Cisco ASA-5505 denies reverse path check
08-05-2013 08:51 PM
Hi,
I am trying to gain access to a file server on our network. Nobody is able to access it and only a reboot of the switch or restarting the firewall seems to cure it for 5 minutes or so. The blocking seems to be triggered by someone from the outside trying to get access.
It appears from looking at our firewall logs (Cisco ASA-5505) that it is blocking access. I get this error in our logs:
1 | Aug 06 2013 | 10:25:12 | 192.168.100.209 | 192.168.200.2 | Deny UDP reverse path check from 192.168.100.209 to 192.168.200.2 on interface Guest |
And when I try Packet Tracer from an IP address in our network I get this:
How can I allow access to the file server?
Thanks for your help,
Dan
Labels: Remote Access
08-05-2013 09:01 PM
Hi Daniel,
You may have 'ip verify reverse-path' enabled on the interface. Disable it for now and see if that works. If that's the case, make sure you have proper routing/permissions in place. Check below for details on the command.
http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/i3.html#wp1915749
hth
MS
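Added example (not part of the original thread and not Cisco code): a Python sketch of the check behind the "Deny UDP reverse path check" message, which compares the interface a packet arrived on with the interface the routing table would use to reach its source address. The log line is the one quoted in the first post; the routing table and the interface names `inside` and `outside` are constructed assumptions, since the thread never shows the real configuration.

```python
import ipaddress
import re

# Log line quoted in the first post (ASDM log viewer columns).
LOG_LINE = ("1 | Aug 06 2013 | 10:25:12 | 192.168.100.209 | 192.168.200.2 | "
            "Deny UDP reverse path check from 192.168.100.209 to 192.168.200.2 "
            "on interface Guest |")

# Constructed routing table (assumption): network -> interface used to reach it.
ROUTES = [
    ("192.168.100.0/24", "inside"),
    ("192.168.200.0/24", "Guest"),
    ("0.0.0.0/0", "outside"),
]

RPF_RE = re.compile(
    r"Deny (?P<proto>\S+) reverse path check from (?P<src>\S+) "
    r"to (?P<dst>\S+) on interface (?P<ifc>\S+)")

def parse_rpf_deny(line):
    """Extract protocol, source, destination and ingress interface, or None."""
    m = RPF_RE.search(line)
    return m.groupdict() if m else None

def egress_interface(ip, routes):
    """Longest-prefix match: the interface used to send traffic to ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None

def explain(line, routes):
    """Re-run the reverse path check for a logged deny against a routing table."""
    ev = parse_rpf_deny(line)
    if ev is None:
        return None
    ev["route_to_src"] = egress_interface(ev["src"], routes)
    # The check passes only if the packet arrived on the interface that the
    # route back to its source address points to.
    ev["rpf_pass"] = ev["route_to_src"] == ev["ifc"]
    return ev

if __name__ == "__main__":
    r = explain(LOG_LINE, ROUTES)
    print(f"{r['src']} arrived on {r['ifc']}, route back points to "
          f"{r['route_to_src']}: {'pass' if r['rpf_pass'] else 'deny'}")
```

With the real output of `show route` substituted for the constructed table, a mismatch like this one points to a routing or cabling path that delivers the source network's traffic to the wrong firewall interface.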
08-05-2013 10:33 PM
Hi, I tried the 'no ip verify reverse-path interface interface_name' command, however access is still denied to the fileserver. I have checked the firewall for permissions and we have allowed access from the internal interface to the file share.
How should I proceed from here?
Thanks,
Dan
08-05-2013 11:05 PM
Hi, it seems that an ACL is dropping the packets from this packet trace and using guest interface:
08-06-2013 02:04 AM
Hello,
Pls post ASA configs.
Thx
MS
PS: Pls rate helpful posts.
08-06-2013 04:06 AM
Hi, I'm a bit worried about posting my ASA configs. Is there a way to get help without having to do that?
Sorry to be a pain.
Thanks,
Dan
08-06-2013 02:05 AM
Have you checked your NAT config? What does syslog show?
08-06-2013 04:08 AM
I will check that tmr at work.
Thanks for the help.
Dan
08-07-2013 12:01 AM
We had to take it out of the VLAN it was in and put it on the same network to make it accessible. Routing or the Firewall was the problem.
We have a quick fix for the time being.
Thanks guys for your help.
Dan
