[c-nsp] PIX host blocking
Brian Feeny
signal at shreve.net
Tue Dec 14 12:37:58 EST 2004
If you have a default route, then all networks are reachable, and I assume you have a default route.
Brian
On Dec 14, 2004, at 11:08 AM, barney gumbo wrote:
> I would like to block outbound (from all higher security interfaces)
> access to a list of roughly 150 specific /32 hosts on the internet
> from my internet gateway points.
>
> Previously this was done using black-hole routing in our internal
> routing domain, however our routing tables are just ugly now.
>
> I'd prefer not to manage this using the shun command for a few
> reasons. I also think using ACLs for this purpose would create ACLs
> that are a bit too large for this purpose- I don't need every packet
> to run through a list like that for my purposes. So this brought me
> to using black-hole routing on the PIX (statically, not using a
> dynamic protocol).
>
> For example I want to block access to 1.1.1.1 from the higher sec
> interfaces so the route statement would look like this-
> route outside 1.1.1.1 255.255.255.255 <???>
>
> What should the <???> next-hop be? There is no Null0 interface. Can
> anyone think of any reasons, performance related or otherwise, to just
> use an unreachable network such as 127.0.0.1?
>
> --JS
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
------------------------------------------------------------------------------
Brian Feeny, CCIE #8036, CISSP e: signal at shreve.net
Network Engineer p: 318.213.4709
ShreveNet Inc. f: 318.221.6612