reverse path verify deny

manuscript1
Level 1

Hi

Getting a deny on a packet going from external to my DMZ.

We have recently added "ip reverse path verify" on the DMZ and outside interfaces of the ASA, but on no other interfaces.

I don't want to remove this command, for anti-spoofing.

The error we have is:

deny tcp reverse path check from 60.x.x.x to 10.129.1.177 on interface inside

The 60 address is the internet, the 10.129.1.177 is on the DMZ (so not sure why it's even going near the inside interface).

I understand these issues are usually routing table errors?

The relevant routing table (edited) is:

0.0.0.0 0.0.0.0 via 7.7.7.7 outside

10.0.0.0 255.0.0.0 via x.x.x.x inside

10.129.1.128 255.255.255.128 is directly connected in DMZ

Is it the generic 10.x.x.x 255.0.0.0 on the inside interface causing this? I cannot add a more specific route as the route is directly connected.

Any advice given would be great!

Thank you


1 Accepted Solution

Marvin Rhoads
Hall of Fame

Make sure the associated NAT rule is specific (i.e. no "any" interface keyword) and that a packet-tracer shows you are hitting that particular rule.

You may also need to append "route-lookup" to the rule to eliminate any confusion on the ASA's part.

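As an added illustration (not Marvin's or Cisco's configuration, and not from the original post), the two NAT rule shapes this thread describes in ASA object NAT form, plus the packet-tracer check from the accepted answer. The interface names outside/dmz/inside, the object name, the public address 203.0.113.10 and the test source 198.51.100.5 are constructed assumptions; only 10.129.1.177 comes from the thread.

```cisco
! Anti-spoofing as deployed in the thread: uRPF on the outside and dmz interfaces only.
ip verify reverse-path interface outside
ip verify reverse-path interface dmz

! The DMZ host from the thread.
object network DMZ-HOST
 host 10.129.1.177

! BEFORE (the shape the OP found): the real side of the rule names "inside".
! For an inbound packet the ASA uses the NAT rule's interface pair, not only the
! routing table, to choose the egress interface, so the flow is pushed toward inside
! (where the 10.0.0.0/8 summary route lives) instead of the directly connected dmz.
object network DMZ-HOST
 nat (inside,outside) static 203.0.113.10

! Equally risky is the "any" form Marvin warns about, which lets the ASA guess:
!  nat (any,outside) static 203.0.113.10

! AFTER (the fix the OP applied): remove the old rule and bind the translation to the
! interface the host actually sits on. Marvin's optional "route-lookup" keyword, which
! tells the ASA to pick the egress interface from the routing table rather than from the
! rule, is only available on the manual (twice) NAT form, not on object NAT shown here.
object network DMZ-HOST
 no nat (inside,outside) static 203.0.113.10
 nat (dmz,outside) static 203.0.113.10

! Verify before trusting the change: the trace must show the packet matching the
! DMZ-HOST rule with egress interface dmz, and no reverse path check drop.
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443 detailed
```

If the trace still shows an "inside" egress interface, look for another NAT rule higher in the table (show nat) that matches the same destination before the corrected one.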

2 Replies


Hi

I've worked it out, thanks for the help. The NAT rule was outside to inside but the device we were going to was on a DMZ interface, so I changed the NAT to outside to DMZ.

Regards
