
Prevent Spoofing Attacks on Cisco ASA using RPF

Written By Harris Andrea

A common attack on TCP/IP networks is IP spoofing. It is usually used for Denial-of-Service, for hiding the attacker's identity, or even to bypass firewall or Access-List security rules. The spoofing attack works like this:

  • A malicious attacker sends packets towards a target host.
  • The attacker disguises itself by inserting a fake source IP into the packet. This fake source IP address in the packet either does not exist at all or it might be a legitimate IP address of some other host located on some other network.
  • The reply traffic from the target will never reach the attacker because the attacker’s source address is bogus. Therefore the identity of the attacker remains unknown.
  • This can cause resource exhaustion on the target host, because the target keeps many "incomplete" (half-open) TCP connections in its memory.

A Cisco ASA Firewall can identify a spoofed packet by using Reverse Path Forwarding (RPF or Unicast RPF – uRPF).

RPF can be enabled on a per interface basis. As soon as RPF is enabled on a specific interface, the ASA firewall will examine the source IP address (in addition to the destination address) of each packet arriving at this interface.


Normally, any Layer 3 network device examines only the destination address of packets in order to know how to route the packet.

By examining also the source IP address of the packet, the firewall can verify if the packet is spoofed or not.

The firewall will try to find the reverse route (the path back towards the source address) in its routing table. If that reverse route does not point out of the interface on which the packet arrived, the packet is considered spoofed and is dropped immediately.

Let's look at the diagram below to clarify the concept of Reverse Path Forwarding:

From the diagram above, an attacker tries to spoof the inside network 192.168.1.0 by using a fake source IP in the packet (fake source IP 192.168.1.1). It sends the packet towards its target host which is 192.168.1.10 (destination address in packet).

On the ASA we have configured RPF on the outside interface as follows:


Ciscoasa(config)# ip verify reverse-path interface outside

The ASA will examine the source address of the spoofed inbound packet and will see that source IP 192.168.1.1 belongs to its internal network.

A packet with such a source IP should never arrive from the outside interface. Therefore the packet will be dropped.

The ASA performs the RPF check by using its routing table. The routing table shows that network 192.168.1.0/24 is reachable via the inside interface of the ASA (assume that we have already configured a static route for this internal network), so a packet claiming that source cannot legitimately arrive on the outside interface.

Checking Statistics of uRPF Dropped Packets

If you want to check how many spoofed packets the ASA has dropped so far, run the following commands:

Ciscoasa# show ip verify statistics interface outside  (stats just for the outside interface)

Ciscoasa# show ip verify statistics interface inside (stats just for the inside interface)

Ciscoasa# show ip verify statistics (stats for all interfaces)

Note:

RPF on Cisco ASA works on unicast traffic and checks packets of TCP, UDP and ICMP protocols.
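To make the decision logic described above concrete, here is an added simulation of the RPF check, the per-interface drop counters behind the "show ip verify statistics" commands, and the note that only TCP, UDP and ICMP unicast packets are checked. This is example code written for this page, not Cisco's implementation and not ASA configuration; the routing table (192.168.1.0/24 via "inside", a default route via "outside"), the interface names and the sample packets are constructed assumptions modelled on the article's diagram. It also shows the case raised in the comments below: a spoofed source that belongs to the outside world matches the default route and therefore passes the check.

```python
import ipaddress
from collections import Counter

# Constructed routing table modelled on the article's diagram (assumption):
# the inside network is reachable via "inside" (static route), everything
# else via the default route out of "outside".
ROUTING_TABLE = [
    (ipaddress.ip_network("192.168.1.0/24"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

# Interfaces on which "ip verify reverse-path" has been enabled (assumption).
RPF_ENABLED = {"outside"}

# Per the article's note, only these protocols are subject to the RPF check.
RPF_CHECKED_PROTOCOLS = {"tcp", "udp", "icmp"}


def reverse_route(src_ip, table=ROUTING_TABLE):
    """Longest-prefix match on the SOURCE address: returns the interface the
    firewall would use to send a reply back to src_ip, or None if no route."""
    src = ipaddress.ip_address(src_ip)
    best_net, best_iface = None, None
    for net, iface in table:
        if src in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


class RpfChecker:
    """Simulates the per-interface uRPF decision and its drop statistics."""

    def __init__(self, table=ROUTING_TABLE, rpf_interfaces=RPF_ENABLED):
        self.table = table
        self.rpf_interfaces = set(rpf_interfaces)
        self.dropped = Counter()  # interface name -> spoofed packets dropped

    def check(self, ingress_iface, src_ip, dst_ip, protocol):
        """Return True if the packet is allowed to continue, False if the
        RPF check drops it as spoofed."""
        if ingress_iface not in self.rpf_interfaces:
            return True  # RPF not enabled on this interface
        if protocol.lower() not in RPF_CHECKED_PROTOCOLS:
            return True  # other protocols are not subject to the check
        if ipaddress.ip_address(dst_ip).is_multicast:
            return True  # RPF applies to unicast traffic only
        expected_iface = reverse_route(src_ip, self.table)
        if expected_iface != ingress_iface:
            # The reverse path does not point out of the arrival interface:
            # the source address cannot legitimately come from here.
            self.dropped[ingress_iface] += 1
            return False
        return True

    def statistics(self, iface=None):
        """Drop count for one interface, or the total for all interfaces
        (mirrors 'show ip verify statistics [interface X]')."""
        if iface is None:
            return sum(self.dropped.values())
        return self.dropped[iface]


def run_demo():
    """Runs constructed sample packets through the checker; returns a dict of
    (interface, source, destination, protocol) -> passed/dropped."""
    checker = RpfChecker()
    # Constructed sample packets (203.0.113.5 is a documentation address).
    packets = [
        ("outside", "192.168.1.1", "192.168.1.10", "tcp"),   # article's spoof
        ("outside", "203.0.113.5", "192.168.1.10", "tcp"),   # outside source
        ("inside", "192.168.1.20", "203.0.113.5", "udp"),    # RPF off here
        ("outside", "192.168.1.1", "192.168.1.10", "gre"),   # not checked
    ]
    results = {}
    for pkt in packets:
        results[pkt] = "passed" if checker.check(*pkt) else "dropped"
    return results, checker


if __name__ == "__main__":
    results, checker = run_demo()
    for pkt, verdict in results.items():
        print(f"{pkt[0]:8} src={pkt[1]:14} dst={pkt[2]:14} {pkt[3]:4} -> {verdict}")
    print("dropped on outside:", checker.statistics("outside"))
```

Running the demo shows the article's packet (source 192.168.1.1 arriving on outside) being dropped and the outside counter incrementing, while the packet with an outside source address passes because its reverse route is the default route via the outside interface. That last case is exactly why RPF is a check on the routing table's view of the topology, not a general anti-spoofing guarantee.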


Filed Under: Cisco ASA Firewall Configuration


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Bobby says

    February 9, 2010 at 10:38 am

    Great post!

    I'd be curious to know how much of an additional load the ASA's CPU would take by utilizing this command? A lot? A little? It all depends?

    I guess it depends on the model, how much traffic, and potentially how many other CPU intensive processes are taking place.

  2. BlogAdmin says

    February 9, 2010 at 10:57 am

    Hello Bobby,

    I have it running on a 5540 with medium traffic and the CPU is about 15-20%. I don't think it's a very intensive operation.

  3. Ray Savage says

    September 6, 2022 at 7:25 pm

    Every example of this I have seen always uses an "internal" address as the spoofed IP. What if… a person has knowledge of an APPROVED/whitelisted external IP, would the process be more successful if they used THAT IP as source or not? Eventually the packets have to return to THEM at their OTHER IP, so would reverse path work, since it will see the spoof on the external interface, where it's supposed to be?

  4. Harris Andrea says

    September 7, 2022 at 8:11 am

    Ray, if the spoofed source IP is an external public IP (one that should come from the outside, internet-facing interface), then RPF will not kick in.
