ASA Spoofing

kareem.afifi
Level 1

I'm in the process of setting up 2 ASA 5510 with Active/Standby Failover. I'm in the process of testing right now. I have a question about the Anti-spoofing feature. I've done some reading and got some mixed suggestions. Should it just be turned on for my outside and 2 DMZ interfaces so that RPF can be done on a sourced IP address? Or is this only done on the Inside interface, which is where I want everything protected?

4 Replies

JORGE RODRIGUEZ
Level 10

You should have RPF enabled on the DMZ interfaces as well; it also provides additional protection even if enabled on the inside interface as well. In fact, RPF is used as a best practice for security even from within your inside network; it is not a requirement, though, for inside network devices. Personally, I do have all interfaces on our firewalls configured for RPF checks.

Cisco Guide to Harden Cisco IOS Devices

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

Understanding Unicast Reverse Path Forwarding

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

Rgds

Jorge

Jorge Rodriguez
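
An added illustration, not part of the original thread and not Cisco code: a small model of the strict reverse-path check discussed above, comparing which spoofed packets are dropped when the check runs only on the outside interface versus on every interface. The interface names, prefixes and sample packets are constructed assumptions.

```python
import ipaddress

# Constructed routing table (assumption): prefix -> interface used to reach it.
ROUTES = [
    ("0.0.0.0/0", "outside"),       # default route points outside
    ("10.1.0.0/16", "inside"),
    ("172.16.10.0/24", "dmz1"),
    ("172.16.20.0/24", "dmz2"),
]
TABLE = [(ipaddress.ip_network(p), iface) for p, iface in ROUTES]
ALL_INTERFACES = {"outside", "inside", "dmz1", "dmz2"}

def route_interface(addr):
    """Longest-prefix match: the interface the firewall would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, iface) for net, iface in TABLE if ip in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def rpf_verdict(src, ingress, rpf_enabled):
    """Strict reverse-path check: the route back to the source address must
    point out of the interface the packet arrived on. On an ASA the check is
    enabled per interface with `ip verify reverse-path interface <name>`."""
    if ingress not in rpf_enabled:
        return "forward (no check)"
    return "forward" if route_interface(src) == ingress else "drop"

# Constructed sample packets: (source address, ingress interface, description).
PACKETS = [
    ("203.0.113.9", "outside", "legitimate Internet host"),
    ("10.1.5.20", "outside", "outside packet claiming an inside source"),
    ("10.1.5.20", "dmz1", "DMZ host claiming an inside source"),
    ("172.16.20.5", "dmz1", "dmz1 host claiming a dmz2 source"),
    ("198.51.100.7", "inside", "inside host claiming an Internet source"),
    ("10.1.5.20", "inside", "legitimate inside host"),
]

def evaluate(rpf_enabled):
    """Return the verdict for every sample packet under a given RPF setup."""
    return [rpf_verdict(src, ingress, rpf_enabled) for src, ingress, _ in PACKETS]

if __name__ == "__main__":
    outside_only = evaluate({"outside"})
    everywhere = evaluate(ALL_INTERFACES)
    for (src, ingress, desc), a, b in zip(PACKETS, outside_only, everywhere):
        print(f"{src:>14} via {ingress:<7} {desc:<42} "
              f"outside-only: {a:<18} all: {b}")
```

Because the default route points outside, the check on that interface only rejects sources that have a more specific route through another interface; spoofing that originates in a DMZ or on the inside network is caught only when the check is enabled on those interfaces too.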

Thanks Jorge

You are very welcome, please rate helpful posts.

Rgds

Jorge

Jorge Rodriguez

done
