I found an interesting page on the Cisco website about protecting core infrastructure. Some network engineers already block all RFC1918 private IP address ranges, but I had never thought about also blocking all RFC3330 special-use IP address ranges.
I think this information is worth sharing; below is an overview of all RFC1918 and RFC3330 ranges:
0.0.0.0/8          "This" Network
10.0.0.0/8         Private-Use Networks
14.0.0.0/8         Public-Data Networks
24.0.0.0/8         Cable Television Networks
39.0.0.0/8         Reserved but subject to allocation
127.0.0.0/8        Loopback
128.0.0.0/16       Reserved but subject to allocation
169.254.0.0/16     Link Local
172.16.0.0/12      Private-Use Networks
191.255.0.0/16     Reserved but subject to allocation
192.0.0.0/24       Reserved but subject to allocation
192.0.2.0/24       Test-Net
192.88.99.0/24     6to4 Relay Anycast
192.168.0.0/16     Private-Use Networks
198.18.0.0/15      Network Interconnect Device Benchmark Testing
223.255.255.0/24   Reserved but subject to allocation
224.0.0.0/4        Multicast
240.0.0.0/4        Reserved for Future Use
I took this information directly from the RFC3330 document, which is worth a look.
A good network engineer should block not only RFC1918 but also RFC3330 address ranges at the perimeter, because these ranges should never traverse the public internet. Blocking them for outbound traffic as well is very useful.
Here is an ASA object group:
object-group network rfc3330-subnets
 description Group of all rfc3330 subnets incl private and special use
 network-object 0.0.0.0 255.0.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 14.0.0.0 255.0.0.0
 network-object 24.0.0.0 255.0.0.0
 network-object 39.0.0.0 255.0.0.0
 network-object 127.0.0.0 255.0.0.0
 network-object 128.0.0.0 255.255.0.0
 network-object 169.254.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 191.255.0.0 255.255.0.0
 network-object 192.0.0.0 255.255.255.0
 network-object 192.0.2.0 255.255.255.0
 network-object 192.88.99.0 255.255.255.0
 network-object 192.168.0.0 255.255.0.0
 network-object 198.18.0.0 255.254.0.0
 network-object 223.255.255.0 255.255.255.0
 network-object 224.0.0.0 240.0.0.0
 network-object 240.0.0.0 240.0.0.0
 exit
Creating the access-list entries for your outside and inside interfaces:
access-list acl_outside-inbound remark Blocking all rfc3330 ip address ranges
access-list acl_outside-inbound extended deny ip object-group rfc3330-subnets any
access-list acl_inside-outbound remark Blocking all rfc3330 ip address ranges
access-list acl_inside-outbound extended deny ip object-group rfc3330-subnets any
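As an added example (not from the original post or from Cisco), the script below turns the RFC3330 table above into the ASA network-object lines, so the dotted masks can be verified rather than typed by hand, and classifies source addresses seen at the perimeter against the same list. The sample addresses are constructed for illustration.

```python
import ipaddress

# RFC3330 special-use prefixes, copied from the table in the post.
RFC3330_RANGES = {
    "0.0.0.0/8": '"This" Network',
    "10.0.0.0/8": "Private-Use Networks",
    "14.0.0.0/8": "Public-Data Networks",
    "24.0.0.0/8": "Cable Television Networks",
    "39.0.0.0/8": "Reserved but subject to allocation",
    "127.0.0.0/8": "Loopback",
    "128.0.0.0/16": "Reserved but subject to allocation",
    "169.254.0.0/16": "Link Local",
    "172.16.0.0/12": "Private-Use Networks",
    "191.255.0.0/16": "Reserved but subject to allocation",
    "192.0.0.0/24": "Reserved but subject to allocation",
    "192.0.2.0/24": "Test-Net",
    "192.88.99.0/24": "6to4 Relay Anycast",
    "192.168.0.0/16": "Private-Use Networks",
    "198.18.0.0/15": "Network Interconnect Device Benchmark Testing",
    "223.255.255.0/24": "Reserved but subject to allocation",
    "224.0.0.0/4": "Multicast",
    "240.0.0.0/4": "Reserved for Future Use",
}


def asa_network_objects():
    """Render each prefix as an ASA 'network-object <network> <mask>' line.

    ASA network-object syntax takes a dotted subnet mask, not a /prefix,
    so the conversion is done here instead of by hand."""
    nets = (ipaddress.ip_network(p) for p in RFC3330_RANGES)
    return [f"network-object {n.network_address} {n.netmask}" for n in nets]


def classify(ip):
    """Return the RFC3330 description matching ip, or None if it is routable."""
    addr = ipaddress.ip_address(ip)
    for prefix, desc in RFC3330_RANGES.items():
        if addr in ipaddress.ip_network(prefix):
            return desc
    return None


def special_use_sources(source_ips):
    """Return the (ip, description) pairs that the object group would deny."""
    return [(ip, classify(ip)) for ip in source_ips if classify(ip) is not None]


# Constructed sample of source addresses arriving on the outside interface.
SAMPLE_SOURCES = ["192.0.2.17", "203.0.113.5", "10.44.1.9", "169.254.7.7"]
```

Note that classify() matches internal RFC1918 hosts too, so a deny with the group as the source on an inside interface also matches your own clients; check whether the inside rule should match the group as source or destination before deploying it.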
Here are the links to both RFC1918 and RFC3330: