If you're like me, you may find yourself running into security rules written by people who write rules for stupid people. They may have a rule that says "Your firewall can have no 'permit any' rules of any kind!" Now, I completely understand the motivation, and there are certainly plenty of good reasons not to use such rules. But in a properly implemented firewall design, the occasional permit rule with an "any" in it somewhere is perfectly suitable, at least when it's guarded by a well-constructed set of deny rules ahead of it.
Since the body that audits us requires that we have no permit statements with an "any" of any sort in them, I've had to come up with another way of permitting access to the internet. Within the letter of the regulations, I could have just created a group containing something like
- permit 0.0.0.0 /1
- permit 128.0.0.0 /1
and called it a day. Within the letter, certainly; not within the spirit. Besides, we all know full well that there are martians and bogons out there that we'd rather not communicate with. Our gear can't reach out and fetch the bogon list itself, so I created an ACL that's the inverse of the martian list (see Team Cymru and RFC 5735). Since static blocking of bogons is a Bad Idea (the bogon list changes as address space is allocated, and a stale copy ends up blocking legitimate networks), I ignored the bogons and filtered only the martians.
Below I've created two different ways to filter the martians. One is for Cisco ASAs running 8.3 and later, which support range network objects and make this a piece of cake. On 8.2 and earlier you're stuck with subnets, and it's a bit of a mess.
It turns out that the placement of some of the reserved blocks is about as sub-optimal as possible for inversion (they don't sit on power-of-two boundaries), which makes the inverted list extremely lengthy.
Rather than this lengthy, performance-impacting group, it could be better to create a minimally strict "internet" group containing the whole range 1.0.0.0 - 223.255.255.255 (a superset of the group below) and a separate martian group. The ACL would first deny the martians, then permit the broad internet group, followed by the implicit deny all. That might not fly with the compliance folks I have to satisfy, though, so I went ahead and created this mess.
I started with the martian list, using RFC5735.
!RFC 5735 Special Use IPv4 Addresses (Cymru "martians")
!
!0.0.0.0/8 "This" Network RFC 1122, Section 3.2.1.3
!10.0.0.0/8 Private-Use Networks RFC 1918
!127.0.0.0/8 Loopback RFC 1122, Section 3.2.1.3
!169.254.0.0/16 Link Local RFC 3927
!172.16.0.0/12 Private-Use Networks RFC 1918
!192.0.0.0/24 IETF Protocol Assignments RFC 5736
!192.0.2.0/24 TEST-NET-1 RFC 5737
!192.88.99.0/24 6to4 Relay Anycast RFC 3068 (also listed in RFC 5735; carved out by the range-based script below, but not by the subnet-based one)
!192.168.0.0/16 Private-Use Networks RFC 1918
!198.18.0.0/15 Network Interconnect Device Benchmark Testing RFC 2544
!198.51.100.0/24 TEST-NET-2 RFC 5737
!203.0.113.0/24 TEST-NET-3 RFC 5737
!224.0.0.0/4 Multicast RFC 3171
!240.0.0.0/4 Reserved for Future Use RFC 1112, Section 4
!255.255.255.255/32 Limited Broadcast RFC 919, Section 7; RFC 922, Section 7
Edit: We now also need to add the RFC 6598 CGN (shared address space) block:
!100.64.0.0/10 CGN Private Networks RFC 6598
Then I built the complete list of subnets, using the largest possible subnets in each gap between the excluded blocks.
(Exclude 0.0.0.0 - 0.255.255.255)
1.0.0.0 /8 = 1.0.0.0 - 1.255.255.255
2.0.0.0 /7 = 2.0.0.0 - 3.255.255.255
4.0.0.0 /6 = 4.0.0.0 - 7.255.255.255
8.0.0.0 /7 = 8.0.0.0 - 9.255.255.255
(Exclude 10.0.0.0 - 10.255.255.255)
11.0.0.0 /8 = 11.0.0.0 - 11.255.255.255
12.0.0.0 /6 = 12.0.0.0 - 15.255.255.255
16.0.0.0 /4 = 16.0.0.0 - 31.255.255.255
32.0.0.0 /3 = 32.0.0.0 - 63.255.255.255
64.0.0.0 /3 = 64.0.0.0 - 95.255.255.255
96.0.0.0 /6 = 96.0.0.0 - 99.255.255.255
100.0.0.0 /10 = 100.0.0.0 - 100.63.255.255
(Exclude 100.64.0.0 - 100.127.255.255)
100.128.0.0 /9 = 100.128.0.0 - 100.255.255.255
101.0.0.0 /8 = 101.0.0.0 - 101.255.255.255
102.0.0.0 /7 = 102.0.0.0 - 103.255.255.255
104.0.0.0 /5 = 104.0.0.0 - 111.255.255.255
112.0.0.0 /5 = 112.0.0.0 - 119.255.255.255
120.0.0.0 /6 = 120.0.0.0 - 123.255.255.255
124.0.0.0 /7 = 124.0.0.0 - 125.255.255.255
126.0.0.0 /8 = 126.0.0.0 - 126.255.255.255
(Exclude 127.0.0.0 - 127.255.255.255)
128.0.0.0 /3 = 128.0.0.0 - 159.255.255.255
160.0.0.0 /5 = 160.0.0.0 - 167.255.255.255
168.0.0.0 /8 = 168.0.0.0 - 168.255.255.255
169.0.0.0 /9 = 169.0.0.0 - 169.127.255.255
169.128.0.0 /10 = 169.128.0.0 - 169.191.255.255
169.192.0.0 /11 = 169.192.0.0 - 169.223.255.255
169.224.0.0 /12 = 169.224.0.0 - 169.239.255.255
169.240.0.0 /13 = 169.240.0.0 - 169.247.255.255
169.248.0.0 /14 = 169.248.0.0 - 169.251.255.255
169.252.0.0 /15 = 169.252.0.0 - 169.253.255.255
(Exclude 169.254.0.0 - 169.254.255.255)
169.255.0.0 /16 = 169.255.0.0 - 169.255.255.255
170.0.0.0 /7 = 170.0.0.0 - 171.255.255.255
172.0.0.0 /12 = 172.0.0.0 - 172.15.255.255
(Exclude 172.16.0.0 - 172.31.255.255)
172.32.0.0 /11 = 172.32.0.0 - 172.63.255.255
172.64.0.0 /10 = 172.64.0.0 - 172.127.255.255
172.128.0.0 /9 = 172.128.0.0 - 172.255.255.255
173.0.0.0 /8 = 173.0.0.0 - 173.255.255.255
174.0.0.0 /7 = 174.0.0.0 - 175.255.255.255
176.0.0.0 /4 = 176.0.0.0 - 191.255.255.255
(Exclude 192.0.0.0 - 192.0.0.255)
192.0.1.0 /24 = 192.0.1.0 - 192.0.1.255
(Exclude 192.0.2.0 - 192.0.2.255)
192.0.3.0 /24 = 192.0.3.0 - 192.0.3.255
192.0.4.0 /22 = 192.0.4.0 - 192.0.7.255
192.0.8.0 /21 = 192.0.8.0 - 192.0.15.255
192.0.16.0 /20 = 192.0.16.0 - 192.0.31.255
192.0.32.0 /19 = 192.0.32.0 - 192.0.63.255
192.0.64.0 /18 = 192.0.64.0 - 192.0.127.255
192.0.128.0 /17 = 192.0.128.0 - 192.0.255.255
192.1.0.0 /16 = 192.1.0.0 - 192.1.255.255
192.2.0.0 /15 = 192.2.0.0 - 192.3.255.255
192.4.0.0 /14 = 192.4.0.0 - 192.7.255.255
192.8.0.0 /13 = 192.8.0.0 - 192.15.255.255
192.16.0.0 /12 = 192.16.0.0 - 192.31.255.255
192.32.0.0 /11 = 192.32.0.0 - 192.63.255.255
192.64.0.0 /10 = 192.64.0.0 - 192.127.255.255
192.128.0.0 /11 = 192.128.0.0 - 192.159.255.255
192.160.0.0 /13 = 192.160.0.0 - 192.167.255.255
(Exclude 192.168.0.0 /16)
192.169.0.0 /16 = 192.169.0.0 - 192.169.255.255
192.170.0.0 /15 = 192.170.0.0 - 192.171.255.255
192.172.0.0 /14 = 192.172.0.0 - 192.175.255.255
192.176.0.0 /12 = 192.176.0.0 - 192.191.255.255
192.192.0.0 /10 = 192.192.0.0 - 192.255.255.255
193.0.0.0 /8 = 193.0.0.0 - 193.255.255.255
194.0.0.0 /7 = 194.0.0.0 - 195.255.255.255
196.0.0.0 /7 = 196.0.0.0 - 197.255.255.255
198.0.0.0 /12 = 198.0.0.0 - 198.15.255.255
198.16.0.0 /15 = 198.16.0.0 - 198.17.255.255
(Exclude 198.18.0.0 /15)
198.20.0.0 /14 = 198.20.0.0 - 198.23.255.255
198.24.0.0 /13 = 198.24.0.0 - 198.31.255.255
198.32.0.0 /12 = 198.32.0.0 - 198.47.255.255
198.48.0.0 /15 = 198.48.0.0 - 198.49.255.255
198.50.0.0 /16 = 198.50.0.0 - 198.50.255.255
198.51.0.0 /18 = 198.51.0.0 - 198.51.63.255
198.51.64.0 /19 = 198.51.64.0 - 198.51.95.255
198.51.96.0 /22 = 198.51.96.0 - 198.51.99.255
(Exclude 198.51.100.0/24)
198.51.101.0 /24 = 198.51.101.0 - 198.51.101.255
198.51.102.0 /23 = 198.51.102.0 - 198.51.103.255
198.51.104.0 /21 = 198.51.104.0 - 198.51.111.255
198.51.112.0 /20 = 198.51.112.0 - 198.51.127.255
198.51.128.0 /17 = 198.51.128.0 - 198.51.255.255
198.52.0.0 /14 = 198.52.0.0 - 198.55.255.255
198.56.0.0 /13 = 198.56.0.0 - 198.63.255.255
198.64.0.0 /10 = 198.64.0.0 - 198.127.255.255
198.128.0.0 /9 = 198.128.0.0 - 198.255.255.255
199.0.0.0 /8 = 199.0.0.0 - 199.255.255.255
200.0.0.0 /7 = 200.0.0.0 - 201.255.255.255
202.0.0.0 /8 = 202.0.0.0 - 202.255.255.255
203.0.0.0 /18 = 203.0.0.0 - 203.0.63.255
203.0.64.0 /19 = 203.0.64.0 - 203.0.95.255
203.0.96.0 /20 = 203.0.96.0 - 203.0.111.255
203.0.112.0 /24 = 203.0.112.0 - 203.0.112.255
(Exclude 203.0.113.0/24)
203.0.114.0 /23 = 203.0.114.0 - 203.0.115.255
203.0.116.0 /22 = 203.0.116.0 - 203.0.119.255
203.0.120.0 /21 = 203.0.120.0 - 203.0.127.255
203.0.128.0 /17 = 203.0.128.0 - 203.0.255.255
203.1.0.0 /16 = 203.1.0.0 - 203.1.255.255
203.2.0.0 /15 = 203.2.0.0 - 203.3.255.255
203.4.0.0 /14 = 203.4.0.0 - 203.7.255.255
203.8.0.0 /13 = 203.8.0.0 - 203.15.255.255
203.16.0.0 /12 = 203.16.0.0 - 203.31.255.255
203.32.0.0 /11 = 203.32.0.0 - 203.63.255.255
203.64.0.0 /10 = 203.64.0.0 - 203.127.255.255
203.128.0.0 /9 = 203.128.0.0 - 203.255.255.255
204.0.0.0 /6 = 204.0.0.0 - 207.255.255.255
208.0.0.0 /4 = 208.0.0.0 - 223.255.255.255
(Exclude 224.0.0.0 - 255.255.255.255)
Finally, I created an ASA script out of that:
! ASA config-script, subnet-based. (Good for 8.2 and earlier)
! This will create a bunch of unnamed network objects that you may or may not hate. YMMV.
object-group network NET-INET-VALID
network-object 1.0.0.0 255.0.0.0
network-object 2.0.0.0 254.0.0.0
network-object 4.0.0.0 252.0.0.0
network-object 8.0.0.0 254.0.0.0
network-object 11.0.0.0 255.0.0.0
network-object 12.0.0.0 252.0.0.0
network-object 16.0.0.0 240.0.0.0
network-object 32.0.0.0 224.0.0.0
network-object 64.0.0.0 224.0.0.0
network-object 96.0.0.0 252.0.0.0
network-object 100.0.0.0 255.192.0.0
! 100.64.0.0/10 (RFC 6598 CGN) is excluded here, matching the subnet list above
network-object 100.128.0.0 255.128.0.0
network-object 101.0.0.0 255.0.0.0
network-object 102.0.0.0 254.0.0.0
network-object 104.0.0.0 248.0.0.0
network-object 112.0.0.0 248.0.0.0
network-object 120.0.0.0 252.0.0.0
network-object 124.0.0.0 254.0.0.0
network-object 126.0.0.0 255.0.0.0
network-object 128.0.0.0 224.0.0.0
network-object 160.0.0.0 248.0.0.0
network-object 168.0.0.0 255.0.0.0
network-object 169.0.0.0 255.128.0.0
network-object 169.128.0.0 255.192.0.0
network-object 169.192.0.0 255.224.0.0
network-object 169.224.0.0 255.240.0.0
network-object 169.240.0.0 255.248.0.0
network-object 169.248.0.0 255.252.0.0
network-object 169.252.0.0 255.254.0.0
network-object 169.255.0.0 255.255.0.0
network-object 170.0.0.0 254.0.0.0
network-object 172.0.0.0 255.240.0.0
network-object 172.32.0.0 255.224.0.0
network-object 172.64.0.0 255.192.0.0
network-object 172.128.0.0 255.128.0.0
network-object 173.0.0.0 255.0.0.0
network-object 174.0.0.0 254.0.0.0
network-object 176.0.0.0 240.0.0.0
network-object 192.0.1.0 255.255.255.0
network-object 192.0.3.0 255.255.255.0
network-object 192.0.4.0 255.255.252.0
network-object 192.0.8.0 255.255.248.0
network-object 192.0.16.0 255.255.240.0
network-object 192.0.32.0 255.255.224.0
network-object 192.0.64.0 255.255.192.0
network-object 192.0.128.0 255.255.128.0
network-object 192.1.0.0 255.255.0.0
network-object 192.2.0.0 255.254.0.0
network-object 192.4.0.0 255.252.0.0
network-object 192.8.0.0 255.248.0.0
network-object 192.16.0.0 255.240.0.0
network-object 192.32.0.0 255.224.0.0
network-object 192.64.0.0 255.192.0.0
network-object 192.128.0.0 255.224.0.0
network-object 192.160.0.0 255.248.0.0
network-object 192.169.0.0 255.255.0.0
network-object 192.170.0.0 255.254.0.0
network-object 192.172.0.0 255.252.0.0
network-object 192.176.0.0 255.240.0.0
network-object 192.192.0.0 255.192.0.0
network-object 193.0.0.0 255.0.0.0
network-object 194.0.0.0 254.0.0.0
network-object 196.0.0.0 254.0.0.0
network-object 198.0.0.0 255.240.0.0
network-object 198.16.0.0 255.254.0.0
network-object 198.20.0.0 255.252.0.0
network-object 198.24.0.0 255.248.0.0
network-object 198.32.0.0 255.240.0.0
network-object 198.48.0.0 255.254.0.0
network-object 198.50.0.0 255.255.0.0
network-object 198.51.0.0 255.255.192.0
network-object 198.51.64.0 255.255.224.0
network-object 198.51.96.0 255.255.252.0
network-object 198.51.101.0 255.255.255.0
network-object 198.51.102.0 255.255.254.0
network-object 198.51.104.0 255.255.248.0
network-object 198.51.112.0 255.255.240.0
network-object 198.51.128.0 255.255.128.0
network-object 198.52.0.0 255.252.0.0
network-object 198.56.0.0 255.248.0.0
network-object 198.64.0.0 255.192.0.0
network-object 198.128.0.0 255.128.0.0
network-object 199.0.0.0 255.0.0.0
network-object 200.0.0.0 254.0.0.0
network-object 202.0.0.0 255.0.0.0
network-object 203.0.0.0 255.255.192.0
network-object 203.0.64.0 255.255.224.0
network-object 203.0.96.0 255.255.240.0
network-object 203.0.112.0 255.255.255.0
network-object 203.0.114.0 255.255.254.0
network-object 203.0.116.0 255.255.252.0
network-object 203.0.120.0 255.255.248.0
network-object 203.0.128.0 255.255.128.0
network-object 203.1.0.0 255.255.0.0
network-object 203.2.0.0 255.254.0.0
network-object 203.4.0.0 255.252.0.0
network-object 203.8.0.0 255.248.0.0
network-object 203.16.0.0 255.240.0.0
network-object 203.32.0.0 255.224.0.0
network-object 203.64.0.0 255.192.0.0
network-object 203.128.0.0 255.128.0.0
network-object 204.0.0.0 252.0.0.0
network-object 208.0.0.0 240.0.0.0
For those of you lucky enough to be running 8.3 or later, there's also this much simpler range-based version. Note that it additionally carves out 192.88.99.0/24 (6to4 relay anycast, RFC 3068, which RFC 5735 also lists), which the subnet-based list above does not:
! ASA Config script, Range-based (for ASA 8.3 and up)
!
object network NET-INET-RANGE1
range 1.0.0.0 9.255.255.255
object network NET-INET-RANGE2
range 11.0.0.0 100.63.255.255
object network NET-INET-RANGE3
range 100.128.0.0 126.255.255.255
object network NET-INET-RANGE4
range 128.0.0.0 169.253.255.255
object network NET-INET-RANGE5
range 169.255.0.0 172.15.255.255
object network NET-INET-RANGE6
range 172.32.0.0 191.255.255.255
object network NET-INET-RANGE7
range 192.0.1.0 192.0.1.255
object network NET-INET-RANGE8
range 192.0.3.0 192.88.98.255
object network NET-INET-RANGE9
range 192.88.100.0 192.167.255.255
object network NET-INET-RANGE10
range 192.169.0.0 198.17.255.255
object network NET-INET-RANGE11
range 198.20.0.0 198.51.99.255
object network NET-INET-RANGE12
range 198.51.101.0 203.0.112.255
object network NET-INET-RANGE13
range 203.0.114.0 223.255.255.255
object-group network NET-INET-VALID
network-object object NET-INET-RANGE1
network-object object NET-INET-RANGE2
network-object object NET-INET-RANGE3
network-object object NET-INET-RANGE4
network-object object NET-INET-RANGE5
network-object object NET-INET-RANGE6
network-object object NET-INET-RANGE7
network-object object NET-INET-RANGE8
network-object object NET-INET-RANGE9
network-object object NET-INET-RANGE10
network-object object NET-INET-RANGE11
network-object object NET-INET-RANGE12
network-object object NET-INET-RANGE13
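Hand-inverting a list this long is exactly where off-by-a-digit typos creep in. The following generator is an added example, not code from the original post or from Cisco: it derives the same two ASA groups from the martian list using only Python's standard-library ipaddress module, checks that the result is the exact complement of the martians, and emits both the subnet-based (8.2 and earlier) and range-based (8.3 and later) forms. The object names NET-INET-VALID and NET-INET-RANGEn are taken from the post; the martian list includes 192.88.99.0/24 so the output matches the range-based script.

```python
"""Derive the 'inverse of the martians' ASA groups instead of inverting by hand.

Added example, not from the original post. Standard library only (Python 3.7+).
"""
import ipaddress

# Martian prefixes as listed in the post (RFC 5735 plus RFC 6598 CGN space).
# 192.88.99.0/24 (6to4 relay anycast, RFC 3068) is in RFC 5735 and is carved
# out by the post's range-based script, so it is included here as well.
# 255.255.255.255/32 sits inside 240.0.0.0/4 and needs no entry of its own.
MARTIANS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
]


def invert(martians, universe="0.0.0.0/0"):
    """Return the minimal CIDR blocks covering `universe` minus `martians`."""
    keep = [ipaddress.ip_network(universe)]
    for m in map(ipaddress.ip_network, martians):
        nxt = []
        for blk in keep:
            if m.subnet_of(blk):                    # split blk around m
                nxt.extend(blk.address_exclude(m))  # (yields nothing if m == blk)
            elif not blk.subnet_of(m):              # disjoint: keep as-is
                nxt.append(blk)                     # (blk inside m is dropped)
        keep = nxt
    # Merge sibling halves back into the largest possible subnets.
    return list(ipaddress.collapse_addresses(keep))


def to_ranges(blocks):
    """Merge adjacent CIDR blocks into (first, last) address ranges."""
    ranges = []
    for blk in sorted(blocks):
        lo, hi = blk.network_address, blk.broadcast_address
        if ranges and ranges[-1][1] + 1 == lo:
            ranges[-1] = (ranges[-1][0], hi)
        else:
            ranges.append((lo, hi))
    return ranges


def is_exact_complement(blocks, martians):
    """True if blocks and martians partition IPv4 space with no overlap."""
    nets = sorted([ipaddress.ip_network(m) for m in martians] + list(blocks))
    for a, b in zip(nets, nets[1:]):
        if b.network_address <= a.broadcast_address:
            return False
    return sum(n.num_addresses for n in nets) == 2 ** 32


def covers(blocks, address):
    """True if any block contains the address; handy for spot-checking a list."""
    ip = ipaddress.ip_address(address)
    return any(ip in blk for blk in blocks)


def asa_subnet_group(blocks, name="NET-INET-VALID"):
    """Subnet-based object-group for ASA 8.2 and earlier."""
    return [f"object-group network {name}"] + [
        f" network-object {b.network_address} {b.netmask}" for b in sorted(blocks)]


def asa_range_group(ranges, name="NET-INET-VALID", prefix="NET-INET-RANGE"):
    """Range-based objects plus the group that collects them, for ASA 8.3+."""
    lines = []
    for i, (lo, hi) in enumerate(ranges, 1):
        lines += [f"object network {prefix}{i}", f" range {lo} {hi}"]
    lines.append(f"object-group network {name}")
    lines += [f" network-object object {prefix}{i}" for i in range(1, len(ranges) + 1)]
    return lines


if __name__ == "__main__":
    blocks = invert(MARTIANS)
    assert is_exact_complement(blocks, MARTIANS)
    print("\n".join(asa_subnet_group(blocks)))
    print("!")
    print("\n".join(asa_range_group(to_ranges(blocks))))
```

Drop 192.88.99.0/24 from MARTIANS to reproduce the subnet-based list exactly as posted; the range count then falls from 13 to 12. Because is_exact_complement() checks both non-overlap and that the address counts sum to 2^32, a typo in the martian list (or a missing carve-out) fails the run rather than silently widening the permit.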