
ASA firewall route-lookup step - does it validate source interface and IP?

Martin Jelinek
Level 1

Dear all,

It might be very easy, but I'm just wondering if the Cisco ASA firewall (running the 9.8 release, for completeness) is also somehow doing a route lookup for the source interface and IP address of the packet? I know it is done for the destination IP address, but I had the impression the same is performed for the source (as a kind of traffic validity check).

Therefore, will the ASA firewall permit traffic (with an ACL in place, of course) on an interface when the traffic arrives with a source IP address which doesn't belong there (shouldn't appear there) as per the routing table? The route table consists of static routes (nothing dynamic).

As I can see in the logs, the traffic is permitted, but what is confusing to me is the fact that the log entry shows the following (please note that source IP 10.10.10.1 belongs to SegmentA as per routing).


Log example:

x.x.x.x %ASA-6-106100  Nov 24 07:51:05  access-list segmentB_access_in permitted udp SegmentB/10.10.10.1(67) -> SegmentA/10.10.10.20(67) hit-cnt 1 first hit [0xad85a144, 0x00000000]


From the syslog message number, here is the definition:

%ASA-6-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port)(idfw_user, sg_info) interface_name/dest_address(dest_port) (idfw_user, sg_info) hit-cnt number ({first hit | number-second interval})


Thanks

Accepted Solution

It is not on by default, but you can enable the feature URPF (unicast reverse path forwarding) which implements the checks on the source (here an example from my ASA):

he1-asa1# sh run ip verify reverse-path
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface proxy
ip verify reverse-path interface mail
ip verify reverse-path interface web
ip verify reverse-path interface dns

I would consider it a best practice to have it enabled on all interfaces where no asymmetric traffic is possible. Just don't enable it on the outside if you have more than one outside interface.

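Added example (not from this thread and not Cisco's code): a small Python model of the strict reverse-path check the accepted answer describes, run over the %ASA-6-106100 line from the question. The static routing table is constructed to match the question (10.10.10.0/24 on SegmentA) and is an assumption, as is treating the default route as a valid reverse path, which is the simplification behind the "more than one outside interface" caveat above.

```python
import ipaddress
import re

# Constructed static routing table (interface, prefix) mirroring the question:
# 10.10.10.0/24 lives on SegmentA, 10.10.20.0/24 on SegmentB (assumed),
# everything else via the default route on outside (assumed).
STATIC_ROUTES = [
    ("SegmentA", "10.10.10.0/24"),
    ("SegmentB", "10.10.20.0/24"),
    ("outside", "0.0.0.0/0"),
]

# Constructed copy of the log line from the question.
SAMPLE_LINE = ("x.x.x.x %ASA-6-106100  Nov 24 07:51:05  access-list segmentB_access_in "
               "permitted udp SegmentB/10.10.10.1(67) -> SegmentA/10.10.10.20(67) "
               "hit-cnt 1 first hit [0xad85a144, 0x00000000]")

# Fields of %ASA-6-106100 as given in the syslog definition quoted above.
LOG_106100 = re.compile(
    r"%ASA-6-106100.*?access-list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+"
    r"(?P<proto>\S+)\s+(?P<in_if>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<out_if>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def route_lookup(ip, routes=STATIC_ROUTES):
    """Longest-prefix match: the interface the ASA would route `ip` out of."""
    addr = ipaddress.ip_address(ip)
    best = None
    for iface, prefix in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else None

def strict_urpf_passes(in_if, src_ip, routes=STATIC_ROUTES):
    """Strict uRPF: the route back to the source must point at the ingress interface."""
    return route_lookup(src_ip, routes) == in_if

def check_log_line(line, routes=STATIC_ROUTES):
    """Return (acl_action, urpf_ok, expected_ingress) for a 106100 line, else None."""
    m = LOG_106100.search(line)
    if not m:
        return None
    expected = route_lookup(m["src"], routes)
    return m["action"], expected == m["in_if"], expected

if __name__ == "__main__":
    action, ok, expected = check_log_line(SAMPLE_LINE)
    print(f"ACL {action}; reverse-path check {'passes' if ok else 'FAILS'} "
          f"(source belongs on {expected})")
```

With `ip verify reverse-path interface SegmentB` configured, the sample packet is dropped before the ACL is consulted, so the 106100 "permitted" line would not be logged for it at all.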

4 Replies


Makes sense.

Thanks Karsten, it seems a good explanation and most likely the fact I've been looking for.

I was wondering if this was enabled by default in the past.

Nevertheless, basically the ASA doesn't check this by default; even though it makes sense to enable it, we can't, otherwise our new DHCP concept introduced in ACI would be broken ^_^, lovely.


Thanks!

Martin

At least I am not aware of any version where it was enabled by default ...