HOWTO:Cisco:FW
Enabling
Source address verification is not enabled by default on Cisco ASA, PIX, or FWSM firewalls. Enabling it is done per interface. The command to enable it on an interface is:
ip verify reverse-path interface interface_name
where interface_name is the name of the interface on which you wish to enable source address verification. This is the one-line command referenced elsewhere on the site.
For situations where the above command does not cover all use cases, an access list can be used instead. This access list is no different from any other access list configured on an ASA/PIX/FWSM, so your security policy must be included within the same access list. In most cases you are already denying invalid source addresses, because they are not explicitly permitted by your inbound access lists. However, if the "any" keyword is in use on an inbound access list, you may want to consider adding an outbound access list on interfaces facing external networks such as the Internet.
Sample configuration with both inbound and outbound access lists:
interface Gi0/0
 nameif internal
interface Gi0/1
 nameif external
access-list INTERNAL-IN extended permit tcp any any eq https
access-list EXTERNAL-OUT extended permit ip valid source network #1 any
access-list EXTERNAL-OUT extended permit ip valid source network #2 any
access-list EXTERNAL-OUT extended permit ip valid source network #3 any
access-group INTERNAL-IN in interface internal
access-group EXTERNAL-OUT out interface external
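The outbound access list above works because anything not explicitly permitted falls through to the implicit deny at the end. The following added example (not Cisco's code or configuration) generates the EXTERNAL-OUT entries from a list of valid source prefixes and models the permit/implicit-deny decision for a few sample source addresses; the prefixes are constructed RFC 5737 documentation ranges standing in for the "valid source network" placeholders.

```python
import ipaddress

# Constructed sample: documentation prefixes used in place of the page's
# "valid source network #1..#3" placeholders (an assumption for illustration).
VALID_SOURCE_NETWORKS = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/25"]


def build_outbound_acl(name, networks):
    """Emit ASA-style outbound anti-spoofing ACL lines, one per valid prefix.

    Only valid source networks are permitted; everything else is dropped by
    the implicit deny at the end of the list. ASA syntax uses dotted subnet
    masks (255.255.255.0), not wildcard masks.
    """
    lines = []
    for net in networks:
        n = ipaddress.ip_network(net, strict=True)
        lines.append(
            f"access-list {name} extended permit ip {n.network_address} {n.netmask} any"
        )
    return lines


def parse_acl(lines):
    """Parse 'access-list NAME extended permit ip ADDR MASK any' back into networks."""
    nets = []
    for line in lines:
        parts = line.split()
        if len(parts) == 8 and parts[3:5] == ["permit", "ip"] and parts[7] == "any":
            nets.append(ipaddress.ip_network(f"{parts[5]}/{parts[6]}"))
    return nets


def acl_permits(acl_lines, src):
    """Return True if some entry permits this source address.

    A False result models the implicit deny: the packet would be dropped and
    logged as an access-list denial on the external interface.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in parse_acl(acl_lines))


if __name__ == "__main__":
    acl = build_outbound_acl("EXTERNAL-OUT", VALID_SOURCE_NETWORKS)
    print("\n".join(acl))
    # Constructed sample sources: a valid one, an RFC 1918 address, and an
    # address just outside the /25 (each would be spoofed if seen outbound).
    for src in ["198.51.100.7", "10.0.0.5", "203.0.113.200"]:
        print(f"{src:>16} -> {'permit' if acl_permits(acl, src) else 'deny (implicit)'}")
```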
Viewing drops/denials
show log
- View logs, including denials due to failed source verification
Additional commands
show conn count
- Show the count of connections. Useful for baselining performance before and after a configuration change. A much larger connection count after enabling source verification could indicate a problem with your configuration.
show xlate detail
- Shows active connections, including source interfaces for addresses. These source interfaces do not necessarily match the routing table of the firewall.