Preventing Ip Spoofing - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line
Chapter 23
Preventing Network Attacks
You can enter this command all on one line (in any order), or you can enter each attribute as a separate
command. The security appliance combines the command into one line in the running configuration.
Step 5
To set the timeout for connections, embryonic connections (half-opened), half-closed connections, and
dead connection detection, enter the following command:
hostname(config-pmap-c)# set connection timeout {[tcp <value> [reset]] [half-close <value>] [embryonic <value>] [dcd [<retry-interval> [<max-retries>]]]}
where the half-close and tcp values are a time between 0:5:0 and 1192:59:59, in hh:mm:ss format. The
default for half-close is 0:10:0 and the default for tcp is 1:0:0. You can also set these values to 0, which
means the connection never times out.
The embryonic <value> is a time between 0:0:5 and 1192:59:59, in hh:mm:ss format. The default is
0:0:30. You can also set this value to 0, which means the connection never times out.
The dcd <retry-interval> is a time duration in <hh:mm:ss> format to wait between each unresponsive
DCD probe. The minimal value is 1 second, and the maximum value is 24 hours. The default value is 15
seconds.
The dcd <max-retries> is the number of consecutive failed retries before declaring the connection as
dead. The minimum value is 1 and the maximum value is 255, and the default is 5.
You can enter this command all on one line (in any order), or you can enter each attribute as a separate
command. The command is combined onto one line in the running configuration.
Step 6
To activate the policy map on one or more interfaces, enter the following command:
hostname(config)# service-policy policymap_name {global | interface interface_name}
where global applies the policy map to all interfaces, and interface applies the policy to one interface.
Only one global policy is allowed. You can override the global policy on an interface by applying a
service policy to that interface. You can only apply one policy map to each interface.

Preventing IP Spoofing

This section lets you enable Unicast Reverse Path Forwarding on an interface. Unicast RPF guards
against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring
that all packets have a source IP address that matches the correct source interface according to the
routing table.
Normally, the security appliance only looks at the destination address when determining where to
forward the packet. Unicast RPF instructs the security appliance to also look at the source address; this
is why it is called Reverse Path Forwarding. For any traffic that you want to allow through the security
appliance, the security appliance routing table must include a route back to the source address. See
RFC 2267 for more information.
For outside traffic, for example, the security appliance can use the default route to satisfy the
Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known
to the routing table, the security appliance uses the default route to correctly identify the outside
interface as the source interface.
If traffic enters the outside interface from an address that is known to the routing table, but is associated
with the inside interface, then the security appliance drops the packet. Similarly, if traffic enters the
inside interface from an unknown source address, the security appliance drops the packet because the
matching route (the default route) indicates the outside interface.
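The four cases described above (unknown source on outside, inside-routed source on outside, unknown source on inside) can be traced with a small simulation of the Unicast RPF decision. This is an added example, not code from the Cisco guide; the routing table, prefixes and interface names are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (prefix, interface the route points out of).
# The default route is what lets unknown outside sources pass the check.
ROUTES = [
    ("0.0.0.0/0", "outside"),        # default route
    ("192.168.1.0/24", "inside"),    # inside network
    ("10.10.0.0/16", "dmz"),         # a third interface
]


def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match: return the interface the best route points to,
    or None if no route (not even a default route) covers the address."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(src, ingress_iface, routes=ROUTES):
    """Unicast RPF: the packet passes only if the route back to its source
    address points out of the interface it arrived on. Returns (allowed, reason)."""
    expected = route_lookup(src, routes)
    if expected is None:
        return False, "no route back to source"
    if expected != ingress_iface:
        return False, f"route to {src} points to {expected}, not {ingress_iface}"
    return True, "reverse path matches ingress interface"


if __name__ == "__main__":
    # The scenarios from the text, with constructed addresses.
    cases = [
        ("203.0.113.7", "outside"),   # unknown source on outside: default route -> pass
        ("192.168.1.5", "outside"),   # inside-routed source arriving on outside -> drop
        ("203.0.113.7", "inside"),    # unknown source on inside: default route says outside -> drop
        ("192.168.1.5", "inside"),    # inside source on inside -> pass
    ]
    for src, iface in cases:
        ok, why = urpf_check(src, iface)
        print(f"{src:>14} on {iface:<7}: {'PASS' if ok else 'DROP'} ({why})")
```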
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 23-5