I found on the Cisco website an interesting page about protecting core infrastructure which some of the network engineers do like blocking all RFC1918 private IP address ranges. But I never thought about blocking as well all RFC3330 special use IP address ranges.
I think it is worth sharing this information, see below the overview of all RFC1918 and RFC3330:
0.0.0.0/8 "This" Network 10.0.0.0/8 Private Use Networks 126.96.36.199/8 Public-Data Networks 188.8.131.52/8 Cable Television Networks 184.108.40.206/8 Reserved but subject to allocation 127.0.0.0/8 Loopback 220.127.116.11/16 Reserved but subject to allocation 169.254.0.0/16 Link Local 172.16.0.0/12 Private-Use Networks 18.104.22.168/16 Reserved but subject to allocation 192.0.0.0/24 Reserved but subject to allocation 192.0.2.0/24 Test-Net 22.214.171.124/24 6to4 Relay Anycast 192.168.0.0/16 Private-Use Networks 198.18.0.0/15 Network Interconnect Device Benchmark Testing 126.96.36.199/24 Reserved but subject to allocation 188.8.131.52/4 Multicast 240.0.0.0/4 Reserved for Future Use
I got the information directly from the RFC3330 page and it is worth having a look.
If you are a good network engineer you should block externally not only RFC1918 but as well RFC3330 address ranges because they should not traverse the public internet. Even blocking them for outbound traffic would be very useful.
Here an ASA object group:
object-group network rfc3330-subnets description Group of all rfc3330 subnets incl private and special use network-object 0.0.0.0 255.0.0.0 network-object 10.0.0.0 255.0.0.0 network-object 184.108.40.206 255.0.0.0 network-object 220.127.116.11 255.0.0.0 network-object 18.104.22.168 255.0.0.0 network-object 127.0.0.0 255.0.0.0 network-object 22.214.171.124 255.255.0.0 network-object 169.254.0.0 255.255.0.0 network-object 172.16.0.0 255.240.0.0 network-object 126.96.36.199 255.255.0.0 network-object 192.0.0.0 255.255.255.0 network-object 192.0.2.0 255.255.255.0 network-object 188.8.131.52 255.255.255.0 network-object 192.168.0.0 255.255.0.0 network-object 198.18.0.0 255.254.0.0 network-object 184.108.40.206 255.255.255.0 network-object 220.127.116.11 240.0.0.0 network-object 240.0.0.0 240.0.0.0 exit
Creating access-list entry on your outside and inside interface:
access-list acl_outside-inbound remark Blocking all rfc3330 ip address ranges access-list acl_outside-inbound extended deny ip object-group rfc3330-subnets any access-list acl_inside-outbound remark Blocking all rfc3330 ip address ranges access-list acl_inside-outbound extended deny ip object-group rfc3330-subnets any
Here the links to both RFC1918 and RFC3330: