokocons
 
Does the external IP range vary from 10.0.0.1 to 10.255.255.255, or is it using a smaller block?
If so, do you use the whole 10.x.x.x range as well for the internal network, or are you just using 10.0.0.x?
You may be able to use different subnet masks for the two networks if they aren't overlapping.
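The suggestion above, worked through as an added example (not code from the thread or from Check Point): a small model of an interface-topology anti-spoofing check, showing why a DHCP reply from the cable modem's 10.x.x.x address is dropped on the external interface while the internal side is declared as the whole 10.0.0.0/8, and accepted once the internal side is narrowed to the /24 actually in use behind 10.0.0.254. The modem address 10.1.2.3 is a constructed sample value.

```python
from ipaddress import ip_address, ip_network

# Anti-spoofing topology model: each internal interface lists the networks
# that legitimately sit behind it. A packet arriving on an interface is
# accepted only if its source belongs to that interface's networks; the
# external interface is the catch-all ("External"), so it accepts any source
# that is NOT claimed by an internal interface.

def build_topology(internal_nets):
    """Networks declared behind the internal interface (strings in CIDR)."""
    return {"internal": [ip_network(n) for n in internal_nets]}

def antispoof_verdict(topology, iface, src):
    """Return 'accept' or 'drop' for a packet with source `src` on `iface`."""
    src_ip = ip_address(src)
    claimed_internal = any(src_ip in net for net in topology["internal"])
    if iface == "internal":
        return "accept" if claimed_internal else "drop"
    # External: a source that belongs to an internal network is spoofed.
    return "drop" if claimed_internal else "accept"

def overlapping(net_a, net_b):
    """True if the two CIDR blocks share any address (cannot coexist)."""
    return ip_network(net_a).overlaps(ip_network(net_b))

# Constructed DHCP offer as described in the thread: the modem answers the
# broadcast request from its own private address on the external side.
DHCP_OFFER = {"iface": "external", "src": "10.1.2.3", "sport": 67, "dport": 68}

if __name__ == "__main__":
    wide = build_topology(["10.0.0.0/8"])     # internal declared as all of 10/8
    narrow = build_topology(["10.0.0.0/24"])  # only the LAN behind 10.0.0.254
    print("internal=10/8 :", antispoof_verdict(wide, DHCP_OFFER["iface"], DHCP_OFFER["src"]))
    print("internal=10/24:", antispoof_verdict(narrow, DHCP_OFFER["iface"], DHCP_OFFER["src"]))
    print("10.0.0.0/8 overlaps modem /24:", overlapping("10.0.0.0/8", "10.1.2.0/24"))
    print("10.0.0.0/24 overlaps modem /24:", overlapping("10.0.0.0/24", "10.1.2.0/24"))
```

The allow rule for bootp never gets a chance to match in the first case because the spoofing check is evaluated before the rule base, which is the behaviour the original poster observed.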
 