topic Re: UDP reverse path check in Network Security

UDP reverse path check

robert — Mon, 11 Mar 2019 23:20:10 GMT

Hi,

ASA running 8.2(5).

When I enable ip spoofing on my network interfaces I see this getting logged:

Deny UDP reverse path check from 10.100.100.102 to 10.100.100.255 on interface SPECTRA-LAN

This is because interface SPECTRA-LAN (VLAN50) is the interface connected to the network with ip 10.100.100.0/24 but the interface do not have a ip address so it does not exist in the routing table I believe?

However interface INTERN do also belong to network 10.100.100.0/24 which also is the management interface and the default route for hosts in network 10.100.100.0/24, but has no vlan.

How do I solve this?

1. move the management0/0 to SPECTRA-LAN and give SPECTRA-LAN ip 10.100.100.1?

2. give SPECTRA-LAN a ip address in the 10.100.100.0 range?

3. or ??

My routing table and interface list is:

Current available interface(s):

DATA-BACKUP Name of interface Redundant1.10

DMZ Name of interface Redundant1.900

GUEST Name of interface Redundant1.990

HOSTING Name of interface Redundant1.100

Infrastruktur Name of interface Redundant1.20

Intern Name of interface Management0/0

OUTSIDE-BACKUP Name of interface Redundant1.998

PHONE Name of interface Redundant1.200

SPECTRA-LAN Name of interface Redundant1.50

outside Name of interface Ethernet0/3

Gateway of last resort is 1.2.3.4 to network 0.0.0.0

C 172.31.0.0 255.255.255.0 is directly connected, DMZ

S 192.168.200.46 255.255.255.255 [1/0] via 1.2.3.4, outside

S 192.168.200.47 255.255.255.255 [1/0] via 1.2.3.4, outside

S VPN-hosting 255.255.255.0 [1/0] via 192.168.200.1, outside

C 93.167.197.80 255.255.255.240 is directly connected, outside

S 10.100.110.0 255.255.255.0 [1/0] via 10.100.110.1, outside

C 10.10.10.0 255.255.255.0 is directly connected, GUEST

C 10.100.100.0 255.255.255.0 is directly connected, Intern

S 10.100.101.0 255.255.255.0 [5/0] via 10.100.100.252, Intern

S 10.100.0.0 255.255.0.0 [10/0] via 10.100.100.252, Intern

C 10.200.100.0 255.255.252.0 is directly connected, PHONE

C 10.199.1.0 255.255.255.0 is directly connected, Infrastruktur

C 10.199.0.0 255.255.255.0 is directly connected, DATA-BACKUP

C 192.168.254.0 255.255.255.0 is directly connected, HOSTING

S* 0.0.0.0 0.0.0.0 [1/0] via 1.2.3.4, outside

S 192.168.0.0 255.255.0.0 [5/0] via 192.168.254.1, HOSTING

Regards

Robert

UDP reverse path check

Jennifer Halim — Sun, 17 Jun 2012 03:49:34 GMT

The reason why you are seeing that error message is because 10.100.100.102 is connected to the wrong subnet/VLAN. It should have been connected to the Intern subnet/VLAN, however, it has incorrectly assigned/conencted to SPECTRA-LAN subnet.

Just configure 10.100.100.102 host correctly by assigning it to the correct VLAN, and you won't have that error anymore.

You can't have 2 VLANs in the same subnet.

Re: UDP reverse path check

robert — Sun, 17 Jun 2012 08:23:53 GMT

As far as I can see it is not the case where I have 2 vlans in the same subnet.

Looking in ASDM I see:

Management0/0 interface = security level 100 = Intern = native vlan (ip address 10.100.100.1)

Redundant1.50 interface = security level 100 = SPECTRA-LAN = vlan50 (no ip address)

Subnet 10.100.100.0/24 must belong to vlan50.

Redundant1 is ethernet0/0 and ethernet0/1. Configuration allows communication between interfaces with same security level. All acl policies from subnet 10.100.100.0/24 is bound to interface and acl from allows all traffic to any less secure network.

I´m currently not sure how the fysical cabling is connected, but I´ll have to look as it seems traffic from subnet 10.100.100.0/24 can come in from both management0/0 and the redundant interfaces eth0/0 + eth0/1 ??

Does this make sence at all ?

Robert

Re: UDP reverse path check

Jennifer Halim — Sun, 17 Jun 2012 10:45:12 GMT

As per your above statement, 10.100.100.0/24 belongs to native vlan (Intern), not vlan50 (SPECTRA-LAN).

Eventhough SPECTRA-LAN is not configured with any ip address, the subnet 10.100.100.0/24 can't belong to this vlan50 as it already belong to Intern (native vlan) subnet.