
Reverse Path Check

central_bank
Level 1

Hi,

I am getting the following message on my ASA: %ASA-1-106021: Deny UDP reverse path check from 192.168.1.220 to 10.192.0.249 on interface inside.

192.168.1.220 is not there in my network and I have enabled the RPF on ASA so it is obvious that it is getting blocked.

My challenge is to find out the actual source device for 192.168.1.220 and to block these logs from reflecting. I tried the following but could not succeed:

1) Applied ACL on interface in line 1 denying all traffic from 192.168.1.220 to 10.192.0.249 (Outside), but still the RPF message continues with no hits on this ACL. I am wondering if ACL comes first or RPF.

2) Connected sniffer in the vlan of Inside interface but could not get any logs for these two IPs.

3 Replies

Julio Carvajal
VIP Alumni

Hello Shivaji,

1) Yes, the route lookup happens before the ACL.

What is on the internal network? What other devices?

Any other question... Sure... Just remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

But how do I find out the actual source? 192.168.x.x is not used in my network.

I tried using Sniffer but that did not show up anything with this IP address.

Shivaji

Hello Shivaji,

I know what you mean, but if the ASA reports it, that means it is happening.

Someone is using that IP on your internal network.

Can you provide me the captures you applied on your ASA?

Any other question... Sure... Just remember to rate all of my answers.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
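
For the question asked in this thread (which device is really sending as 192.168.1.220), the useful field in a capture is the Ethernet source MAC, not the IP. The following is an added example, not part of the original posts: it assumes a capture from the inside segment saved as a classic pcap file with Ethernet framing, and the function names, MAC addresses and the 10.192.1.5 host are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def source_macs(pcap_bytes, spoofed_ip):
    """Count Ethernet source MACs of IPv4 frames whose source IP is spoofed_ip."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    want, seen, off = IPv4Address(spoofed_ip).packed, Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ethertype, l3 = frame[12:14], 14
        if ethertype == b"\x81\x00":           # 802.1Q tag: real type is 4 bytes later
            ethertype, l3 = frame[16:18], 18
        if ethertype != b"\x08\x00" or len(frame) < l3 + 20:
            continue                            # not IPv4, or truncated
        if frame[l3 + 12:l3 + 16] == want:      # IPv4 source address field
            seen[frame[6:12].hex(":")] += 1     # sender's MAC, or the last routed hop's
    return seen

# --- Constructed sample capture (not real traffic) ---
def _frame(src_mac, src_ip, dst_ip, vlan=None):
    eth = bytes.fromhex("02aabbccdd01") + bytes.fromhex(src_mac)
    eth += (b"\x81\x00" + struct.pack(">H", vlan) if vlan else b"") + b"\x08\x00"
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + b"\x00" * 8               # zeroed UDP header placeholder

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE = _pcap([
    _frame("020000000a01", "192.168.1.220", "10.192.0.249"),
    _frame("020000000a01", "192.168.1.220", "10.192.0.249", vlan=20),
    _frame("020000000b02", "10.192.1.5", "10.192.0.249"),
])

if __name__ == "__main__":
    for mac, count in source_macs(SAMPLE, "192.168.1.220").items():
        print(mac, count)
```

The MAC that comes back can then be looked up in the switch MAC address table to find the port, or identifies the router that forwarded the packet if the sender is not on the same VLAN.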