RFC 2827 is an ingress filter. Adding it as outbound is an advantage. You can add the RFC 3330 addresses too.
When you use NAT and private addresses for the inner network, you should deny that network in the outbound ACL.

With regards
Kings

On Mon, Jan 31, 2011 at 9:30 AM, Mark Senteza <[email protected]> wrote:

> Hey all
>
> When securing your router according to RFC 2827 for the lab exam, would it
> be a good idea to configure both an inbound and an outbound ACL, as in the
> configuration below, or just an inbound ACL?
>
> The configuration assumes the following:
> - interface fa0/0 is the unsecure interface
> - the following public range is used internally too - 184.1.0.0/16
>
> ip access-list ext INBOUND
>  deny ip 10.0.0.0 0.255.255.255 any
>  deny ip 172.16.0.0 0.15.255.255 any
>  deny ip 192.168.0.0 0.0.255.255 any
>  deny ip 184.1.0.0 0.0.255.255 any
>  permit ip any any
>
> ip access-list ext OUTBOUND
>  permit ip 10.0.0.0 0.255.255.255 any
>  permit ip 172.16.0.0 0.15.255.255 any
>  permit ip 192.168.0.0 0.0.255.255 any
>  permit ip 184.1.0.0 0.0.255.255 any
>  deny ip any any
>
> interface fa 0/0
>  ip access-group INBOUND in
>  ip access-group OUTBOUND out
>
> Thanks,
>
> Mark
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
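Added example, not part of the original thread: a small first-match evaluator for the source-address ACLs posted above, run against constructed source addresses, to show which sources each list passes or drops. `OUTBOUND_NAT` is a hypothetical variant illustrating the NAT case from the reply; the function names and test addresses are assumptions made for this example.

```python
import ipaddress

def parse_acl(text):
    """Parse 'permit|deny ip <src> <wildcard>|any any' lines (source match only)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[2] == "any":
            base, wild = 0, 0xFFFFFFFF
        else:
            base = int(ipaddress.IPv4Address(tok[2]))
            wild = int(ipaddress.IPv4Address(tok[3]))
        rules.append((tok[0], base, wild))
    return rules

def evaluate(rules, src_ip):
    """Return the action of the first matching entry; no match is an implicit deny."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for action, base, wild in rules:
        # Wildcard bits set to 1 are ignored; all other bits must equal the base.
        if (addr | wild) == (base | wild):
            return action
    return "deny"

# ACLs as posted in the thread.
INBOUND = parse_acl("""
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 184.1.0.0 0.0.255.255 any
permit ip any any
""")
OUTBOUND = parse_acl("""
permit ip 10.0.0.0 0.255.255.255 any
permit ip 172.16.0.0 0.15.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
permit ip 184.1.0.0 0.0.255.255 any
deny ip any any
""")
# Hypothetical variant for the NAT case in the reply: only the public range
# may leave, so private (untranslated) sources fall through to the final deny.
OUTBOUND_NAT = parse_acl("""
permit ip 184.1.0.0 0.0.255.255 any
deny ip any any
""")

if __name__ == "__main__":
    # Constructed source addresses, including the 172.16.0.0/12 boundary.
    for src in ["10.1.1.1", "172.31.255.254", "172.32.0.1", "184.1.5.5", "198.51.100.7"]:
        print(src, evaluate(INBOUND, src), evaluate(OUTBOUND, src), evaluate(OUTBOUND_NAT, src))
```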
