ASA 5505 Security Tips

Jan 9th, 2008
My company is using an ASA 5505 for security. I've enabled IP Audit and IP verify reverse-path. Are there any other security tips built into the device? Or, what is the best way to secure your network with an ASA 5505?

gfullage (Cisco Employee), Wed, 01/09/2008 - 20:30

The best way to secure your network with it is to simply plug it in between the Internet and your network. By default all outbound traffic (to the Internet) will be allowed (assuming you set up NAT rules as necessary) and all inbound traffic (from the Internet) will be denied.

If you don't specifically allow any inbound traffic into your network then "ip audit" is not going to be of much use to you, and "ip verify reverse-path" will benefit the rest of the Internet community by not allowing any of your internal PCs to send out spoofed packets.

If you need to allow inbound traffic, make sure to only allow the bare minimum in; that is, specifically define the protocol, port and destination IP addresses in your access-list. Turn on protocol inspection using the "inspect ..." command if there is an inspection for the protocol in question.

Set up a syslog server and log all your level 1-4 syslog messages to it and archive them off for future reference.

Other than that, have fun and relax.
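
An added example, not part of the reply above and not Cisco tooling: a small Python check that reads a saved ASA configuration and flags inbound permit rules that do not pin down protocol, destination and port, along with syslog settings that fail to send levels 1-4 to a server. The function name, the interface name `outside`, the ACL name and every address in the sample are assumptions constructed for illustration; protocols and ports given as object-groups are not parsed.

```python
import re

PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # tokens each operator uses
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

def _take_addr(tok):
    """Split one address spec (any | host A | A MASK | object-group N) off the tokens."""
    n = 1 if tok and tok[0] in ("any", "any4", "any6") else 2
    return " ".join(tok[:n]), tok[n:]

def audit_asa_config(text, iface="outside"):
    """Return findings for permit rules bound inbound on iface and for syslog settings."""
    findings = []
    bound = set(re.findall(rf"^access-group (\S+) in interface {re.escape(iface)}\s*$",
                           text, re.M))
    for line in text.splitlines():
        m = re.match(r"\s*access-list (\S+) extended permit (\S+) (.+)", line)
        if not m or m.group(1) not in bound:
            continue
        acl, proto, tok = m.group(1), m.group(2), m.group(3).split()
        _, tok = _take_addr(tok)              # source address
        if tok and tok[0] in PORT_OPS:        # optional source port
            tok = tok[PORT_OPS[tok[0]]:]
        dst, tok = _take_addr(tok)            # destination address
        if proto == "ip":
            findings.append(f"{acl}: permits every IP protocol: {line.strip()}")
        if dst in ("any", "any4", "any6"):
            findings.append(f"{acl}: destination is any: {line.strip()}")
        if proto in ("tcp", "udp") and not (tok and tok[0] in PORT_OPS):
            findings.append(f"{acl}: no destination port: {line.strip()}")
    # Syslog: a server must be defined and the trap level must reach 4 (warnings)
    trap = re.search(r"^logging trap (\S+)", text, re.M)
    t = trap.group(1) if trap else ""
    level = int(t) if t.isdigit() else LEVELS.index(t) if t in LEVELS else -1
    if not re.search(r"^logging host \S+ \S+", text, re.M):
        findings.append("syslog: no 'logging host' defined")
    if level < 4:
        findings.append("syslog: 'logging trap' does not reach level 4 (warnings)")
    return findings

# Constructed sample configuration; addresses come from documentation ranges
SAMPLE = """\
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended permit ip any any
access-list outside_in extended permit tcp any 203.0.113.0 255.255.255.0
access-group outside_in in interface outside
logging trap errors
"""
print("\n".join(audit_asa_config(SAMPLE)))
```

Only the first rule in the sample passes; the other two rules and both syslog settings are reported.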

