https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863189#M1102040 <P>i know about reason. just wanted to know if there is a way for asa urpf to be aware of pbr and see this as legitimate setup</P><P>&nbsp;</P> Tue, 27 Jun 2023 13:13:56 GMT DraganSkundric87318 2023-06-27T13:13:56Z https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863118#M1102035 <P>imagine basic asa setup with two outside interfaces, two providers, and one inside interface. I have route map that route traffic from one inside ip to provider 2 and default route to provider 1. If I implement reverse path check, asa uses routing table as reference point and I have problem with traffic from provider 2. Is there a solution to this that is implementable on asa?</P><P>&nbsp;</P><P>br</P> Tue, 27 Jun 2023 11:14:39 GMT https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863118#M1102035 DraganSkundric87318 2023-06-27T11:14:39Z https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863162#M1102038 <P>You should not configure uRPF on ASA on those outside interfaces, because uRPF doesn't make any sense in this scenario. Both outside interfaces can be used to access any Internet IP address, hence traffic from any IP address can come back through both of the interfaces. In a certain sense this is equivalent to two default routes, so uRPF doesn't add any value here.</P><P>&nbsp;</P> Tue, 27 Jun 2023 12:31:04 GMT https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863162#M1102038 tvotna 2023-06-27T12:31:04Z https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863188#M1102039 <P>you have asymmetric routing that why uRPF is drop packet&nbsp;</P> Tue, 27 Jun 2023 13:12:27 GMT https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863188#M1102039 MHM Cisco World 2023-06-27T13:12:27Z https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863189#M1102040 <P>i know about reason. just wanted to know if there is a way for asa urpf to be aware of pbr and see this as legitimate setup</P><P>&nbsp;</P> Tue, 27 Jun 2023 13:13:56 GMT https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863189#M1102040 DraganSkundric87318 2023-06-27T13:13:56Z https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863193#M1102042 <P>if you use ECMP then I think this issue will solve&nbsp;</P> Tue, 27 Jun 2023 13:24:45 GMT https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863193#M1102042 MHM Cisco World 2023-06-27T13:24:45Z https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863228#M1102047 <P>Theoretically, PBR could mark flow to exempt returning packets from uRPF check, but this has never been implemented.</P><P>HTH</P><P>&nbsp;</P> Tue, 27 Jun 2023 14:01:43 GMT https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863228#M1102047 tvotna 2023-06-27T14:01:43Z https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863231#M1102048 <P>Can you check NAT' if the traffic not NATing correctly then this can lead to asymmetric.</P> Tue, 27 Jun 2023 14:03:45 GMT https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863231#M1102048 MHM Cisco World 2023-06-27T14:03:45Z https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863298#M1102059 <P>I don't believe there is a fix for that, however, if you want to send the traffic from a specific endpoint on the inside out of provider 2 why not to create a NAT rule for that specific endpoint and map it to the ASA interface connected to provider 2?</P> Tue, 27 Jun 2023 15:24:47 GMT https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863298#M1102059 Aref Alsouqi 2023-06-27T15:24:47Z https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863650#M1102070 <P>but urpf will still see return traffic from&nbsp; internet IPs on interface 2 while routing table has route for them on interface 1 and reverse deny this traffic ... I guess</P> Wed, 28 Jun 2023 06:01:45 GMT https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863650#M1102070 DraganSkundric87318 2023-06-28T06:01:45Z https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863734#M1102077 <P>I think he use FW behind Edge router and Edge router doing NATing, and I am with you NATing can solve issue here,&nbsp;<BR />instead of NATing only in edge router he can NATing to link between FW and Edge router and in Edge router he can NATing again from private to public.&nbsp;<BR />I ask him about NATing let see his answer&nbsp;</P> Wed, 28 Jun 2023 09:08:05 GMT https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863734#M1102077 MHM Cisco World 2023-06-28T09:08:05Z https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863739#M1102078 <P>No NATing is workaround that solve your issue'</P> <P>The edge router without NATing</P> <P>Have route to FW inside via two path and it select one that make urpf drop packet in FW&nbsp;</P> <P>If we NATing then edge router will send traffic to direct connect link and hence the FW recieve traffic in correct OUTside interface and urpf not drop traffic&nbsp;</P> Wed, 28 Jun 2023 09:46:22 GMT https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863739#M1102078 MHM Cisco World 2023-06-28T09:46:22Z https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863742#M1102079 <P>i have edge routers toward both providers where I am doing NAT. ok, there is work arround to connect both providers to same asa interface and do some chemistry there and move urpf/async path from asa</P> Wed, 28 Jun 2023 09:36:47 GMT https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863742#M1102079 DraganSkundric87318 2023-06-28T09:36:47Z https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863751#M1102082 <P>The issue not edge router with ISP</P> <P>The isse is FW and edge router'</P> <P>If we NATing in FW this make edge router forward traffic to correct direct connect link.</P> Wed, 28 Jun 2023 09:48:23 GMT https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863751#M1102082 MHM Cisco World 2023-06-28T09:48:23Z https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863759#M1102086 <P>Alternatively, you can just remove the uRPF from the firewalls and configure an access list on the edge routers interfaces that are facing the ISPs to deny the incoming RFC1918 ranges allowing everything else. That will drop any private IP addresses in inbound and it won't affect VPN as the VPN traffic would be encrypted when it passes through the edge routers.</P> Wed, 28 Jun 2023 09:57:04 GMT https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/4863759#M1102086 Aref Alsouqi 2023-06-28T09:57:04Z https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/5244820#M1118633 <P>Did you try traffic zones? I believe that is one of the purposes of traffic zones but I could be wrong.</P> Wed, 08 Jan 2025 16:01:42 GMT https://community.cisco.com/t5/network-security/asa-reverse-path-check-and-policy-routing/m-p/5244820#M1118633 ajwallace 2025-01-08T16:01:42Z