TomS_
Git-r-done
MVM
join:2002-07-19
London, UK

TomS_ to DarkLogix

Re: [CCNA] Explicit deny in ACL's

Well, that's just wtf. I can't begin to imagine how on earth they could identify something like that.

They would have to literally be sitting at the other end of your WAN link, sending packets to your router with a different destination address to your router, such that your router would NAT them, and then on the way back de-NAT (is that even a term?) and send back to them on the other side of the WAN link.

Otherwise, how on earth are they sending packets to your router over the greater internet from more than 1 hop away, when the intermediate routers are just going to route the packet to the destination address in the packets???

The only other way I can think to do this is over a tunnel. But it's a highly unlikely situation requiring lots of hackery, and not likely to be a widely enough exploitable thing to worry about.

So indeed a very odd thing, I would like to know more...

DarkLogix
Texan and Proud
Premium Member
join:2008-10-23
Baytown, TX


said by TomS_:

So indeed a very odd thing, I would like to know more...

Ya, it was weird, and when it happened I was like WTF.
IIRC it was on a 2651 router back around 2006 or so. (maybe a bit earlier)

I would guess they'd have to give themselves some funky route that let them know of the hops from them to me, then give a default route of my router.

But ya, if I could find that site again, I think I'd try to figure out how they were checking.

cramer
Premium Member
join:2007-04-10
Raleigh, NC


"ip source-route"??? That's the only simple way to get traffic to enter and then turn around and leave the same interface. Even in '06 you should've had that turned off.

DarkLogix
Texan and Proud
Premium Member
join:2008-10-23
Baytown, TX


But having a NAT ACL of
permit 10.0.0.0 0.0.0.255

should have only allowed my traffic to be NATed (I don't think that other command was there, but still.) If the implicit deny was functioning right, I should never have had to change it to

Permit 10.0.0.0 0.0.0.255
Deny any
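For reference, an added IOS config example (not posted by anyone in this thread) pulling together the two points raised above: the NAT ACL with an explicit, logged deny instead of relying only on the implicit one, and source routing disabled as cramer suggests. The interface names, the inside address 10.0.0.1 and the ACL number are assumptions; only the 10.0.0.0 0.0.0.255 range comes from the thread.

```cisco
! Added example, not from the thread. Assumed: Fa0/0 is the LAN side,
! Fa0/1 is the WAN side, and the router does PAT on the WAN address.
!
! Ignore IP source-route options, so a packet arriving on the WAN
! interface cannot carry instructions that send it back out the same way.
no ip source-route
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
!
! NAT ACL from the thread with an explicit logged deny appended. The
! implicit deny already drops everything else; the explicit line adds
! a hit counter and a log message, so any non-10.0.0.x source that
! reaches the NAT decision becomes visible instead of silently failing.
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 deny   any log
!
ip nat inside source list 1 interface FastEthernet0/1 overload
!
! Checks after applying:
!   show access-lists 1        -> per-line match counters; the deny line
!                                 should stay at zero on a sane LAN
!   show ip nat translations   -> every inside local address should be
!                                 within 10.0.0.0/24
```

If the deny counter climbs or translations show an inside local address outside 10.0.0.0/24, that is the symptom from DarkLogix's post worth investigating on the specific IOS release in use.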