<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic rpf check in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352640#M307699</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I would have to see the ASA configurations.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I don't have any idea of the actual source interfaces and networks in this situation, which are essential.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Actually in this situation you might be fine configuring a Static NAT for the DMZ server towards the interface where the Wifi Router is located.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But again I can't tell the whole setup from the above.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- Jouni&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 05 Dec 2013 09:57:50 GMT</pubDate>
    <dc:creator>Jouni Forss</dc:creator>
    <dc:date>2013-12-05T09:57:50Z</dc:date>
    <item>
      <title>rpf check</title>
      <link>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352637#M307695</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is there any other workaround to reach an IP which is from the IP pool configured on the outside interface without disabling the ip verify reverse path check? I have an ASA running ver 8.4 &amp;amp; interfaces configured as below.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;interface Ethernet0/0&lt;/P&gt;&lt;P&gt;nameif outside&lt;/P&gt;&lt;P&gt;security-level 0&lt;/P&gt;&lt;P&gt;ip address x.x.86.2 255.255.255.192&lt;/P&gt;&lt;P&gt;!&lt;/P&gt;&lt;P&gt;interface Ethernet0/1&lt;/P&gt;&lt;P&gt;nameif standby&lt;/P&gt;&lt;P&gt;security-level 0&lt;/P&gt;&lt;P&gt;ip address x.x.218.134 255.255.255.192&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;route outside 0.0.0.0 0.0.0.0 x.x.86.1 1 &lt;/P&gt;&lt;P&gt;route standby 0.0.0.0 0.0.0.0 x.x.218.133 20&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have two internet circuits from two different ISPs. I am facing a problem: if I try to reach IP x.x.86.21 with source x.x.218.142, then it is unreachable. Maybe because of the rpf check being enabled. I don't want to disable rpf. So is there any other way to reach this specific IP from this specific source address?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Pls help.&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 03:13:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352637#M307695</guid>
      <dc:creator>Anukalp S</dc:creator>
      <dc:date>2019-03-12T03:13:11Z</dc:date>
    </item>
    <item>
      <title>rpf check</title>
      <link>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352638#M307696</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Seems to me that the traffic would never even flow that way.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If the packet arrived on the ASA it would see that the destination host x.x.86.21 is on a directly connected network. And since you probably have some Static NAT or Static PAT for that public IP address x.x.86.21 configured on the ASA from some LAN interface to the WAN interface, the connection would fail.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Even in a normal single ISP setup you won't be able to connect to your public NAT IP address directly from the LAN unless you configure a NAT that actually translates the local server from the local IP address to the public IP address towards the LAN. In this case you will also have to configure NAT for the source address translation.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So it would seem to me that you probably have to configure a special NAT for your users to be able to connect to the public NAT IP address from behind the ASA. Users on the external network should not have problems reaching hosts using either of the public IP address ranges.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- Jouni&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 05 Dec 2013 08:50:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352638#M307696</guid>
      <dc:creator>Jouni Forss</dc:creator>
      <dc:date>2013-12-05T08:50:10Z</dc:date>
    </item>
    <item>
      <title>rpf check</title>
      <link>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352639#M307697</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Jouni..&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;How could this special NAT be configured? A config example would make it clearer to me.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Actually IP x.x.218.142 is the wifi router's and IP x.x.86.21 is configured as a static NAT to a DMZ server. So when anyone connects over wifi and tries to reach this NAT server IP x.x.86.21, it fails. I have two different internet routers ahead of the ASA for both ISP links. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any workaround to reach this server IP would be highly appreciated. Can't do anything to reach this specific server from wifi.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 05 Dec 2013 09:24:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352639#M307697</guid>
      <dc:creator>Anukalp S</dc:creator>
      <dc:date>2013-12-05T09:24:24Z</dc:date>
    </item>
    <item>
      <title>rpf check</title>
      <link>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352640#M307699</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I would have to see the ASA configurations.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I don't have any idea of the actual source interfaces and networks in this situation, which are essential.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Actually in this situation you might be fine configuring a Static NAT for the DMZ server towards the interface where the Wifi Router is located.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But again I can't tell the whole setup from the above.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- Jouni&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 05 Dec 2013 09:57:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352640#M307699</guid>
      <dc:creator>Jouni Forss</dc:creator>
      <dc:date>2013-12-05T09:57:50Z</dc:date>
    </item>
    <item>
      <title>rpf check</title>
      <link>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352641#M307701</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi..&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The WiFi router is connected to an ISP router and configured with an IP x.x.218.142 from the IP pool which is configured as standby in the ASA. Also attaching a diagram.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;interface Ethernet0/0&lt;/P&gt;&lt;P&gt;nameif outside&lt;/P&gt;&lt;P&gt;security-level 0&lt;/P&gt;&lt;P&gt;ip address x.x.86.2 255.255.255.192&lt;/P&gt;&lt;P&gt;!&lt;/P&gt;&lt;P&gt;interface Ethernet0/1&lt;/P&gt;&lt;P&gt;nameif standby&lt;/P&gt;&lt;P&gt;security-level 0&lt;/P&gt;&lt;P&gt;ip address x.x.218.134 255.255.255.192&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;interface Ethernet0/1&lt;/P&gt;&lt;P&gt; nameif DMZ&lt;/P&gt;&lt;P&gt; security-level 30&lt;/P&gt;&lt;P&gt; ip address 10.111.114.1 255.255.255.0&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;object network obj-10.111.114.25&lt;/P&gt;&lt;P&gt;nat (DMZ,outside) static x.x.86.21&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;route outside 0.0.0.0 0.0.0.0 x.x.86.1 1 &lt;/P&gt;&lt;P&gt;route standby 0.0.0.0 0.0.0.0 x.x.218.133 20&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt; &lt;IMG src="http://supportforums.cisco.com/sites/default/files/legacy/2/1/0/169012-ASA.png" class="jive-image" /&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 05 Dec 2013 18:21:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352641#M307701</guid>
      <dc:creator>Anukalp S</dc:creator>
      <dc:date>2013-12-05T18:21:31Z</dc:date>
    </item>
    <item>
      <title>Re: rpf check</title>
      <link>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352642#M307703</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Ok,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Now I see the problem.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I guess the problem comes from the fact that the ASA has both of these networks as connected and the Wifi device is outside the ASA. When the Wifi user tries to form the connection, the connection comes to the Wifi ISP Router and routes back through the other ISP connection and arrives at the ASA, at which point the ASA blocks the connection as it sees the connection attempt arrive on one ISP interface while the source IP address belongs to the other ISP link. So it's not expecting that traffic from there.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Just wondering what the options would be.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I guess one option would be to move the Wifi Router to the other public IP address range, to the same public IP address range where the destination server is. I imagine the public IP address used on the Wifi isn't that important, so this change would probably be the easiest? Might mean modifying some access rules on the ASA if there were many connections allowed from there. Or are there servers again on the original link which Wifi users would need to access, and we would run into the same problem again?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;One solution might be moving the Wifi Router behind the ASA and NATing it to the public IP address of your choice. The required servers to which the Wifi users would need to connect could be NATed with their public NAT IP addresses towards the Wifi Router's new link/interface on the ASA, which should enable Wifi users' connectivity to the servers without problems.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Naturally the above setup (Wifi behind the ASA) would require you to either dedicate a link on the ASA to the WAN link of the Wifi Router OR you could connect the Wifi Router WAN to some internal switch with a new Vlan ID and bring that Vlan ID to the ASA with a Trunk. I am not sure if you have any existing Trunk interface to the ASA.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- Jouni&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 05 Dec 2013 19:17:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352642#M307703</guid>
      <dc:creator>Jouni Forss</dc:creator>
      <dc:date>2013-12-05T19:17:20Z</dc:date>
    </item>
    <item>
      <title>rpf check</title>
      <link>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352643#M307705</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Jouni.. Yes, that is the same problem occurring as you stated &amp;amp; suspected above. But the server IP pool is fully occupied and I can't move the server over to the other ISP pool as it has a public DNS entry. Also I can't move wifi over to the same IP pool to which the server is NATted, as that IP pool is exhausted.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As you said, we could move wifi behind the ASA and do NAT/PAT. I don't have a trunk interface configured. But I have the management port free, which I could use to connect wifi. I guess wifi over the mgmt port would definitely work. What do you have to say, Jouni?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Apart from these, could there not be any other solutions? See if we could do something on the Internet router.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 05 Dec 2013 19:37:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352643#M307705</guid>
      <dc:creator>Anukalp S</dc:creator>
      <dc:date>2013-12-05T19:37:37Z</dc:date>
    </item>
    <item>
      <title>rpf check</title>
      <link>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352644#M307707</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I guess the Management interface could do on the ASA model you are using. I presume by your interface types that you are using an ASA5510 perhaps.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You just have to remove the &lt;STRONG&gt;"management-only"&lt;/STRONG&gt; configuration from the Management interface for it to be able to pass data traffic.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I would personally probably do it so that I would move the Wifi Router behind the ASA. It would seem like the simplest solution without having to tamper with the rest of the network.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- Jouni&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 06 Dec 2013 12:06:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352644#M307707</guid>
      <dc:creator>Jouni Forss</dc:creator>
      <dc:date>2013-12-06T12:06:11Z</dc:date>
    </item>
    <item>
      <title>rpf check</title>
      <link>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352645#M307708</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for the help, Jouni.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 07 Dec 2013 15:29:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/rpf-check/m-p/2352645#M307708</guid>
      <dc:creator>Anukalp S</dc:creator>
      <dc:date>2013-12-07T15:29:34Z</dc:date>
    </item>
  </channel>
</rss>