Bubbalouie
Technical User
This is a repost to an earlier question I had. I still haven't quite wrapped my head around it...
-------------------------------------------------------------------------
I need some help wrapping my head around anti-spoofing ACL lists.
I have a central site with a PIX 506e. There are two internal networks at the PIX, 192.168.1.0 0.255.255.255 and 192.168.6.0 0.255.255.255.0. The PIX is on the 192.168.1.0 network.
I have 9 remote sites running site-to-site vpn's from 1750 routers to the PIX 506e. The remote sites are 192.168.2.0 255.255.255.0 thru 192.168.5.0 255.255.255.0 and 192.168.7.0 255.255.255.0 thru 192.168.11.0 255.255.255.0. The routers are all running IOS Version 12.3(16).
The remote sites can access only the 2 networks at the central site, not each other.
On these routers I'm wanting to tighten up the security on the inbound ethernet0 interface.
An example of the current run configs is the router at the 192.168.8.0 0.255.255.255.0 remote site.
The current access list looks like:
access-list 16 deny 192.168.8.0 0.0.0.255
access-list 16 deny 12.166.0.0 0.0.255.255
access-list 16 permit any
I'm wanting to replace with this:
Extended IP access list IngressFilter
10 permit tcp any any established (5041 matches)
20 deny ip 127.0.0.0 0.255.255.255 any
30 deny ip 10.0.0.0 0.255.255.255 any
40 deny ip 172.16.0.0 0.15.255.255 any
50 deny ip 192.168.0.0 0.0.255.255 any (35 matches)
60 deny ip 224.0.0.0 15.255.255.255 any
70 deny ip 240.0.0.0 7.255.255.255 any
80 permit ip any any (1797 matches)
As you can see by line 50, I'm blocking my own incoming vpn traffic when I apply it!
If I understand the article I'm reading on anti-spoofing, I still need to block the 192.168.'s. If I add a permit at the start of the ACL that will permit 1.0 and 6.0 doesn't that kinda defeat my purpose?
Someone had responded to my original post by saying:
'not with an access list. you can use ip verify reverse path. this will verify the source of the IP is not coming from your own network or not spoofed '
I've since read that I should be using:
ip verify unicast source reachable-via
Which is fine. I'm unclear though as to whether I still need to use my access-list? Does 'ip verify unicast source reachable-via' replace the ingress filter I was originally thinking about?
If not, how do I use the 'ip verify unicast source reachable-via' command with an ingress filter?
Sorry for being so dense and thanks in advance for any hints, ideas, tips or outright answers!
-------------------------------------------------------------------------
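An added illustration, not part of the original post or a reply to it: a small Python model of how an IOS extended ACL with Cisco wildcard masks, and a strict uRPF check, treat packets arriving on the remote router's outside interface. It transcribes the IngressFilter from the post, shows which line catches a decrypted tunnel packet sourced from the central site (line 50, as the post's match counter indicates), and contrasts a variant with explicit permits for only the two central-site networks placed ahead of line 50. The routing table (LAN via ethernet1, default route via ethernet0), the host addresses, and the sequence numbers 45/46 are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: addresses, routing table and packets are assumptions
# based on the post, not captures from the poster's routers.


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any protocol) or "tcp"
    src: Tuple[str, str]   # (base, wildcard); ANY below is "any"
    dst: Tuple[str, str]
    established: bool = False


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    ack_or_rst: bool = False  # what the "established" keyword checks for


ANY = ("0.0.0.0", "255.255.255.255")


def evaluate_acl(acl: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.established and not pkt.ack_or_rst:
            continue
        if wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst):
            return e.action, e.seq
    return "deny", None


# The IngressFilter from the post, transcribed from the show output (match counters dropped).
INGRESS_FILTER = [
    AclEntry(10, "permit", "tcp", ANY, ANY, established=True),
    AclEntry(20, "deny", "ip", ("127.0.0.0", "0.255.255.255"), ANY),
    AclEntry(30, "deny", "ip", ("10.0.0.0", "0.255.255.255"), ANY),
    AclEntry(40, "deny", "ip", ("172.16.0.0", "0.15.255.255"), ANY),
    AclEntry(50, "deny", "ip", ("192.168.0.0", "0.0.255.255"), ANY),
    AclEntry(60, "deny", "ip", ("224.0.0.0", "15.255.255.255"), ANY),
    AclEntry(70, "deny", "ip", ("240.0.0.0", "7.255.255.255"), ANY),
    AclEntry(80, "permit", "ip", ANY, ANY),
]

# Assumed variant: permits for the two central-site networks, to this site's LAN only,
# inserted ahead of line 50 so the rest of 192.168.0.0/16 (other remote sites included)
# is still denied.
VPN_AWARE_FILTER = INGRESS_FILTER[:4] + [
    AclEntry(45, "permit", "ip", ("192.168.1.0", "0.0.0.255"), ("192.168.8.0", "0.0.0.255")),
    AclEntry(46, "permit", "ip", ("192.168.6.0", "0.0.0.255"), ("192.168.8.0", "0.0.0.255")),
] + INGRESS_FILTER[4:]

# Assumed routing table of the 192.168.8.0/24 remote router.
ROUTES = [
    (ipaddress.ip_network("192.168.8.0/24"), "ethernet1"),
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet0"),
]


def urpf_strict(src: str, ingress_if: str) -> bool:
    """Strict uRPF: pass only if the best route back to the source leaves via the ingress interface."""
    addr = ipaddress.ip_address(src)
    candidates = [r for r in ROUTES if addr in r[0]]
    if not candidates:
        return False
    best = max(candidates, key=lambda r: r[0].prefixlen)
    return best[1] == ingress_if


if __name__ == "__main__":
    samples = [
        Packet("192.168.1.10", "192.168.8.20"),                           # decrypted tunnel traffic
        Packet("192.168.2.10", "192.168.8.20"),                           # another remote site
        Packet("10.1.1.1", "192.168.8.20"),                               # RFC1918 source from outside
        Packet("8.8.8.8", "192.168.8.20", proto="tcp", ack_or_rst=True),  # reply to an outbound session
    ]
    for p in samples:
        print(p.src, "original:", evaluate_acl(INGRESS_FILTER, p), "vpn-aware:", evaluate_acl(VPN_AWARE_FILTER, p))
    for src in ("192.168.8.5", "192.168.1.10"):
        print("uRPF strict on ethernet0 passes", src, "->", urpf_strict(src, "ethernet0"))
```

Under the assumed routing table, strict uRPF on ethernet0 drops a packet claiming a 192.168.8.0/24 source (the case ACL 16's first line covered), but passes a 192.168.1.x source because the default route points back out ethernet0; the ingress ACL is what still decides that case, so the two mechanisms complement rather than replace each other.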