Cisco Support Community

New Member

ASA Spoofing

I'm in the process of setting up 2 ASA 5510 with Active/Standby Failover. I'm in the process of testing right now. I have a question about the Anti-spoofing feature. I've done some reading and got some mixed suggestions. Should it just be turned on for my outside and 2 DMZ interfaces so that RPF can be done on a sourced IP address? Or is this only done on the Inside interface, which is where I want everything protected?

4 REPLIES

Re: ASA Spoofing

You should have RPF enabled on the DMZ interfaces as well; it also provides additional protection even if enabled on the inside interface as well. In fact, RPF is used as a best practice for security even from within your inside network; it is not a requirement, though, for inside network devices. Personally, I do have all interfaces on of our firewalls configured for RPF checks.

Cisco Guide to Harden Cisco IOS Devices

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

Understanding Unicast Reverse Path Forwarding

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

Rgds

Jorge
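
To illustrate the question above, here is an added example (not part of the original posts and not Cisco code) that models the strict reverse-path check an ASA applies when `ip verify reverse-path interface <name>` is configured. The interface names, subnets and sample source addresses are constructed assumptions. It shows what each interface's check catches: the outside check relies on the default route, so it only rejects sources that belong to inside or DMZ networks.

```python
import ipaddress

# Constructed routing table (assumption): prefix -> interface the route points out of
ROUTES = [
    ("0.0.0.0/0", "outside"),       # default route
    ("10.1.0.0/16", "inside"),
    ("172.16.10.0/24", "dmz1"),
    ("172.16.20.0/24", "dmz2"),
]
TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]
ALL_INTERFACES = {"outside", "inside", "dmz1", "dmz2"}

def best_route_interface(src):
    """Longest-prefix match on the source address; None if no route exists."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, ifc) for net, ifc in TABLE if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def rpf_permits(ingress, src, rpf_enabled):
    """Strict RPF: the route back to src must point out the ingress interface."""
    if ingress not in rpf_enabled:
        return True                  # no check configured on this interface
    return best_route_interface(src) == ingress

# Constructed sample packets: (ingress interface, source IP, description)
SAMPLES = [
    ("outside", "198.51.100.7", "internet host, matched by default route"),
    ("outside", "10.1.5.5", "inside address arriving from outside"),
    ("dmz1", "172.16.10.20", "legitimate DMZ1 server"),
    ("dmz1", "10.1.5.5", "DMZ1 host claiming an inside address"),
    ("inside", "10.1.5.5", "legitimate inside host"),
    ("inside", "203.0.113.9", "inside host claiming an external address"),
]

def evaluate(rpf_enabled):
    """Return (ingress, src, verdict) for every sample packet."""
    return [(i, s, "permit" if rpf_permits(i, s, rpf_enabled) else "drop")
            for i, s, _ in SAMPLES]

if __name__ == "__main__":
    for label, enabled in (("inside only", {"inside"}), ("all", ALL_INTERFACES)):
        print(f"RPF enabled on: {label}")
        for (ingress, src, verdict), (_, _, why) in zip(evaluate(enabled), SAMPLES):
            print(f"  {ingress:8} {src:15} {verdict:6} {why}")
```
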

New Member

Re: ASA Spoofing

Thanks Jorge

Re: ASA Spoofing

You are very welcome, please rate helpful posts.

Rgds

Jorge

New Member

Re: ASA Spoofing

done
