ASA Spoofing

Unanswered Question
Aug 13th, 2008

I'm in the process of setting up 2 ASA 5510 with Active/Standby Failover. I'm in the process of testing right now. I have a question about the Anti-spoofing feature. I've done some reading and got some mixed suggestions. Should it just be turned on my outside and 2 DMZ interfaces so that RPF can be done on a sourced IP address? Or is this only done on the Inside interface, which is where I want everything protected?

JORGE RODRIGUEZ Wed, 08/13/2008 - 08:29

You should have RPF on DMZ interfaces enabled as well; it also provides additional protection if enabled on the inside interface as well. In fact, RPF is used as a best practice for security even from within your inside network; it is not a requirement, though, for inside network devices. Personally, I do have all interfaces of our firewalls configured for RPF checks.

Cisco Guide to Harden Cisco IOS Devices

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

Understanding Unicast Reverse Path Forwarding

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

Rgds

Jorge
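An added example, not code from the thread or from Cisco: a small Python model of the strict reverse-path check an ASA performs once `ip verify reverse-path interface <name>` is set, run against a constructed route table for an outside/inside/two-DMZ layout (the interface names and prefixes are assumptions). It shows why enabling it on every interface helps: on outside and the DMZs it drops packets claiming an internal or DMZ source address, and on inside it drops an internal host spoofing an external address.

```python
import ipaddress

# Constructed route table for the layout discussed in the thread:
# (prefix, egress interface). Longest prefix match picks the interface.
ROUTES = [
    ("0.0.0.0/0", "outside"),       # default route toward the Internet
    ("10.1.0.0/16", "inside"),      # protected internal network (assumed)
    ("192.0.2.0/24", "dmz1"),       # first DMZ (documentation range)
    ("198.51.100.0/24", "dmz2"),    # second DMZ (documentation range)
]


def lookup_egress(ip, routes=ROUTES):
    """Interface a packet destined *to* ip would leave on, or None if unroutable."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(ingress_iface, src_ip, rpf_enabled, routes=ROUTES):
    """Strict uRPF: the packet's source must route back out the ingress interface.

    rpf_enabled is the set of interfaces that carry the reverse-path setting;
    traffic on any other interface is forwarded without the check.
    """
    if ingress_iface not in rpf_enabled:
        return "forward"
    egress = lookup_egress(src_ip, routes)
    if egress is None or egress != ingress_iface:
        return "drop"               # spoofed or unroutable source address
    return "forward"


def simulate(rpf_enabled, packets):
    """Run a list of (ingress interface, source IP) pairs through the check."""
    return [(iface, src, rpf_check(iface, src, rpf_enabled)) for iface, src in packets]


if __name__ == "__main__":
    # Constructed packets: an outside packet claiming an inside address, a
    # normal Internet source, an inside host spoofing an external address,
    # and a dmz2 address showing up on dmz1.
    sample = [("outside", "10.1.5.5"), ("outside", "203.0.113.9"),
              ("inside", "203.0.113.9"), ("dmz1", "198.51.100.7")]
    for row in simulate({"outside", "inside", "dmz1", "dmz2"}, sample):
        print(row)
```

Because the default route points at outside, the check on outside only catches sources that belong to the inside or DMZ prefixes; it cannot tell a spoofed external address from a real one, which is why the inside and DMZ checks matter as well.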
