EasyManuals Logo
Home>Cisco>Firewall>5510 - ASA SSL / IPsec VPN Edition

Cisco 5510 - ASA SSL / IPsec VPN Edition User Manual

Cisco 5510 - ASA SSL / IPsec VPN Edition
2164 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #1449 background imageLoading...
Page #1449 background image
CHAPTER
1-1
Cisco ASA Series CLI Configuration Guide
1
Using Protection Tools
This chapter describes some of the many tools available to protect your network and includes the
following sections:
• Preventing IP Spoofing, page 1-1
• Configuring the Fragment Size, page 1-2
• Blocking Unwanted Connections, page 1-2
• Configuring IP Audit for Basic IPS Support, page 1-3
Preventing IP Spoofing
This section lets you enable Unicast Reverse Path Forwarding on an interface. Unicast RPF guards
against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring
that all packets have a source IP address that matches the correct source interface according to the
routing table.
Normally, the ASA only looks at the destination address when determining where to forward the packet.
Unicast RPF instructs the ASA to also look at the source address; this is why it is called Reverse Path
Forwarding. For any traffic that you want to allow through the ASA, the ASA routing table must include
a route back to the source address. See RFC 2267 for more information.
For outside traffic, for example, the ASA can use the default route to satisfy the Unicast RPF protection.
If traffic enters from an outside interface, and the source address is not known to the routing table, the
ASA uses the default route to correctly identify the outside interface as the source interface.
If traffic enters the outside interface from an address that is known to the routing table, but is associated
with the inside interface, then the ASA drops the packet. Similarly, if traffic enters the inside interface
from an unknown source address, the ASA drops the packet because the matching route (the default
route) indicates the outside interface.
Unicast RPF is implemented as follows:
• ICMP packets have no session, so each packet is checked.
• UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent
packets arriving during the session are checked using an existing state maintained as part of the
session. Non-initial packets are checked to ensure they arrived on the same interface used by the
initial packet.
To enable Unicast RPF, enter the following command:
hostname(config)# ip verify reverse-path interface interface_name

Table of Contents

Other manuals for Cisco 5510 - ASA SSL / IPsec VPN Edition

Preview: Configuration Guide
Configuration Guide1822 pages
Preview: Hardware Installation Guide
Hardware Installation Guide82 pages
Preview: Getting Started Guide
Getting Started Guide208 pages

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco 5510 - ASA SSL / IPsec VPN Edition and is the answer not in the manual?

Cisco 5510 - ASA SSL / IPsec VPN Edition Specifications

General IconGeneral
BrandCisco
Model5510 - ASA SSL / IPsec VPN Edition
CategoryFirewall
LanguageEnglish

Related product manuals