2988 Views · 0 Helpful · 7 Replies

cisco asa Deny TCP reverse path check from

mmercaldieze
Level 1

On my Cisco ASA 5520 we are getting the following message:

 Deny TCP reverse path check from ip_address_from_external_vendor to dmz_ip_address on interface inside

The DMZ IP address is definitely on the DMZ interface.

The IP address from the external vendor is only listed as part of a network object group.

That network object group is only part of an ACL that is applied on the inside part of the outside interface.

Any reason why I would be getting this error message if this address should not even be touching the inside interface?

7 Replies

alessandro.s
Level 1

Hi,

This indicates that you have unicast reverse path forwarding enabled on the inside interface (via the `ip verify reverse-path interface inside` command). The traffic from 'ip_address_from_external_vendor' is trying to reach 'dmz_ip_address' passing through the inside interface, and you don't have a proper route configured to reach 'ip_address_from_external_vendor' via the same interface.

My advice is not to disable unicast RPF, as it is a good practice, but to check the routing between 'ip_address_from_external_vendor' and 'dmz_ip_address'.

Hope this helps.

Regards,

Alessandro

Well, I did try to add the following route:

external vendor IP: 1.1.1.1

DMZ IP: 2.2.2.2

route 1.1.1.1 255.255.255.255 2.2.2.2 and that did not work. Other than that, I am not seeing 1.1.1.1 in the routing table.

The route you inserted is not correct; the correct form is:

route [interface] [destination_address] [destination_mask] [gateway]

So, in your case, it would be:

route inside 1.1.1.1 255.255.255.255 [gateway]

where [gateway] is the IP address through which you reach 1.1.1.1.

The IP address of [gateway] must be on the same subnet as the ASA's inside interface address.
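To make the reverse-path check and the `route` syntax above concrete, here is an added Python model of what the ASA does; it is not code from this thread or from Cisco. It parses `route <interface> <destination> <mask> <gateway>` lines into a table, finds the longest-prefix match for a packet's source address, and passes the uRPF check only when that route's interface is the interface the packet arrived on. The connected subnets and the default route via outside are constructed sample values; 1.1.1.1, 2.2.2.2 and 3.3.3.3 are the placeholder addresses used in the thread.

```python
import ipaddress

# Constructed sample: connected subnets per ASA interface (assumed, not the
# poster's real config). 2.2.2.0/24 and 3.3.3.0/24 follow the thread's placeholders.
CONNECTED = {
    "inside": "3.3.3.0/24",
    "dmz": "2.2.2.0/24",
    "outside": "198.51.100.0/24",
}

# Constructed sample static routes in ASA syntax:
#   route <interface> <destination> <mask> <gateway> [metric]
SAMPLE_ROUTES = """
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route inside 10.10.0.0 255.255.0.0 3.3.3.254 1
"""


def validate_route(line, connected=CONNECTED):
    """Check one 'route' statement: the interface must exist and the gateway
    must sit on that interface's connected subnet. Returns (ok, reason)."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route" or parts[1] not in connected:
        return False, "expected: route <interface> <destination> <mask> <gateway>"
    iface, dest, mask, gw = parts[1:5]
    try:
        ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gw_ip = ipaddress.ip_address(gw)
    except ValueError as exc:
        return False, f"bad address: {exc}"
    subnet = ipaddress.ip_network(connected[iface])
    if gw_ip not in subnet:
        return False, f"gateway {gw} is not on {iface} subnet {subnet}"
    return True, "ok"


def build_table(route_text, connected=CONNECTED):
    """Routing table as (interface, network) pairs: the connected subnets plus
    every static route that passes validate_route."""
    table = [(iface, ipaddress.ip_network(cidr)) for iface, cidr in connected.items()]
    for line in route_text.strip().splitlines():
        ok, _ = validate_route(line, connected)
        if not ok:
            continue
        _, iface, dest, mask = line.split()[:4]
        table.append((iface, ipaddress.ip_network(f"{dest}/{mask}", strict=False)))
    return table


def egress_interface(table, ip):
    """Longest-prefix match: the interface the ASA would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, iface) for iface, net in table if addr in net]
    return max(matches)[1] if matches else None


def rpf_check(table, src, ingress):
    """Model of 'ip verify reverse-path interface <ingress>': a packet passes
    only if the best route back to its source points out the same interface."""
    best = egress_interface(table, src)
    if best is None:
        return False, f"Deny reverse path check from {src} on interface {ingress}: no route"
    if best != ingress:
        return False, (f"Deny reverse path check from {src} on interface {ingress}: "
                       f"best route to source is via {best}")
    return True, f"{src} on {ingress}: reverse path check passed"


if __name__ == "__main__":
    table = build_table(SAMPLE_ROUTES)
    print(rpf_check(table, "1.1.1.1", "inside"))    # denied: best route is via outside
    print(rpf_check(table, "10.10.5.5", "inside"))  # passes: route points back out inside
    # The form posted earlier in the thread (no interface) and the corrected form:
    print(validate_route("route 1.1.1.1 255.255.255.255 2.2.2.2"))
    print(validate_route("route dmz 1.1.1.1 255.255.255.255 2.2.2.2"))
    # Even with that dmz route, a packet from 1.1.1.1 arriving on inside still fails.
    table2 = build_table(SAMPLE_ROUTES + "route dmz 1.1.1.1 255.255.255.255 2.2.2.2\n")
    print(rpf_check(table2, "1.1.1.1", "inside"))
```

The last case is the diagnostic point: a `route dmz 1.1.1.1 255.255.255.255 2.2.2.2` line is syntactically fine, but it makes the best path to 1.1.1.1 point at dmz, so a packet with that source arriving on inside still fails the check. Only a route whose interface matches the ingress interface (or finding out why the packet arrives on inside at all) clears the log message.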

Sorry, I meant route dmz 1.1.1.1 255.255.255.255 2.2.2.2

The gateway is the ASA itself; let's say the inside IP is 3.3.3.3.

So, I need to know something about your environment.

Which is the default gateway for the external vendor IP? Is it the ASA itself or another router/L3 switch?

If possible, talk about real addresses so I can better understand your environment.

Regards,

Alessandro


I am not sure if I understand the question. What do you mean by default gateway for the external vendor? They are coming into the firewall from a WAN address located in a different state.

So the external vendor address is a public IP address? And the external vendor is not able to reach the service in the DMZ? Can you post your ASA config?