Configuring IPS Protection and IP Spoofing on Cisco ASA 5500 Firewalls

Written By Harris Andrea

The Cisco ASA firewall appliance provides great security protection out-of-the box with its default configuration. However, to increase the security protection even further, there are several configuration enhancements that can be used to implement additional security features. Two of these features are IP Spoofing protection and basic Intrusion Prevention (IPS) support.

IP Spoofing Protection

IP spoofing attacks are those in which the source IP address of packets is forged to hide their true origin. Anti-spoofing protection means that packets arriving at a particular interface (e.g. inside) must carry a source IP address that is reachable through that same interface according to the firewall routing table. Normally the firewall looks only at the destination address of a packet in order to forward it. If you enable the IP Spoofing protection mechanism, the firewall also checks the source address of each packet.

If, for example, our inside interface connects to the internal network 192.168.1.0/24, packets arriving at the inside firewall interface must have a source address in the range 192.168.1.0/24 (or in another network that the routing table reaches via the inside interface); otherwise they are dropped when IP Spoofing protection is configured.


The IP Spoofing feature uses the Unicast Reverse Path Forwarding (Unicast RPF) mechanism, which dictates that for any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address.

To enable IP Spoofing protection, enter the following command:

CiscoASA5500(config)# ip verify reverse-path interface interface_name

For example, to enable IP spoofing protection on the inside interface, use the following command:

CiscoASA5500(config)# ip verify reverse-path interface inside
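To make the reverse-path check concrete, here is an added example (my own code, not from the article or from Cisco) that models what the firewall does once `ip verify reverse-path` is enabled on an interface: it performs a longest-prefix lookup on the packet's source address and drops the packet if the route back to that source does not leave through the interface the packet arrived on. The routing table, interface names and sample packets are constructed for the example; the function names are my own.

```python
import ipaddress

# Constructed routing table for a two-interface ASA (assumption: these prefixes and
# interface names are illustrative, not taken from the article): the inside interface
# owns 192.168.1.0/24, a second internal subnet is reached via inside, and the
# default route points out the outside interface.
ROUTES = [
    ("192.168.1.0/24", "inside"),
    ("10.10.0.0/16", "inside"),
    ("0.0.0.0/0", "outside"),
]


def build_rib(routes):
    """Parse (prefix, interface) pairs into ip_network objects."""
    return [(ipaddress.ip_network(prefix), ifname) for prefix, ifname in routes]


def lookup(rib, addr):
    """Longest-prefix match: the interface the firewall would use to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifname in rib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def passes_reverse_path(rib, ingress, src):
    """The check 'ip verify reverse-path interface <ingress>' adds: the route back to
    the packet's source must leave through the interface the packet arrived on."""
    return lookup(rib, src) == ingress


def classify(rib, rpf_interfaces, packets):
    """Return (ingress, src, dst, verdict) for each packet; the check only runs on
    interfaces where reverse-path verification was enabled."""
    out = []
    for ingress, src, dst in packets:
        if ingress in rpf_interfaces and not passes_reverse_path(rib, ingress, src):
            out.append((ingress, src, dst, "drop"))
        else:
            out.append((ingress, src, dst, "forward"))
    return out


# Constructed sample packets: two legitimate flows, one internal host using a
# forged public source, and one external host using a forged internal source.
SAMPLE_PACKETS = [
    ("inside", "192.168.1.50", "203.0.113.9"),
    ("inside", "10.10.5.5", "203.0.113.9"),
    ("inside", "203.0.113.9", "192.168.1.50"),
    ("outside", "192.168.1.50", "203.0.113.9"),
    ("outside", "203.0.113.9", "192.168.1.50"),
]

if __name__ == "__main__":
    rib = build_rib(ROUTES)
    for ingress, src, dst, verdict in classify(rib, {"inside", "outside"}, SAMPLE_PACKETS):
        print(f"{ingress:8} {src:>15} -> {dst:<15} {verdict}")
```

Note the effect of the default route: on the outside interface every source that is not an internal prefix matches 0.0.0.0/0 and passes, so the check there mainly stops packets that claim an internal source address; on the inside interface, where nothing but internal prefixes route back, any other source is dropped.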

Basic IPS Protection

Although the ASA Firewall supports full IPS functionality with an extra IPS hardware module (AIP-SSM), it also supports basic IPS protection which is built in by default and needs no extra hardware module. The built-in IPS feature supports a basic list of signatures, and you can configure the security appliance to perform one or more actions on traffic that matches a signature. The command that implements the basic IPS feature is called "ip audit".


There are two signature groups embedded in the firewall software: "Informational" and "Attack" signatures. You can define an IP audit policy for each signature group as follows:

For informational signatures:

CiscoASA5500(config)# ip audit name "name" info [action [alarm] [drop] [reset]]

For attack signatures:

CiscoASA5500(config)# ip audit name "name" attack [action [alarm] [drop] [reset]]

The keywords [alarm], [drop], [reset] define the actions to perform on a malicious packet that matches one of the signatures. [alarm] generates a system message showing that a packet matched a signature, [drop] drops the packet, and [reset] drops the packet and closes the connection.

After defining an IP audit policy (IPS policy) as shown above, we need to attach the policy to a specific interface:

CiscoASA5500(config)# ip audit interface "interface_name" "policy_name"

Let’s see an actual example:

CiscoASA5500(config)# ip audit name dropattacks attack action drop
CiscoASA5500(config)# ip audit interface outside dropattacks
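The alarm action above produces syslog messages, and the drop/reset actions decide what happens to the matching packet. The following added example (my own code, not from the article or from Cisco) parses the IDS alarm lines the feature emits, tallies them per signature and per source, and maps each hit to the verdict that a given audit policy would produce, using the article's `dropattacks` policy. The sample syslog lines are constructed (message ids and addresses are illustrative; only the line layout follows the documented `IDS:<sig> <text> from <src> to <dst> on interface <name>` shape), the signature-to-group table is a small subset reproduced from memory rather than from the article, and all function names are my own.

```python
import re
from collections import Counter

# Subset of the ASA built-in signature list, grouped the way "ip audit" groups them.
# Assumption: this mapping is reproduced from memory of the signature table, not from
# the article; confirm the groups against the documentation for your release.
INFO_SIGNATURES = {
    1000: "IP options-Bad Option List",
    2000: "ICMP Echo Reply",
    2004: "ICMP Echo Request",
    6100: "RPC Port Registration",
}
ATTACK_SIGNATURES = {
    1100: "IP Fragment Attack",
    2150: "Fragmented ICMP Traffic",
    2154: "Ping of Death Attack",
    3040: "TCP NULL flags",
    3041: "TCP SYN+FIN flags",
    4050: "UDP Bomb attack",
    6051: "DNS Zone Transfer",
}

# Layout of an IDS alarm: "%ASA-4-4000nn: IDS:<sig> <text> from <src> to <dst> on interface <name>"
LINE_RE = re.compile(
    r"%ASA-\d-\d+: IDS:(?P<sig>\d+) (?P<desc>.+?) from (?P<src>[\d.]+) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)$"
)


def parse_ids_line(line):
    """Return a dict for an IDS alarm line, or None for any other syslog line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sig"] = int(rec["sig"])
    if rec["sig"] in INFO_SIGNATURES:
        rec["group"] = "info"
    elif rec["sig"] in ATTACK_SIGNATURES:
        rec["group"] = "attack"
    else:
        rec["group"] = "unknown"
    return rec


def verdict(group, audit_policy):
    """Outcome for a packet under the policy bound to its interface, modelled as
    {"info": {actions}, "attack": {actions}} from 'ip audit name ... action ...'.
    reset implies drop; alarm alone only logs, so the packet is still forwarded."""
    actions = audit_policy.get(group, set())
    if "reset" in actions:
        return "drop+reset"
    if "drop" in actions:
        return "drop"
    return "forward"


def summarize(lines, audit_policy):
    """Count alarms per signature and per source, and tally the verdicts the policy yields."""
    by_sig, by_src, verdicts = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_ids_line(line)
        if rec is None:
            continue
        by_sig[rec["sig"]] += 1
        by_src[rec["src"]] += 1
        verdicts[verdict(rec["group"], audit_policy)] += 1
    return {"by_signature": dict(by_sig), "by_source": dict(by_src), "verdicts": dict(verdicts)}


# Constructed sample log (message ids and addresses are illustrative); the last line is
# an ordinary connection message that the parser must ignore.
SAMPLE_LOG = """\
%ASA-4-400013: IDS:2004 ICMP Echo Request from 203.0.113.9 to 198.51.100.10 on interface outside
%ASA-4-400027: IDS:3041 TCP SYN+FIN flags from 203.0.113.9 to 198.51.100.10 on interface outside
%ASA-4-400027: IDS:3041 TCP SYN+FIN flags from 203.0.113.9 to 198.51.100.11 on interface outside
%ASA-4-400025: IDS:2154 Ping of Death Attack from 203.0.113.77 to 198.51.100.10 on interface outside
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/4000 (203.0.113.9/4000) to inside:192.168.1.20/80 (198.51.100.10/80)
"""

# The article's example policy: 'ip audit name dropattacks attack action drop'
DROPATTACKS = {"attack": {"drop"}}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines(), DROPATTACKS))
```

With the `dropattacks` policy the informational echo-request hit is only logged and forwarded, while the three attack-group hits are dropped; swapping the policy for `{"attack": {"alarm", "reset"}}` changes those three verdicts to drop+reset, which is the difference between the `drop` and `reset` keywords described above.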


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Terry Gwazdosky says

    June 2, 2010 at 3:07 pm

    Nice article. I’ve found the anti-spoofing feature very handy.

  2. Md Subrun Jamil says

    September 11, 2013 at 5:49 am

    Dear Admin

    I have an ASA firewall where the default timeout conn / timeout xlate is 1 hour / 3 hours respectively. My question is how to set a value other than the default one for a specific IP/IP block.

    My ASA IOS Version is 8.4.

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Please help.

    BR//Subrun.
    +8801817183074

  3. Blog Admin says

    September 11, 2013 at 6:42 am

    The timeout connection parameters can be changed using the Modular Policy Framework for selective IP addresses or for some protocols as well.

    Example:
    class-map telnet_traffic
     match port tcp eq 23

    class-map to-server
     match access-list serveracl

    policy-map global_policy
     class telnet_traffic
      set connection timeout idle 10:0:0

     class to-server
      set connection timeout idle 1:0:0
