topic Re:Deny TCP/ICMP Reverse Path Check on interface inside in Network Security

Deny TCP/ICMP Reverse Path Check on interface inside

Anup Sasikumar — Tue, 12 Mar 2019 00:33:22 GMT

Hi all,

I was trying to take access of a Switch at the remote site from outside using interface VLAN 10 IP Y.Y.Y.Y

The public IP at my location is X.X.X.X

I could see logs on PIX on remote site mentioning that

Deny TCP/ICMP Reverse Path Check from X.X.X.X to Y.Y.Y.Y on interface inside

Deny TCP/ICMP Reverse Path Check from Y.Y.Y.Y to X.X.X.X on interface inside

and I am not able to get connected.

Upon searching the configuration , it was found that reverse path verifcation is enabled on both outside and inside

Also it was noted from the ARP table that ARP entry exists for Y.Y.Y.Y and is learned on the outside interface of PIX.

The issue started happening when IP routing was enabled on SW2.

Being a Web Server /DB Server environment , Is it safe to disable Reverse path verification on inside interface ?

Or should I be checking in detail the routes configured on PIX ?

Thanks,

Anup

Deny TCP/ICMP Reverse Path Check on interface inside

andrew.prince — Thu, 06 Dec 2012 12:07:09 GMT

reverse path checking explains itself, if the ASA recevies a packet on and interface and the ASA's routing table has that subnet/route on another interface - reverse path checking will drop it.

Check all of your routing.

Deny TCP/ICMP Reverse Path Check on interface inside

reachabdulla — Thu, 06 Dec 2012 13:02:35 GMT

Hi Anup.

I would suggest the following:

-Do not disable Reverse path verification.

-Disable 'ip routing' on switch SW2 by using 'no ip routing' command. (I presume SW1 has its routing diabled).

-Configure the following on SW2:

interface vlan 10

ip add Y.Y.Y.Y m.m.m.m.m (where Y.Y.Y.Y is as the same subnet as 1.1.1.1, and m.m.m.m is the mask)

no shut

ip default-gateway 1.1.1.1

Now you should be able to connect.

Deny TCP/ICMP Reverse Path Check on interface inside

julomban — Thu, 06 Dec 2012 13:07:08 GMT

Anup,

You can disable the reverse path command from the interface if you know is trsuted but at the end it is better to fix your routing problem to avoid problems in the future.

Regards,

Juan Lombana

Please rate helpful posts.

Re:Deny TCP/ICMP Reverse Path Check on interface inside

Anup Sasikumar — Tue, 11 Dec 2012 13:49:13 GMT

I have lost access to the switch using VLAN IP from outside after enabling IP routing . Can it be because of the Reverse path check is denying the traffic? I tried disabling the ip routing ,but still I am unable to restore connectivity to the swutch from outside. Would reconfiguring the interface VLAN IP work ?

Sent from Cisco Technical Support Android App

Deny TCP/ICMP Reverse Path Check on interface inside

Peter Koltl — Tue, 11 Dec 2012 21:36:34 GMT

If you want it to remain secure, don't add an external IP to the switches. They should have an internal IP and be accessed via firewall NAT.

Re:Deny TCP/ICMP Reverse Path Check on interface inside

Anup Sasikumar — Wed, 12 Dec 2012 11:48:27 GMT

Hi,

Can it be that after enabling IP routing , the default -gateway configurations are not relavant anymore , that I lost access from outside ? But even after disabling IP routing I am not able to restore access 😞

Thanks,

Anup