Cisco Support Community
ASA best practices

(I) Apart from the default configuration on the ASA, what features do you guys usually enable for extra protection? I already have another IPS, hence I'm not doing any 'ip audits'. Any suggestions would be appreciated.

(II) I use these parameters for logging. Do they look okay?

logging enable
logging buffer-size 1048576
logging monitor alerts
logging buffered debugging
logging trap warnings
logging asdm warnings
logging host inside x.x.x.x


Re: ASA best practices

(I) You can enable the anti-spoofing feature - ip verify reverse-path (Unicast RPF).

This guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.

Normally applied on the outside interface facing the internet/external network.

Command: ip verify reverse-path interface interface_name

ASA(config)#ip verify reverse-path interface outside

But as per the Cisco SAFE Blueprint suggestions, network security has to be in the form of multiple layers of security, involving security-specific devices such as firewalls, IDS/IPS, secure remote access devices (IPSec VPN), identity authentication devices, and non-security-specific devices such as routers and switches. It would be a good idea to incorporate them all, if possible.

(II) Looks fine, but you can also trim the buffered logging level down one step to the 'informational' or 'notification' level. This can help you zoom in on useful log information. Debugging is useful when performing troubleshooting, but there are no exact rules about what level must be enabled/used. Without the debugging level, you can save buffer space - no unwanted log info unless needed.
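The two recommendations in this reply (uRPF on the outside interface, and a buffered logging level below debugging) can be checked mechanically against a running config. The following is an added example written for this thread, not code from Cisco or from either poster; the sample config is constructed from the original post plus the reply's uRPF command, the syslog host address is a placeholder, and the interface name and acceptable buffer level are assumptions passed as parameters.

```python
import re

# ASA syslog severity names and their numeric levels (0 = emergencies, 7 = debugging).
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed sample: the poster's logging lines plus the reply's uRPF command.
# 192.0.2.10 is a documentation-range placeholder for the syslog host.
SAMPLE_CONFIG = """\
logging enable
logging buffer-size 1048576
logging monitor alerts
logging buffered debugging
logging trap warnings
logging asdm warnings
logging host inside 192.0.2.10
ip verify reverse-path interface outside
"""

def logging_levels(config):
    """Map each logging destination (buffered, trap, ...) to its numeric severity level."""
    levels = {}
    for line in config.splitlines():
        m = re.match(r"logging (buffered|trap|monitor|asdm|console)\s+(\S+)$", line.strip())
        if m:
            dest, lvl = m.groups()
            levels[dest] = LEVELS[lvl] if lvl in LEVELS else int(lvl)
    return levels

def rpf_interfaces(config):
    """Interfaces on which 'ip verify reverse-path' (Unicast RPF) is configured."""
    return set(re.findall(r"^ip verify reverse-path interface (\S+)$", config, re.M))

def audit(config, outside_if="outside", max_buffer_level=LEVELS["informational"]):
    """Return findings against the thread's advice; an empty list means nothing to change."""
    findings = []
    lines = {l.strip() for l in config.splitlines()}
    levels = logging_levels(config)
    if "logging enable" not in lines:
        findings.append("logging is not enabled")
    if levels.get("buffered", 0) > max_buffer_level:
        findings.append("buffered logging at debugging level; consider informational or notifications")
    if "trap" in levels and not any(l.startswith("logging host ") for l in lines):
        findings.append("logging trap level set but no 'logging host' syslog destination")
    if outside_if not in rpf_interfaces(config):
        findings.append(f"uRPF not enabled on {outside_if}: add 'ip verify reverse-path interface {outside_if}'")
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags only the debugging buffer level; changing that line to `logging buffered informational` yields no findings, and removing the uRPF line brings back the uRPF finding.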
