HOWTO:Cisco:FW

Enabling
Enabling source address verification (unicast reverse-path forwarding, uRPF) on a Cisco ASA, PIX, or FWSM is done per interface. The command to enable it on an interface is:

  ip verify reverse-path interface interface_name

where interface_name is the nameif of the interface on which you wish to enable source address verification. This is the one-line command referenced elsewhere on the site. The check drops a packet when the firewall's route to the packet's source address points out a different interface than the one the packet arrived on, so it assumes symmetric routing. With a default route on the external interface, the check on that interface only catches sources that the firewall routes to an internal interface; on internal interfaces it drops any source not routed back through that interface.
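Added example, not from the original page: enabling the check on both interfaces of a two-interface firewall and confirming it. The interface names, the RFC 5737 documentation addresses and the default route are assumed for illustration.

```cisco
! Added example, not from the original page. Interface names and the
! RFC 5737 addresses are assumed for illustration.
interface GigabitEthernet0/0
 nameif internal
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif external
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! Default route out the external interface. Every other prefix is reached
! via internal, so a packet arriving on external with a source in
! 192.0.2.0/24 (or any prefix routed to internal) fails the check.
route external 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Enable the reverse-path check on every interface, not only the external
! one: on internal it drops packets whose source is not routed back through
! internal, which stops a compromised inside host from spoofing.
ip verify reverse-path interface internal
ip verify reverse-path interface external
!
! Confirm the configuration took effect
show running-config | include verify
```

If any path is asymmetric (for example a second firewall or router carrying return traffic), legitimate packets will fail the check on the interface they arrive on; baseline the routing table before enabling it.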

For situations where the above command does not cover all use cases (asymmetric routing being the usual one), an access list can be used instead. This access list is no different from any other access list configured on an ASA/PIX/FWSM, so your security policy must be included in the same access list. Because every access list ends with an implicit deny, you are generally already dropping invalid source addresses simply because they are not explicitly permitted. However, if the "any" keyword is used as the source in an inbound access list, consider adding an outbound access list on interfaces facing external networks such as the Internet that permits only your valid source networks.

Sample configuration with both inbound and outbound access lists:

  interface Gi0/0
   nameif internal
  interface Gi0/1
   nameif external
  access-list INTERNAL-IN extended permit tcp any any eq https
  access-list EXTERNAL-OUT extended permit ip <valid source network #1> any
  access-list EXTERNAL-OUT extended permit ip <valid source network #2> any
  access-list EXTERNAL-OUT extended permit ip <valid source network #3> any
  access-group INTERNAL-IN in interface internal
  access-group EXTERNAL-OUT out interface external
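Added example, not from the original page: the same inbound/outbound pattern with the placeholders filled in. It groups the valid networks in an object-group so the outbound list stays one line as networks are added, and ends with an explicit logged deny so spoofed sources show up in the log rather than vanishing into the implicit deny. The interface names, the object-group name and the RFC 5737 prefixes are assumed for illustration.

```cisco
! Added example, not from the original page. Interface names, the
! object-group name and the RFC 5737 prefixes are assumed for
! illustration; replace them with the networks behind your firewall.
object-group network VALID-SOURCES
 network-object 192.0.2.0 255.255.255.0
 network-object 203.0.113.0 255.255.255.0
!
! Inbound policy on the internal interface: the "any" source is exactly
! the case in which a spoofed source would otherwise be permitted through.
access-list INTERNAL-IN extended permit tcp any any eq https
!
! Outbound policy on the external interface: only packets sourced from the
! valid networks may leave. The explicit deny with "log" makes the drops
! visible in the log instead of relying on the silent implicit deny.
access-list EXTERNAL-OUT extended permit ip object-group VALID-SOURCES any
access-list EXTERNAL-OUT extended deny ip any any log
!
access-group INTERNAL-IN in interface internal
access-group EXTERNAL-OUT out interface external
!
! Per-entry hit counts show which line is matching
show access-list EXTERNAL-OUT
```

If the external interface performs NAT, confirm for your software release whether an outbound access list is matched against real or translated source addresses (access lists moved to real IP addresses in ASA 8.3), so that the networks you permit are the ones the access list actually sees.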

Viewing drops/denials
show log
 * View the log buffer, including denials due to failed source verification (logged as syslog message ID 106021, "Deny protocol reverse path check from source to destination on interface name")
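Added example, not from the original page: the commands to see reverse-path drops, with a constructed sample log line to show what to look for. The interface name and addresses in the sample line are assumed.

```cisco
! Added example, not from the original page. Interface names and the
! addresses in the sample log line are assumed.
!
! Reverse-path failures are logged as syslog message 106021 (severity 1),
! so make sure logging reaches the buffer and filter on that ID.
logging enable
logging buffered informational
show logging | include 106021
!
! A 106021 line looks like this (constructed sample, not a real capture):
!   %ASA-1-106021: Deny tcp reverse path check from 192.0.2.10 to 203.0.113.5 on interface external
! Read it as: a packet claiming source 192.0.2.10 arrived on external, but
! the route to 192.0.2.0/24 points at internal, so the packet was dropped.
!
! Per-interface counters of packets dropped by the check
show ip verify statistics
!
! The accelerated security path keeps its own counter for the same reason
! code (rpf-violated)
show asp drop | include rpf
!
! Reset the counters after fixing a configuration problem so the next
! reading starts from zero
clear ip verify statistics
clear asp drop
```

A steady trickle of 106021 messages from the external interface naming your own internal prefixes is the expected result; 106021 messages on an internal interface for addresses you own point at a missing route or asymmetric path rather than at spoofing.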

Additional commands
show conn count
 * Shows the count of active connections. Useful for baselining performance before and after a configuration change: a large change in connection count after enabling source verification (in particular a sharp drop) can indicate that legitimate traffic is being discarded.
show xlate detail
 * Shows active address translations (xlates), including the interface each address was seen on. These interfaces do not necessarily match the routing table of the firewall, which matters because the reverse-path check consults the routing table, not the translation table.