One of the best features built into the ASA is protection against spoofed source IP addresses, called Unicast Reverse Path Forwarding (uRPF). uRPF compares the packet's source IP address with the routing table; if the packet arrived on one interface but the routing table says the route back to that source IP is via a different interface, the ASA drops the packet, e.g.

  • a packet with (spoofed) source IP 10.10.10.100 reached the “outside” interface
  • the route for 10.10.10.100 is:

   route inside 10.10.10.0 255.255.255.0 10.10.10.2

INTERNET (outside) ASA (inside) LAN

The ASA compared the source IP of the packet (10.10.10.100 on the “outside” interface) with the routing table and noticed that traffic to network 10.10.10.0/24 should be sent via the “inside” interface, not “outside”. Because of that, the ASA drops the packet as a spoofed packet.

uRPF is implemented for the following protocols:

  • ICMP – every packet is checked
  • UDP – the initial packet is checked against the routing table and later packets are checked based on the session “state”. Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet.
  • TCP – in the same way as for UDP

Configuration

In most scenarios we will enable uRPF on external interfaces; however, it can also be enabled for internal networks.

In the typical situation a packet enters the outside interface and the “default route” is used as the reverse route.

If the packet has a source IP from the LAN network it should be dropped, because the ASA knows this source IP should enter the ASA on the inside interface (or any other interface, but not the external one). As mentioned before, the routing table is used for the comparison.

(config)# ip verify reverse-path interface outside

Enabling uRPF for “outside” interface

The situation is similar with uRPF on an internal interface. When traffic enters the internal interface and there is no route for the source IP via that interface, the packet is dropped.

(config)# ip verify reverse-path interface inside

Enabling uRPF for “inside” interface
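The decision logic described above (reverse lookup of the source IP in the routing table on whichever interface uRPF is enabled, the default route acting as the reverse route for the outside interface, and the stateful check for non-initial UDP/TCP packets) as an added Python simulation. This is example code written for this post, not ASA code or output; the routing table entries, the hypothetical default gateway 203.0.113.1, the packet values and the per-interface drop counter are all constructed to mirror the post's scenario.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed routing table in "route <iface> <network> <mask> <gateway>" form.
# The inside route mirrors the post; the default route and its gateway are hypothetical.
ROUTES = [
    ("inside", "10.10.10.0", "255.255.255.0", "10.10.10.2"),
    ("outside", "0.0.0.0", "0.0.0.0", "203.0.113.1"),  # default route (hypothetical)
]


def mask_to_prefixlen(mask):
    """Dotted netmask (255.255.255.0) -> prefix length (24)."""
    return bin(int(ipaddress.ip_address(mask))).count("1")


@dataclass
class Urpf:
    routes: list
    enabled: set = field(default_factory=set)       # interfaces with "ip verify reverse-path"
    sessions: dict = field(default_factory=dict)    # 5-tuple -> interface of the initial packet
    drops: dict = field(default_factory=dict)       # per-interface "unicast rpf drops" counter

    def enable(self, iface):
        """Equivalent of: ip verify reverse-path interface <iface>."""
        self.enabled.add(iface)
        self.drops.setdefault(iface, 0)

    def reverse_iface(self, src_ip):
        """Longest-prefix-match lookup of the route back to src_ip; None if no route."""
        addr = ipaddress.ip_address(src_ip)
        best = None
        for iface, net, mask, _gw in self.routes:
            network = ipaddress.ip_network(f"{net}/{mask_to_prefixlen(mask)}")
            if addr in network and (best is None or network.prefixlen > best[1]):
                best = (iface, network.prefixlen)
        return best[0] if best else None

    def check(self, ingress, proto, src, dst, sport=0, dport=0):
        """Return True if the packet passes uRPF on `ingress`, False if it is dropped."""
        if ingress not in self.enabled:
            return True                       # uRPF not configured on this interface
        key = (proto, src, sport, dst, dport)
        if proto in ("udp", "tcp") and key in self.sessions:
            # Non-initial packet: must arrive on the same interface as the initial one.
            ok = self.sessions[key] == ingress
        else:
            # ICMP, or the initial UDP/TCP packet: compare with the routing table.
            ok = self.reverse_iface(src) == ingress
            if ok and proto in ("udp", "tcp"):
                self.sessions[key] = ingress  # remember the interface for later packets
        if not ok:
            self.drops[ingress] += 1
        return ok

    def statistics(self):
        """Lines in the style of 'show ip verify statistics'."""
        return [f"interface {i}: {n} unicast rpf drops" for i, n in self.drops.items()]


if __name__ == "__main__":
    asa = Urpf(routes=ROUTES)
    asa.enable("outside")
    asa.enable("inside")
    # Spoofed LAN address arriving from the Internet: dropped.
    print(asa.check("outside", "icmp", "10.10.10.100", "198.51.100.5"))
    # Genuine Internet source matching the default route: passes.
    print(asa.check("outside", "icmp", "198.51.100.5", "10.10.10.50"))
    for line in asa.statistics():
        print(line)
```

The lookup is a plain longest-prefix match, so the 0.0.0.0/0 default route only wins for sources that no more specific route covers; that is exactly why a LAN source on the outside interface fails the check while an arbitrary Internet source passes it.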

STATISTICS

# show ip verify statistics

interface outside: 0 unicast rpf drops
interface inside: 0 unicast rpf drops

# show ip verify statistics interface inside
interface inside: 0 unicast rpf drops

# show ip verify statistics interface outside
interface outside: 0 unicast rpf drops


dzbanek 2013-03-14