Cisco ASA Unicast Reverse Path Forwarding Verification Was Disabled

If you have had a firewall audit and your report states that ‘Unicast Reverse Path Forwarding Verification Was Disabled’ on your Cisco ASA, then read on.

“Network administrators can use Unicast Reverse Path Forwarding (Unicast RPF) to help limit the malicious traffic on an enterprise network. This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is discarded.” – Cisco, https://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html#1

Within the Cisco ASDM, Unicast Reverse Path Forwarding Verification is referred to as Anti-Spoofing / IP Spoofing.

Unicast RPF can be configured on the ASA Security Appliance on a per-interface basis, either in ASDM (under the Anti-Spoofing settings for the interface):

Or with the following command, where interface_name is the nameif of the interface you want to protect:

ip verify reverse-path interface interface_name
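To check the finding yourself before the next audit, the following added script (not from the original post or from Cisco) parses an ASA running-config, lists every named interface, flags those without a matching ip verify reverse-path line, and prints the remediation commands. The config excerpt inside it is constructed for illustration.

```python
import re

# Constructed sample of a Cisco ASA running-config excerpt (not a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
ip verify reverse-path interface outside
"""


def named_interfaces(config):
    """Return the nameif values of all interfaces, in config order."""
    return re.findall(r"^ +nameif +(\S+)", config, re.MULTILINE)


def urpf_enabled_interfaces(config):
    """Return the set of interface names that have uRPF applied."""
    return set(re.findall(r"^ip verify reverse-path interface (\S+)",
                          config, re.MULTILINE))


def urpf_audit(config):
    """Map each named interface to True (uRPF on) or False (uRPF off)."""
    enabled = urpf_enabled_interfaces(config)
    return {name: name in enabled for name in named_interfaces(config)}


def remediation_commands(config):
    """ASA commands that would enable uRPF on each interface lacking it."""
    return [f"ip verify reverse-path interface {name}"
            for name, on in urpf_audit(config).items() if not on]


if __name__ == "__main__":
    for name, on in urpf_audit(SAMPLE_CONFIG).items():
        print(f"{name:10s} uRPF {'enabled' if on else 'DISABLED'}")
    print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```

The ASA's check is strict: a packet is dropped unless the route back to its source address points out the interface it arrived on, so confirm there is no asymmetric routing on an interface before enabling it there.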

Enjoy.
