https://community.cisco.com/t5/network-security/reverse-path-verify-deny/m-p/3070310#M146185 <P>Hi</P> <P></P> <P>ive worked it out thanks for the help .&nbsp; ......... the nat rule was outside to inside but the device we were going to was on a dmz interface so i changed the nat to outside to dmz ... ....</P> <P></P> <P>Regards</P> Wed, 01 Mar 2017 11:23:55 GMT manuscript1 2017-03-01T11:23:55Z https://community.cisco.com/t5/network-security/reverse-path-verify-deny/m-p/3070308#M146181 <P>Hi</P> <P></P> <P>getting a deny on a packet going external to my dmz.</P> <P></P> <P>we have recently added "ip reverse path verify " on the dmz and outside interfaces of the asa - but on no other interfaces.</P> <P>I dont want to remove this command for anti-spoofing .</P> <P></P> <P>The error we have is:</P> <P></P> <P>deny tcp reverse path check from 60.x.x.x to 10.129.1.177 on interface inside</P> <P></P> <P>the 60 address is the internet , the 10.129.1.177 is on the dmz. ( so not sure why its even going near the&nbsp; inside interface )</P> <P></P> <P>I understand these issues are usually routing table errors ?</P> <P></P> <P>relevant routing table edited is :</P> <P></P> <P>0.0.0.0 0.0.0.0 via 7.7.7.7 outside</P> <P>10.0.0.0 255.0.0.0 via x.x.x.x inside</P> <P>10.129.1.128&nbsp;&nbsp;&nbsp;&nbsp; 255.255.255.128&nbsp; is directly connected in DMZ</P> <P></P> <P>is it the generic 10.x.x.x 255.0.0.0 on the inside interface causing this ?&nbsp;&nbsp;&nbsp; I cannot add a more specific route as the route is directly connected .</P> <P>any advice given would be great !</P> <P></P> <P>thank you</P> <H1 style="margin-bottom: .0001pt; line-height: normal; text-autospace: none;"><SPAN style="font-size: 8.0pt; font-family: 'Segoe UI','sans-serif'; color: black;">&nbsp;</SPAN></H1> <P style="margin-bottom: .0001pt; line-height: normal; text-autospace: none;"><SPAN style="font-size: 8.0pt; font-family: 'Segoe UI','sans-serif'; color: black;"></SPAN></P> <P style="margin-bottom: .0001pt; line-height: normal; text-autospace: none;"><SPAN style="font-size: 8.0pt; font-family: 'Segoe UI','sans-serif'; color: black;"></SPAN></P> Tue, 12 Mar 2019 08:59:30 GMT https://community.cisco.com/t5/network-security/reverse-path-verify-deny/m-p/3070308#M146181 manuscript1 2019-03-12T08:59:30Z https://community.cisco.com/t5/network-security/reverse-path-verify-deny/m-p/3070309#M146183 <P>Make sure the associated NAT rule is specific (i.e. no "any" interface keyword) and that a packet-tracer shows you are hitting that particular rule.</P> <P>You may also need to append "route-lookup" to the rule to eliminate any confusion on the ASA's part.</P> Wed, 01 Mar 2017 02:00:06 GMT https://community.cisco.com/t5/network-security/reverse-path-verify-deny/m-p/3070309#M146183 Marvin Rhoads 2017-03-01T02:00:06Z https://community.cisco.com/t5/network-security/reverse-path-verify-deny/m-p/3070310#M146185 <P>Hi</P> <P></P> <P>ive worked it out thanks for the help .&nbsp; ......... the nat rule was outside to inside but the device we were going to was on a dmz interface so i changed the nat to outside to dmz ... ....</P> <P></P> <P>Regards</P> Wed, 01 Mar 2017 11:23:55 GMT https://community.cisco.com/t5/network-security/reverse-path-verify-deny/m-p/3070310#M146185 manuscript1 2017-03-01T11:23:55Z