08-13-2008 07:36 AM - edited 03-11-2019 06:30 AM
I'm in the process of setting up 2 ASA 5510 with Active/Standby Failover. I'm in the process of testing right now. I have a question about the Anti-spoofing feature. I've done some reading and got some mixed suggestions. Should it just be turned on on my outside and 2 DMZ interfaces so that RPF can be done on a sourced IP address? Or is this only done on the Inside interface, which is where I want everything protected?
08-13-2008 08:29 AM
You should have RPF on DMZ interfaces enabled as well; it also provides additional protection even if enabled on the inside interface as well. In fact RPF is used as best practice for security even from within your inside network; it is not a requirement though for inside network devices. Personally I do have all interfaces on all of our firewalls configured for RPF checks.
Cisco Guide to Harden Cisco IOS Devices
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
Understanding Unicast Reverse Path Forwarding
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
Rgds
Jorge
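An added example, not from the thread or from Cisco: a small Python model of the strict reverse-path check the ASA performs, run over a constructed routing table for the four-interface layout in the question (outside, inside, two DMZs), showing which spoofed packets each interface's check would drop and why enabling it on one interface does not protect the others. The prefixes, addresses and the DMZ interface names are assumptions; `ip verify reverse-path interface` is the real ASA command that enables the check.

```python
import ipaddress

# Constructed routing table for the two-DMZ ASA layout in the question.
# Interface names beyond those in the thread, prefixes and addresses are
# assumptions made for this example.
ROUTES = {
    "0.0.0.0/0": "outside",        # default route: the Internet
    "10.1.0.0/16": "inside",       # protected LAN
    "192.0.2.0/24": "dmz1",
    "198.51.100.0/24": "dmz2",
}

ALL_INTERFACES = {"outside", "inside", "dmz1", "dmz2"}


def best_route_interface(src_ip):
    """Longest-prefix match on the packet's SOURCE address: the interface the
    ASA would use to send a reply back to that source."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, ifname in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def strict_urpf(ingress_if, src_ip, rpf_enabled):
    """Strict reverse-path check as the ASA applies it: accept the packet only
    if the route back to its source leaves through the interface it arrived on.
    Interfaces where the check is not enabled accept every source."""
    if ingress_if not in rpf_enabled:
        return "accept"
    return "accept" if best_route_interface(src_ip) == ingress_if else "drop"


def asa_config(rpf_enabled):
    """The ASA configuration lines that enable the check per interface."""
    return [f"ip verify reverse-path interface {i}" for i in sorted(rpf_enabled)]


if __name__ == "__main__":
    # A DMZ host forging an inside source: caught only if the check is on dmz1.
    print(strict_urpf("dmz1", "10.1.5.5", ALL_INTERFACES))       # drop
    print(strict_urpf("dmz1", "10.1.5.5", {"outside"}))          # accept
    # An inside host forging an Internet source: caught by the inside check.
    print(strict_urpf("inside", "203.0.113.9", ALL_INTERFACES))  # drop
    print("\n".join(asa_config(ALL_INTERFACES)))
```

On a real ASA, `show ip verify statistics` shows per-interface counts of packets the check has dropped, which is the quickest way to confirm it is active on each interface after enabling it.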
08-13-2008 08:59 AM
Thanks Jorge
08-13-2008 09:17 AM
You are very welcome, please rate helpful posts.
Rgds
Jorge
08-13-2008 09:18 AM
done