11-05-2015 01:31 PM - edited 03-05-2019 02:41 AM
On my Cisco ASA 5520 we are getting the following message:
Deny TCP reverse path check from ip_address_from_external_vendor to dmz_ip_address on interface inside
The DMZ IP address is definitely on the DMZ interface.
The IP address from the external vendor is only listed as part of a network object group.
That network object group is only part of an ACL that is applied on the inside part of the outside interface.
Any reason why I would be getting this error message if this address should not even be touching the inside interface?
11-08-2015 09:10 AM
Hi,
This indicates that you have unicast reverse path forwarding on the inside interface (via the ip verify reverse-path interface inside command); the traffic from 'ip_address_from_external_vendor' is trying to reach 'dmz_ip_address' passing through the inside interface, and you don't have a proper route configured to reach 'ip_address_from_external_vendor' via the same interface.
My advice is not to disable unicast RPF, as it is a good practice, but to check the routing between 'ip_address_from_external_vendor' and 'dmz_ip_address'.
Hope this helps.
Regards,
Alessandro
11-09-2015 08:55 AM
Well, I did try to do the following route:
external vendor ip: 1.1.1.1
dmz ip: 2.2.2.2
route 1.1.1.1 255.255.255.255 2.2.2.2, and that did not work. Other than that, I am not seeing 1.1.1.1 in the routing table.
11-09-2015 09:09 AM
The route you inserted is not correct; the correct form is:
route [interface] [destination_address] [destination_mask] [gateway]
So, in your case, it would be:
route inside 1.1.1.1 255.255.255.255 [gateway]
where [gateway] is the IP address through which you reach 1.1.1.1.
The IP address of [gateway] must be on the same subnet as the ASA's inside interface address.
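To make the reverse-path check concrete, here is an added Python model of the ASA's strict uRPF behaviour (ip verify reverse-path) and of the route command syntax given above; it is not code from this thread or from Cisco. The routing table, interface names and gateway addresses (203.0.113.1, 3.3.3.4, the 10.0.0.0/8 inside range) are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table in "route <interface> <destination> <mask> <gateway>" form.
# 1.1.1.1 (the vendor) is only reachable through the default route on outside.
ROUTES = [
    ("outside", "0.0.0.0/0",  "203.0.113.1"),  # default route, placeholder gateway
    ("inside",  "10.0.0.0/8", "3.3.3.3"),      # assumed inside networks
    ("dmz",     "2.2.2.0/24", "2.2.2.1"),      # assumed DMZ subnet holding 2.2.2.2
]


def lookup(routes, addr):
    """Longest-prefix match: return the egress interface for addr, or None."""
    best = None
    for iface, net, gw in routes:
        n = ip_network(net)
        if ip_address(addr) in n and (best is None or n.prefixlen > best[1].prefixlen):
            best = (iface, n, gw)
    return best[0] if best else None


def rpf_check(routes, ingress_iface, src):
    """Strict uRPF on ingress_iface: the packet passes only if the route back to
    its source address leaves through the same interface it arrived on."""
    return lookup(routes, src) == ingress_iface


def add_route(routes, iface, dest, mask, gateway):
    """Return a new table with a route appended (ASA dotted-mask syntax accepted)."""
    net = ip_network(f"{dest}/{mask}", strict=False)
    return routes + [(iface, str(net), gateway)]


if __name__ == "__main__":
    # Original symptom: 1.1.1.1 arrives on inside, but its return route is via outside.
    print("inside, no fix:", rpf_check(ROUTES, "inside", "1.1.1.1"))      # False -> denied
    # The route the poster tried (route dmz ...) does not help traffic entering on inside.
    via_dmz = add_route(ROUTES, "dmz", "1.1.1.1", "255.255.255.255", "2.2.2.2")
    print("inside, route dmz:", rpf_check(via_dmz, "inside", "1.1.1.1"))  # False
    # A route back to 1.1.1.1 through the inside interface satisfies the check.
    via_in = add_route(ROUTES, "inside", "1.1.1.1", "255.255.255.255", "3.3.3.4")
    print("inside, route inside:", rpf_check(via_in, "inside", "1.1.1.1"))  # True
```

If 1.1.1.1 genuinely should only ever enter from outside, a packet with that source showing up on inside is exactly what uRPF is meant to flag, so verifying where those packets come from is worth doing before adding any route.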
11-09-2015 09:11 AM
Sorry, I meant route dmz 1.1.1.1 255.255.255.255 2.2.2.2.
The gateway is the ASA itself; let's say the inside IP is 3.3.3.3.
11-09-2015 09:20 AM
So, I need to know something about your environment.
Which is the default gateway for the external vendor IP? Is it the ASA itself or another router/L3 switch?
If possible, talk about real addresses so I can better understand your environment.
Regards,
Alessandro
11-09-2015 10:36 AM
I am not sure if I understand the question. What do you mean by default gateway for the external vendor? They are coming into the firewall from a WAN address located in a different state.
11-09-2015 12:08 PM