unicast rpf

suthomas1
Level 6

Hi,

If we enable unicast RPF on ASA 5585x, does it mean IP spoofing is enabled? How do we verify this?

Are there any other anti-spoof mechanisms available in this firewall?

Thanks in advance!

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

You use the following command

ip verify reverse-path interface

It will mean that in addition to the normal route lookup with regards to the destination IP address, the ASA will also check its routing table for the source IP address. If it doesn't find a route for the source IP address through the interface which the packet entered in, it will drop it.

After enabling the above command for some interface you can use the following command to verify the statistics

show ip verify statistics

The ASA will also generate log messages from these dropped packets

- Jouni
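
A small model of the check described in the answer above, added here as an example and not part of the original thread or of Cisco's code. The routing table, interface names and packets are constructed, and choosing the route for the source by longest-prefix match is an assumption of this sketch.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). Names are hypothetical.
ROUTES = [
    ("10.1.0.0/16", "inside"),
    ("192.168.50.0/24", "dmz"),
    ("0.0.0.0/0", "outside"),  # default route
]

# Constructed packets: (source IP, interface the packet arrived on).
PACKETS = [
    ("10.1.4.20", "inside"),     # internal host on its own interface
    ("10.1.4.20", "outside"),    # internal address arriving from outside
    ("203.0.113.9", "outside"),  # external source, covered by the default route
    ("203.0.113.9", "inside"),   # external source arriving on the inside interface
    ("192.168.50.7", "dmz"),
]


def best_route(table, address):
    """Return (network, interface) of the longest matching prefix, or None."""
    addr = ipaddress.ip_address(address)
    matches = []
    for prefix, ifc in table:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net, ifc))
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def rpf_check(table, src_ip, ingress_ifc):
    """Pass only if the route back to the source uses the ingress interface."""
    route = best_route(table, src_ip)
    if route is None:
        return (False, "no route to source")
    network, ifc = route
    if ifc != ingress_ifc:
        return (False, f"source {src_ip} is routed via {ifc}, not {ingress_ifc}")
    return (True, f"source matches {network} on {ingress_ifc}")


def evaluate(table, packets):
    """Run the check over a list of (source, ingress interface) pairs."""
    return [(src, ifc) + rpf_check(table, src, ifc) for src, ifc in packets]


if __name__ == "__main__":
    for src, ifc, ok, reason in evaluate(ROUTES, PACKETS):
        print(f"{'PASS' if ok else 'DROP'}  {src:<13} in={ifc:<8} {reason}")
```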

Thanks. Do we have any other anti-spoof mechanisms available in ASA?

Hi,

Here is a document, even though it is a bit older.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

Also you could take a look at this discussion (I have not read it through myself but seems to relate to the subject)

https://supportforums.cisco.com/thread/2152269

Seems the ASA Configuration Guide doesn't provide that much specific information in itself

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/protect_tools.html

- Jouni
