Configure IP Spoofing and IPS Protection With a Cisco ASA 5500 Firewall

Configure IP Spoofing and IPS Protection With a Cisco ASA 5500 Firewall

The Cisco ASA firewall appliance provides great security protection out-of-the box with its default configuration. However, to increase the security protection even further, there are several configuration enhancements that can be used to implement additional security features. Two of these features are IP Spoofing protection and basic Intrusion Prevention (IPS) support.

IP Spoofing Protection
IP spoofing attacks are those that change the actual source IP address of packets to obscure their true origin. This means that packets arriving at a particular interface (e.g inside) must have a valid source IP address that matches the correct source interface according to the firewall routing table. Normally the firewall only looks at the destination address of a packet in order to forward it accordingly. If you enable the IP Spoofing mechanism, the firewall checks also the source address of the packets.

If  for example our inside interface connects to internal network, this means that packets arriving at the inside firewall interface must have a source address in the range otherwise they will be dropped (if IP Spoofing is configured).
The IP Spoofing feature uses the Unicast Reverse Path Forwarding (Unicast RPF) mechanism, which dictates that for any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address.

To enable IP Spoofing protection, enter the following command:

CiscoASA5500(config)# ip verify reverse-path interface “interface_name”

For example, to enable IP spoofing on the inside interface, use the following command:

CiscoASA5500(config)# ip verify reverse-path interface inside


Basic IPS Protection
Although the ASA Firewall supports full IPS functionality with an extra IPS hardware module (AIP-SSM), it supports also basic IPS protection which is built-in by default without using an extra hardware module. The built-in IPS feature supports a basic list of signatures and you can configure the security appliance to perform one or more actions on traffic that matches a signature. The command that implements the basic IPS feature is called “ip audit”.
There are two signature groups embedded in the firewall software: “Informational” and “Attack” signatures. You can define an IP audit policy for each signature group as following:

For informational signatures:

CiscoASA5500 (config)# ip audit name “name” info [action [alarm] [drop] [reset]]

For attack signatures:

CiscoASA5500 (config)# ip audit name “name” attack [action [alarm] [drop] [reset]]

The keywords [alarm], [drop], [reset] define the actions to perform on a malicious packet that matches one of the signatures. [alarm] generates a system message showing that a packet matched a signature, [drop] drops the packet, and [reset] drops the packet and closes the connection.

After defining an IP audit policy (IPS policy) as shown above, we need to attach the policy to a specific interface:

CiscoASA5500(config)# ip audit interface “interface_name” ” policy_name”

Let’s see an actual example:

CiscoASA5500 (config)# ip audit name dropattacks attack action drop

CiscoASA5500 (config)# ip audit interface outside dropattacks

Download the best configuration tutorial for any Cisco ASA 5500 Firewall model Here.

Article from

More Cisco Asa Articles

We are teams that have the same hobbies in Information Technologies and have experienced in many fields regarding Information Technologies .

Related Articles