3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Deny internal networks'

Information

This command places the router in access-list configuration mode, where you must define the denied or permitted access conditions by using the deny and permit commands.

Solution

Configure an extended ACL that denies private source addresses arriving from external networks, then apply it inbound on the external interface:
hostname(config)#ip access-list extended {name | number}
hostname(config-nacl)#deny ip {internal_networks} any log
hostname(config-nacl)#deny ip 127.0.0.0 0.255.255.255 any log
hostname(config-nacl)#deny ip 10.0.0.0 0.255.255.255 any log
hostname(config-nacl)#deny ip 0.0.0.0 0.255.255.255 any log
hostname(config-nacl)#deny ip 172.16.0.0 0.15.255.255 any log
hostname(config-nacl)#deny ip 192.168.0.0 0.0.255.255 any log
hostname(config-nacl)#deny ip 192.0.2.0 0.0.0.255 any log
hostname(config-nacl)#deny ip 169.254.0.0 0.0.255.255 any log
hostname(config-nacl)#deny ip 224.0.0.0 31.255.255.255 any log
hostname(config-nacl)#deny ip host 255.255.255.255 any log
hostname(config-nacl)#permit {protocol} {source_ip} {source_mask} {destination} {destination_mask} log
hostname(config-nacl)#deny ip any any log
hostname(config)#interface <external_interface>
hostname(config-if)#ip access-group <access-list> in
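
An added example, not part of the benchmark or the audit plugin: a Python check that parses an ACL written in the form shown in the Solution, confirms each fixed deny range appears before the first permit, and reports which action a given source address hits under IOS wildcard-mask matching. The ACL name EXT-IN, the internal network 203.0.113.0/24 and the permit rule are constructed sample values, and matching considers the source field only.

```python
import ipaddress

# Fixed source ranges the Solution denies, as (base, wildcard) pairs.
REQUIRED = [("127.0.0.0", "0.255.255.255"), ("10.0.0.0", "0.255.255.255"),
            ("0.0.0.0", "0.255.255.255"), ("172.16.0.0", "0.15.255.255"),
            ("192.168.0.0", "0.0.255.255"), ("192.0.2.0", "0.0.0.255"),
            ("169.254.0.0", "0.0.255.255"), ("224.0.0.0", "31.255.255.255"),
            ("255.255.255.255", "0.0.0.0")]

# Constructed sample: ACL name, internal network and permit rule are assumptions.
SAMPLE_ACL = "\n".join(
    ["ip access-list extended EXT-IN", " deny ip 203.0.113.0 0.0.0.255 any log"]
    + [f" deny ip {b} {w} any log" for b, w in REQUIRED[:-1]]
    + [" deny ip host 255.255.255.255 any log",
       " permit tcp any host 203.0.113.10 eq 443 log", " deny ip any any log"])

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_entries(acl_text):
    """Return [(action, src_base, src_wildcard)] as ints for each deny/permit line."""
    entries = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] not in ("deny", "permit"):
            continue
        src = tok[2:]                      # tok[1] is the protocol
        if src[0] == "any":
            base, wild = 0, 0xFFFFFFFF
        elif src[0] == "host":
            base, wild = to_int(src[1]), 0
        else:
            base, wild = to_int(src[0]), to_int(src[1])
        entries.append((tok[0], base & ~wild & 0xFFFFFFFF, wild))
    return entries

def source_action(entries, src_ip):
    """First match on the source field only; an ACL ends with an implicit deny."""
    addr = to_int(src_ip)
    for action, base, wild in entries:
        if ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0:  # wildcard 1-bits are ignored
            return action
    return "deny"

def missing_required(entries):
    """REQUIRED pairs that have no deny entry ahead of the first permit."""
    stop = next((i for i, e in enumerate(entries) if e[0] == "permit"), len(entries))
    denies = {(b, w) for a, b, w in entries[:stop] if a == "deny"}
    return [(b, w) for b, w in REQUIRED if (to_int(b), to_int(w)) not in denies]
```

The single entry 224.0.0.0 31.255.255.255 covers 224.0.0.0 through 255.255.255.255, so multicast and reserved sources are both denied by it.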

See Also

https://workbench.cisecurity.org/files/508

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(5), 800-53|SC-7(11)

Plugin: Cisco

Control ID: cc5856751834c5bd9c1d7464f99eb642a9e38337d414b49373caff4dea7a1682