[c-nsp] PIX host blocking
barney gumbo
barney.gumbo at gmail.com
Tue Dec 14 12:08:39 EST 2004
I would like to block outbound (from all higher security interfaces)
access to a list of roughly 150 specific /32 hosts on the internet
from my internet gateway points.
Previously this was done using black-hole routing in our internal
routing domain, however our routing tables are just ugly now.
I'd prefer not to manage this using the shun command for a few
reasons. I also think using ACLs for this purpose would create ACLs
that are a bit too large for this purpose: I don't need every packet
to run through a list like that for my purposes. So this brought me
to using black-hole routing on the PIX (statically, not using a
dynamic protocol).
For example, I want to block access to 1.1.1.1 from the higher-security
interfaces, so the route statement would look like this:
route outside 1.1.1.1 255.255.255.255 <???>
What should the <???> next-hop be? There is no Null0 interface. Can
anyone think of any reasons, performance related or otherwise, to just
use an unreachable network such as 127.0.0.1?
--JS
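An added helper, not from the poster, for producing the roughly 150 static route statements above from a plain host list: it accepts only single IPv4 hosts (a typo such as a /24 is rejected rather than silently null-routed), drops duplicates, and emits the PIX `route` syntax from the post. The sample list and the interface name `outside` are constructed, and the next hop is left as a placeholder because that is exactly what the post asks about.

```python
import ipaddress

# Constructed sample host list, as it might be kept in a text file.
# '#' comments and blank lines are ignored; 1.1.1.1 is the post's example host.
SAMPLE_HOSTS = """
# destinations to black-hole, one per line
1.1.1.1
203.0.113.7
203.0.113.7      # duplicate, emitted once
198.51.100.0/24  # not a /32, rejected
not-an-ip
"""


def parse_hosts(text):
    """Return (accepted /32 hosts in file order, rejected entries)."""
    accepted, rejected = [], []
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append(line)
            continue
        # Only single IPv4 hosts: anything wider than a /32 is refused so a
        # typo cannot black-hole a whole prefix.
        if net.version != 4 or net.prefixlen != 32:
            rejected.append(line)
            continue
        host = str(net.network_address)
        if host not in seen:
            seen.add(host)
            accepted.append(host)
    return accepted, rejected


def pix_route_lines(hosts, interface="outside", next_hop="NEXT_HOP_PLACEHOLDER"):
    """One PIX 'route <if> <host> 255.255.255.255 <gateway>' line per host.
    next_hop is a placeholder (assumption): the post leaves it open."""
    return [f"route {interface} {h} 255.255.255.255 {next_hop}" for h in hosts]


if __name__ == "__main__":
    hosts, bad = parse_hosts(SAMPLE_HOSTS)
    print("\n".join(pix_route_lines(hosts)))
    for entry in bad:
        print(f"! rejected: {entry}")
```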