Bubbalouie
Technical User
I need some help wrapping my head around anti-spoofing ACL lists.
I'm running a site-to-site VPN between a Cisco 1750 and a PIX 506. On the router I'm wanting to tighten up the security on the inbound ethernet0 interface. The internal network at the router is 192.168.3.0 0.255.255.255, and there are two internal networks at the PIX, 192.168.1.0 0.255.255.255 and 192.168.6.0 0.255.255.255.
The current access list looks like:
access-list 16 deny 192.168.3.0 0.0.0.255
access-list 16 deny 12.166.0.0 0.0.255.255
access-list 16 permit any
I'm wanting to replace with this:
Extended IP access list IngressFilter
10 permit tcp any any established (5041 matches)
20 deny ip 127.0.0.0 0.255.255.255 any
30 deny ip 10.0.0.0 0.255.255.255 any
40 deny ip 172.16.0.0 0.15.255.255 any
50 deny ip 192.168.0.0 0.0.255.255 any (35 matches)
60 deny ip 224.0.0.0 15.255.255.255 any
70 deny ip 240.0.0.0 7.255.255.255 any
80 permit ip any any (1797 matches)
As you can see by line 50, I'm blocking my own incoming VPN traffic when I apply it!
If I understand the article I'm reading on anti-spoofing, I still need to block the 192.168.x ranges. If I add a permit at the start of the ACL that will permit 192.168.1.0 and 192.168.6.0, doesn't that kind of defeat my purpose?