Anti-spoofing Configuration
The CBAC router should have anti-spoofing access lists. That means you should input access lists on all, or nearly all, interfaces, set up to reject any packet that has a source address that's not expected to be on that interface. For example, if the router is an Internet firewall, it should reject all packets coming from the Internet that claim to be from the private network. Similarly, it should reject all packets coming from the private network with source addresses that aren't part of the private network, because anti-spoofing is not optional in either direction.
Disable source routing. For IP, enter the no ip source-route global configuration command. Disabling source routing at all routers can help prevent spoofing.
Prevent the firewall from being used as a relay by configuring access lists on any asynchronous Telnet ports.