
Quick Question on Denying Networks and Netmasks

kfriend (MIS, US), Feb 10, 2003

I'm in a Class B network. I was given a complete Class C to setup my internal hosts. I broke this down to 255.255.255.224

Following best security practices, I want to block my internal hosts on the external interface (prevent spoofing)

Wondering if I can block using the class C netmask?

i.e

xxx.xxx.75.0 255.255.255.0 subnetted to xxx.xxx.75.0 255.255.255.224

access-list outside-acl deny ip xxx.xxx.75.0 255.255.255.0 any
access-group outside-acl in interface outside

or do I have to specifically deny each subnet/range?

thanks

MCSE/MCDBA
SANS GIAC + SANS FIREWALL
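The question above (does one deny on the /24 mask cover all of the /27 subnets carved out of it?) can be checked mechanically. The script below is an added example, not code from either poster; it uses the RFC 5737 documentation prefix 192.0.2.0/24 in place of the masked xxx.xxx.75.0, mirrors the way a PIX access-list entry matches a source (address AND mask compared with network AND mask, using an ordinary subnet mask rather than the IOS wildcard mask), and renders both the single aggregate entry and the per-subnet equivalent.

```python
import ipaddress

# Assumption: the thread masks the real prefix as xxx.xxx.75.0; the RFC 5737
# documentation prefix 192.0.2.0/24 stands in for it here.
CLASS_C = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_MASK = "255.255.255.224"  # the /27 mask the poster used for the hosts


def pix_entry_matches(src, network, mask):
    """Mirror how a PIX access-list entry matches a source address.

    A PIX access-list takes an ordinary subnet mask (255.255.255.0), not
    the IOS wildcard mask (0.0.0.255): the entry matches when the address
    ANDed with the mask equals the entry's network ANDed with the mask.
    """
    s = int(ipaddress.ip_address(src))
    n = int(ipaddress.ip_address(network))
    m = int(ipaddress.ip_address(mask))
    return (s & m) == (n & m)


def internal_subnets():
    """The eight /27 subnets that a 255.255.255.224 split of the /24 yields."""
    prefixlen = ipaddress.ip_network(f"0.0.0.0/{INTERNAL_MASK}").prefixlen
    return list(CLASS_C.subnets(new_prefix=prefixlen))


def aggregate_covers_all_subnets():
    """True when a single deny on the /24 mask matches every host in every /27.

    Checks the first and last address of each /27; because the match is a
    bitwise AND with the mask, every address in between matches as well.
    """
    for subnet in internal_subnets():
        for host in (subnet.network_address, subnet.broadcast_address):
            if not pix_entry_matches(host, CLASS_C.network_address, CLASS_C.netmask):
                return False
    return True


def acl_lines(name="outside-acl", per_subnet=False):
    """Render the anti-spoof deny as one aggregate entry, or one entry per /27.

    Both forms drop the same sources; the aggregate is shorter and does not
    need editing when the /27 layout changes later.
    """
    nets = internal_subnets() if per_subnet else [CLASS_C]
    lines = [f"access-list {name} deny ip {n.network_address} {n.netmask} any"
             for n in nets]
    lines.append(f"access-group {name} in interface outside")
    return lines


if __name__ == "__main__":
    print("aggregate deny covers every /27:", aggregate_covers_all_subnets())
    print("\n".join(acl_lines()))
    print("--- per-subnet equivalent ---")
    print("\n".join(acl_lines(per_subnet=True)))
```

The aggregate entry works because every /27 is a longer prefix inside the /24: masking any of its addresses with 255.255.255.0 gives the /24's network address. The one thing to keep straight on a PIX is the mask style; pasting an IOS-style `0.0.0.255` wildcard into a PIX access-list produces an entry that matches almost nothing.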
 
You do not have to deny specific subnets. Doing what you want will work.

However...

The line you wish to implement on the PIX outside really isn't needed. The PIX denies everything by default anyway (unless you specifically permit it in), particularly IP spoofing attempts, so you should already be covered. The following command will also aid in killing spoofs:
ip verify reverse-path interface outside

The best place to do what you want to do is at the Internet router as the traffic is coming into your serial int. While you're at it, also deny 10.0.0.0/8, 172.16.0.0/16 and 192.168.0.0/24
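The `ip verify reverse-path` command recommended above is a strict unicast reverse-path check: a packet is accepted on an interface only if the firewall's own route back to the packet's source address points out that same interface. The simulation below is an added example, not code from the reply or from Cisco; it builds a constructed routing table for a PIX arranged the way the original poster describes (server zones behind higher-security interfaces, the employee LAN on "outside"), with 192.0.2.0/24 standing in for the masked xxx.xxx.75.0 prefix and the zone names and other prefixes assumed for illustration.

```python
import ipaddress

# Constructed routing table for the PIX in the poster's setup, where the
# "outside" interface faces the rest of the LAN and the server zones sit
# behind higher-security interfaces. 192.0.2.0/24 stands in for the masked
# xxx.xxx.75.0 prefix; the zone names and the other prefixes are assumptions.
ROUTES = [
    ("192.0.2.0/27", "finance"),   # one /27 server zone
    ("192.0.2.32/27", "finance"),  # a second /27 in the same zone
    ("192.0.2.64/27", "hr"),       # a /27 in another zone
    ("0.0.0.0/0", "outside"),      # everything else is on the employee LAN
]


def best_route(addr):
    """Longest-prefix match against ROUTES; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def rpf_accepts(src, ingress):
    """Strict reverse-path check, the idea behind `ip verify reverse-path`.

    The packet passes only if the route back to its source address leaves
    through the very interface it arrived on. A source that the firewall
    would route into a server zone, but that shows up on "outside", fails.
    """
    route = best_route(src)
    return route is not None and route[1] == ingress


def filter_spoofs(packets):
    """Run the check over (source, ingress interface) pairs; returns the drops."""
    return [(src, iface) for src, iface in packets if not rpf_accepts(src, iface)]


# Constructed sample: sources as they would arrive on each PIX interface.
SAMPLE_PACKETS = [
    ("192.0.2.40", "outside"),   # finance server address arriving from the LAN: spoof
    ("10.1.2.3", "outside"),     # ordinary employee workstation: fine
    ("192.0.2.40", "finance"),   # the real server talking out: fine
    ("10.1.2.3", "finance"),     # LAN address arriving from the server zone: spoof
    ("192.0.2.70", "finance"),   # hr zone address on the finance interface: spoof
]

if __name__ == "__main__":
    for pkt in filter_spoofs(SAMPLE_PACKETS):
        print("drop", pkt)
```

Two things follow from the simulation. First, the check is symmetric: it catches a server-zone address arriving from the LAN side, but also a LAN address arriving from a server zone, which is the case a compromised server would produce. Second, strict RPF can only accept a source it has a route for; with a default route pointing at "outside", every legitimate source on the higher-security interfaces must be covered by an explicit route, or the check will drop real traffic along with the spoofs.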
 
I don't control the router =(

My arrangement is a little unconventional. The PIX is NOT running at the perimeter; it's actually an internal firewall to aid in securing vital financial servers. We use it to make sure employees aren't playing around where they shouldn't be.

So everything except for the servers are considered untrusted. I have several different "zones" setup, depending on the security level of the servers. One of my zones is setup to allow access to all internal traffic.

Being that my organization uses static IP addresses, and everything behind the firewall is xxx.xxx.75.x 255.255.255.224, I was just wondering if it would be wise to block those addresses on the outside interface just as an added measure.

If you say it's not needed, I won't do it.

Also, does anyone else get a lot of crap from 211.0.0.0? Asia network?


MCSE/MCDBA
SANS GIAC + SANS FIREWALL
 