This blog was originally started to better help me understand the technologies in the CCIE R&S blueprint; after completing the R&S track I have decided to transition the blog into a technology blog.

CCIE #29033

This blog will continue to include questions, troubleshooting scenarios, and references to existing and new technologies but will grow to include a variety of different platforms and technologies. Currently I have created over 185 questions/answers in regards to the CCIE R&S track!! Note: answers are in the comment field or within "Read More" section.

You can also follow me on twitter @FE80CC1E


Monday, June 17, 2013

RFC 3330 Filtering Using Network Objects

RFC3330 Special-Use IPv4 Addresses

Below is a list of special-use IPv4 address blocks assigned by IANA that should be blocked inbound on external connections. Most security administrators block RFC1918 but do not realize that RFC3330 includes further special-use addresses that should never be traversing the internet. RFC3330 collects addresses referenced in multiple RFCs, including RFC1918.

   Address Block        Present Use
   --------------------------------------------------------------
   0.0.0.0/8            "This" Network
   10.0.0.0/8           Private-Use Networks
   14.0.0.0/8           Public-Data Networks
   24.0.0.0/8           Cable Television Networks
   39.0.0.0/8           Reserved but subject to allocation
   127.0.0.0/8          Loopback
   128.0.0.0/16         Reserved but subject to allocation
   169.254.0.0/16       Link Local
   172.16.0.0/12        Private-Use Networks
   191.255.0.0/16       Reserved but subject to allocation
   192.0.0.0/24         Reserved but subject to allocation
   192.0.2.0/24         Test-Net
   192.88.99.0/24       6to4 Relay Anycast
   192.168.0.0/16       Private-Use Networks
   198.18.0.0/15        Network Interconnect Device Benchmark Testing
   223.255.255.0/24     Reserved but subject to allocation
   224.0.0.0/4          Multicast
   240.0.0.0/4          Reserved for Future Use


To block these addresses on a Cisco ASA you can leverage a network object-group so the access list needs only one deny entry. See below:

CREATE OBJECT GROUP
object-group network RFC3330
   network-object 0.0.0.0 255.0.0.0
   network-object 10.0.0.0 255.0.0.0
   network-object 14.0.0.0 255.0.0.0
   network-object 24.0.0.0 255.0.0.0
   network-object 39.0.0.0 255.0.0.0
   network-object 127.0.0.0 255.0.0.0
   network-object 128.0.0.0 255.255.0.0
   network-object 169.254.0.0 255.255.0.0
   network-object 172.16.0.0 255.240.0.0
   network-object 191.255.0.0 255.255.0.0
   network-object 192.0.0.0 255.255.255.0
   network-object 192.0.2.0 255.255.255.0
   network-object 192.88.99.0 255.255.255.0
   network-object 192.168.0.0 255.255.0.0
   network-object 198.18.0.0 255.254.0.0
   network-object 223.255.255.0 255.255.255.0
   network-object 224.0.0.0 240.0.0.0
   network-object 240.0.0.0 240.0.0.0

CREATE ACCESS LIST
access-list outside_inbound deny ip object-group RFC3330 any

APPLY ACCESS CONTROL LIST TO THE INTERFACE (Note: you can also be a good internet citizen and block these addresses outbound.) In this example we are denying RFC3330 sources inbound on the outside interface.
access-group outside_inbound in interface outside
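As an added example that is not from the original post, the Python below regenerates the object-group, ACL and access-group lines above from the CIDR list (so the dotted masks are derived rather than hand-typed) and checks whether a given source address would be matched by that deny entry; the RFC3330_BLOCKS list, the function names and the sample addresses are my own.

```python
import ipaddress

# RFC 3330 special-use blocks, transcribed from the table in this post.
# Caveat: RFC 3330 was obsoleted by RFC 5735/6890; 14/8, 24/8, 39/8,
# 128.0/16, 191.255/16 and 223.255.255/24 are now ordinary allocated space.
RFC3330_BLOCKS = [
    "0.0.0.0/8", "10.0.0.0/8", "14.0.0.0/8", "24.0.0.0/8", "39.0.0.0/8",
    "127.0.0.0/8", "128.0.0.0/16", "169.254.0.0/16", "172.16.0.0/12",
    "191.255.0.0/16", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "223.255.255.0/24", "224.0.0.0/4",
    "240.0.0.0/4",
]
NETS = [ipaddress.ip_network(b) for b in RFC3330_BLOCKS]


def asa_object_group(name, nets):
    """Render an ASA object-group; the ASA CLI takes dotted masks, not /prefix."""
    lines = [f"object-group network {name}"]
    lines += [f" network-object {n.network_address} {n.netmask}" for n in nets]
    return "\n".join(lines)


def asa_filter_config(acl="outside_inbound", group="RFC3330", iface="outside"):
    """Object-group, the deny ACE, and the inbound access-group binding."""
    return "\n".join([
        asa_object_group(group, NETS),
        f"access-list {acl} deny ip object-group {group} any",
        f"access-group {acl} in interface {iface}",
    ])


def is_rfc3330_source(src, nets=NETS):
    """True if the deny ACE above would match a packet with this source IP."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in nets)


def audit_sources(srcs, nets=NETS):
    """Split observed source IPs into (matched by the deny ACE, not matched)."""
    denied = [s for s in srcs if is_rfc3330_source(s, nets)]
    passed = [s for s in srcs if not is_rfc3330_source(s, nets)]
    return denied, passed


if __name__ == "__main__":
    print(asa_filter_config())
    # Constructed sample of source addresses seen arriving on "outside".
    sample = ["198.51.100.7", "10.1.2.3", "169.254.10.1", "192.0.2.44"]
    denied, passed = audit_sources(sample)
    print("matched by deny ACE:", denied)   # 10.1.2.3 169.254.10.1 192.0.2.44
    print("not matched:", passed)           # 198.51.100.7
```

Because several of these blocks have been handed out to registries since RFC 3330 was written, regenerate the list from the current IANA special-purpose address registry before deploying it rather than blocking the 2002 table as-is.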