02-28-2017 09:00 AM - edited 03-12-2019 01:59 AM
Hi
I'm getting a deny on a packet going from external to my DMZ.
We have recently added "ip reverse path verify" on the DMZ and outside interfaces of the ASA, but on no other interfaces.
I don't want to remove this anti-spoofing command.
The error we have is:
deny tcp reverse path check from 60.x.x.x to 10.129.1.177 on interface inside
The 60 address is the internet, the 10.129.1.177 is on the DMZ (so not sure why it's even going near the inside interface).
I understand these issues are usually routing table errors?
The relevant (edited) routing table is:
0.0.0.0 0.0.0.0 via 7.7.7.7 outside
10.0.0.0 255.0.0.0 via x.x.x.x inside
10.129.1.128 255.255.255.128 is directly connected in DMZ
Is it the generic 10.x.x.x 255.0.0.0 on the inside interface causing this? I cannot add a more specific route as the route is directly connected.
Any advice given would be great!
Thank you
02-28-2017 06:00 PM
Make sure the associated NAT rule is specific (i.e. no "any" interface keyword) and that a packet-tracer shows you are hitting that particular rule.
You may also need to append "route-lookup" to the rule to eliminate any confusion on the ASA's part.
03-01-2017 03:23 AM
Hi
I've worked it out, thanks for the help. The NAT rule was outside to inside, but the device we were going to was on a DMZ interface, so I changed the NAT to outside to DMZ.
Regards
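The fix described in the accepted answer and in the original poster's follow-up (a NAT rule whose interface pair names the wrong real interface, corrected to the DMZ interface, then confirmed with packet-tracer) as an added configuration example. This is not configuration from the thread or from Cisco: it assumes ASA 8.3+ object NAT syntax, and every address other than 10.129.1.177 (the public mapped address 203.0.113.10, the test source 198.51.100.25) and the port numbers are constructed placeholders; the thread's real Internet source is redacted as 60.x.x.x.

```cisco
! Added example, not from the thread. ASA 8.3+ object NAT for a DMZ host
! reachable from the Internet. 203.0.113.10 is a constructed public address.

! --- Mismatched rule (the "before" state from the thread): the real interface
! is "inside", but 10.129.1.177 actually lives on "dmz". The ASA uses the NAT
! rule's interface pair to choose the egress interface, so inbound traffic is
! steered toward "inside" and trips the reverse-path check seen in the log.
object network DMZ-HOST
 host 10.129.1.177
 nat (inside,outside) static 203.0.113.10

! --- Corrected rule: the interface pair now matches where the host really is.
! Inside the object, the new nat line replaces the old one.
object network DMZ-HOST
 host 10.129.1.177
 nat (dmz,outside) static 203.0.113.10

! Optional, as suggested in the answer (assumption: accepted for the rule
! type and ASA version in use): "route-lookup" makes the ASA pick the egress
! interface from the routing table rather than from the NAT interface pair.
! nat (dmz,outside) static 203.0.113.10 route-lookup

! Reverse-path verification as described in the thread: outside and DMZ only.
ip verify reverse-path interface outside
ip verify reverse-path interface dmz

! Confirm from the CLI that an Internet-sourced packet matches the dmz rule and
! exits on "dmz". 198.51.100.25 and the ports are constructed test values.
packet-tracer input outside tcp 198.51.100.25 1025 203.0.113.10 443 detailed
```

In the packet-tracer output, the NAT phase should reference the DMZ-HOST rule with the (dmz,outside) interface pair and the final "output-interface" should be dmz; if the output interface still shows inside, the packet is matching a different, broader rule (for example one using the "any" interface keyword) and that rule is the one to tighten.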