Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
638
Views
5
Helpful
1
Replies

Asynchronous routing needed - but Pix logs "connection spoof"

hardware
Level 1
Level 1

‎02-04-2003 02:13 AM - edited ‎02-20-2020 10:32 PM

Hi,

we have a PIX 515 - Version 6.1(2) - in use with one external und 2 internal

interfaces.

Because of our technical structure, there are connections from outside, which go trought one internal interface in but the answers go throught the other internal interface out.

The Pix drops such connections with "Deny tcp connection spoof from X.X.X.X to Y.Y.Y.Y". First, we thought that the setting "ip verify reverse-path interface outside" was responsible. This setting was left by mistake from our old configuration. So we turned it off "no ip verify reverse-path interface outside", saved and reloaded the pix.

But the Pix continues dropping such connections.

Are there other options that generate such log entries?

(I haven't found additionals infos in the manual)

Yours

Armin Hammer

0 Helpful
1 Reply 1

shannong
Level 4
Level 4

‎02-10-2003 05:50 PM

Is it really desired that the return traffic leave on a different interface? Or is this an indirect consequence of something else?

The pix just doesn't like asymetric routing of any kind. It's ASA doesn't know how to handle it.

Creative nat and Policy routing in front of or behind the Pix can take care of routing problems so that traffic comes and goes throught the "correct" interface.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card