Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
898
Views
0
Helpful
8
Replies

ip verify reverse-path

bfl1
Level 1
Level 1

‎05-01-2004 02:11 PM - edited ‎03-09-2019 07:15 AM

Has anyone here experienced any problems after implementing this on their firewall(s)?

Labels:
0 Helpful
8 Replies 8

jmia
Level 7
Level 7

‎05-02-2004 03:17 AM

Hello John,

I have used the anti-spoofing command 'ip verify reverse-path ' on many customer sites without any problems, one thing you need to makesure to have on your config is the default route statement for ip verify to work correctly. Have a read of the following: (Pix IOS 6.3) -

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1053009

Hope this helps and let me know how you get on.

Jay.

0 Helpful

bfl1
Level 1
Level 1
In response to jmia

‎05-02-2004 07:26 AM

Thank you for your reply... I too have used it on many firewalls without any problems, but am about to make it a policy for a large organization that has firewalls throughout the country and want to research any known problems before I do so.

thanks

0 Helpful

haroldworkman
Level 1
Level 1
In response to bfl1

‎08-05-2004 03:36 PM

Just a question to add to this Post. I am trying to impliment this command while using DHCP as my outside interface. I dont have any default routes as Im getting them from BOOTP. Problem is BootP packets are being discarded upon bootup of firewall. Only option is to delete the command, then add it once my firewall gets an ip address and default route. Is this normal?

0 Helpful

mostiguy
Level 6
Level 6
In response to haroldworkman

‎08-06-2004 05:10 AM

I experienced the same behaviour with 6.3.2. I have not tried it since.

Matt

0 Helpful

scoclayton
Level 7
Level 7
In response to mostiguy

‎08-06-2004 05:58 AM

Hey guys,

We discovered this problem to sometime back and added an exception to the ip verify revers-path to allow DHCP packets in to the PIX before a default route was added into the route table. The bug ID is CSCeb19607 - DHCP client fails with ip verify reverse-path enabled and it has been verified as fixed in 6.3(2), 6.2(3), and 6.1(5) (and later releases of each of the trains above). For the person who just reported the issue, can you verify that you are running a resolved version of code (preferably 6.3(4) if you can)? And Matt, any chance you want to re-test? I just tested 6.3(4) in my lab and it worked.

Thanks,

Scott

0 Helpful

haroldworkman
Level 1
Level 1
In response to scoclayton

‎08-06-2004 06:19 AM

Scott. thanks for the update. I dont see that bug ID. Is it a Cisco Confidential Bug?

I was running 6.3(3). I can send you a show version if youd like.

0 Helpful

scoclayton
Level 7
Level 7
In response to haroldworkman

‎08-06-2004 06:26 AM

Dang...yep, it's an internal only bug as we founf it before FCS of the PIX code. If this is a problem in the field, we need to change this ASAP so people can see it. I would go ahead and open a TAC case on this issue. Make sure you let the TAC engineer know about the bug ID - CSCeb19607 just to save some time. This should be fixed so I would guess there may be something else going on. Sorry for the problems.

Scott

0 Helpful

haroldworkman
Level 1
Level 1
In response to scoclayton

‎08-06-2004 07:42 AM

Thanks Ill go ahead and have a case opened. I am pretty certain its a problem with this command only because with the command enabled on debugging I see dhcp packets denied. Moment I turn it off I get an IP address.

0 Helpful
Customers Also Viewed These Support Documents