Anti Spoofing


I have an AIP-SSM-20 module, and I am in the process of upgrading its system images and signatures.

I was wondering if someone could guide me in the right direction on how to configure an anti-spoofing policy on the sensor.

If you have some sample configs that I could look at, or even if you can explain to me how to do it through the GUI, I would really appreciate it.

Marcin Latosiewicz Fri, 07/02/2010 - 16:37
User Badges:
  • Cisco Employee,

If you mean Anti-IP spoofing -

then it's typically applied on routing devices (firewalls, routers, L3 switches) and not on the firewall.

Unicast RPF is your friend on ASA.

Christopher Dreier Sun, 07/04/2010 - 14:46
User Badges:
  • Silver, 250 points or more


It depends on what type of attack you are attempting to protect against. RPF will help you when a host spoofs an address on an interface where it should not live. For instance, if your internal network is and a packet arrives on the outside of your firewall with a source address of, the appliance can drop the packet due to the information in its routing table. However, SYN floods from the Internet are a different matter. There is a mechanism on the IPS that can help you with this. Please see the document below for the SYN Cookie functionality of IPS Signature 3050/0.

Thank you,
Blayne Dreier
Cisco TAC IDS Team
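
The reverse-path check described in the reply above, modeled as an added example (not code from the thread or from Cisco). The routing table, interface names and addresses are constructed from private and documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed routing table for illustration; not taken from the thread.
ROUTES = [
    ("10.1.0.0/16", "inside"),
    ("192.0.2.0/24", "dmz"),
    ("0.0.0.0/0", "outside"),  # default route toward the Internet
]

def best_route(src, routes=ROUTES):
    """Longest-prefix match on the source address: (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in routes
               if addr in ipaddress.ip_network(prefix)]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def urpf_strict(src, arrival_if, routes=ROUTES):
    """Strict reverse-path check: accept only when the best route back to
    the source leaves through the interface the packet arrived on."""
    route = best_route(src, routes)
    if route is None:
        return False, "no route to source"
    net, ifc = route
    if ifc != arrival_if:
        return False, f"source belongs behind {ifc} ({net})"
    return True, f"matches {net} via {ifc}"

# Constructed sample packets: (source address, arrival interface).
PACKETS = [
    ("10.1.5.20", "inside"),      # legitimate internal host
    ("10.1.5.20", "outside"),     # internal address arriving from outside
    ("192.0.2.10", "inside"),     # DMZ address arriving on inside
    ("203.0.113.77", "outside"),  # arbitrary Internet source
]

def evaluate(packets=PACKETS, routes=ROUTES):
    """Return (src, interface, accepted, reason) for each packet."""
    return [(src, ifc, *urpf_strict(src, ifc, routes)) for src, ifc in packets]

if __name__ == "__main__":
    for src, ifc, ok, why in evaluate():
        print(f"{src:<14} on {ifc:<8} {'ACCEPT' if ok else 'DROP':<6} {why}")
```

The last sample packet is accepted because the default route points out the interface it arrived on, which is why a flood from arbitrary Internet sources passes this check and needs a separate control.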
