Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1047
Views
5
Helpful
2
Replies

management traffic blocked cause of reverse-path check

jvreemann
Level 1
Level 1

‎02-08-2010 02:36 AM - edited ‎03-11-2019 10:06 AM

Hi all,

i have a problem with "ip verify reverse-path interface inside".

We have a very restricted admin-network, where we have the admin-interfaces of several servers, firewalls and other networkstuff. The perimeter firewall to the outside (asa5580 8.2) has also the management-interface (management-only) in this admin-network. When we than have sometimes traffic from these admin-network via another firewalll through the perimeter firewall, the traffic is blocked cause of reverse-path check.

The perimeter firewall has an interface in the admin-network and is getting those traffic on the inside interface. This traffic is blocked althrough the management-interface is management-only. Of cause i could make the perimeter firewall the admin-network firewall, but i don't like that, because our admin-network is special secured and a separate physikal infrastructure.

Is there a possibility to selectivly disable the reverse check for the admin-network or to ignore the hole managment-interface for all the routing stuff?

                  DMZ

                   |

                   |

Internet ------ Firewall ------------- inside

                   T                      |

                   |        switches|otherfirewalls|server

                   |           T          T           T

                   +-----Adminnetwork-----+-----------+

tnx Joerg Vreemann

Labels:
0 Helpful
2 Replies 2

francisco_1
Level 7
Level 7

‎02-08-2010 03:57 AM

Joerg ,

If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the security appliance drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the security appliance drops the packet because the matching route (the default route) indicates the outside interface.

You can disable RPF on specfic interface if you like. Also you can route all management traffic via the management interface on the ASA if you like.

jvreemann
Level 1
Level 1
In response to francisco_1

‎02-08-2010 04:22 AM

Hi francisco_1,

i my case hits traffic from the admin-network the inside interface and is dropped, because the firewall expects these traffic on the management-interface.

I don't want to disable RPF on the inside interface, because i would loose a important security feature.

I also don't want to make the perimeter-firewall the default gateway for these admin-network, because the admin-network is in a highly secured zone behind two other firewalls.

greetings Joerg

/msgrate.jspa?message=3015064&rating=correct

/msgrate.jspa?message=3015064&rating=correct

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card