Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
6529
Views
0
Helpful
8
Replies

Cisco ASA-5505 denies reverse path check

Daniel Baker
Level 1
Level 1

‎08-05-2013 08:51 PM

Hi,

I aim trying to gain access to a file server on our network. Nobody is able to access it and only a reboot of the switch or restarting the filewall seems to cure it for a 5 minutes or so.  The blocking seems to be trigerd by someone form the outside trying to get access.

It apperas from looking at our firewall logs (Cisco ASA-5505) that it is  blocking access. I get his error in our logs:

1Aug 06 201310:25:12
192.168.100.209
192.168.200.2

Deny UDP reverse path check from 192.168.100.209 to 192.168.200.2 on interface Guest

And when I try Packet Tracer from a IP address in our network I get this:

blocked to file server.png

How can I allow acces to the file server ?

Thanks fo your help,

Dan

Labels:
0 Helpful
8 Replies 8

mvsheik123
Level 7
Level 7

‎08-05-2013 09:01 PM

Hi Daniel,

You may have 'ip verify reverse-path' enabled on the interface. Disable for now and see if that works. If thats the case, make sure, you have proper routing /permissions in place. Check below for details on the command..

http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/i3.html#wp1915749

hth

MS

0 Helpful

Daniel Baker
Level 1
Level 1
In response to mvsheik123

‎08-05-2013 10:33 PM

Hi I tried the  no ip verify reverse-path interface interface_name   however access is still denied to the fileserver. I have checked the firewall for permissions and we have allowed access from  the internal interface  to the file share.

How should I proceed from here?

Thanks,

Dan

0 Helpful

Daniel Baker
Level 1
Level 1
In response to mvsheik123

‎08-05-2013 11:05 PM

Hi it seems that an ACL is dropping the packets from theis packet trace and using guest interface:

0 Helpful

mvsheik123
Level 7
Level 7
In response to Daniel Baker

‎08-06-2013 02:04 AM

Hello,

Pls post ASA configs.

Thx

MS

PS: Pls rate helpful posts.

0 Helpful

Daniel Baker
Level 1
Level 1
In response to mvsheik123

‎08-06-2013 04:06 AM

Hi, Im a bit worried about posting my ASA configs. Is there a way to get help without having to do that.

Sorry to be a pain.

Thanks,

Dan

0 Helpful

Vusal Aliyev
Level 1
Level 1
In response to Daniel Baker

‎08-06-2013 02:05 AM

have you checked your nat config. What syslog shows?

CCNP, CCNA Security
0 Helpful

Daniel Baker
Level 1
Level 1
In response to Vusal Aliyev

‎08-06-2013 04:08 AM

I will check that tmr at work.

Thanks for the help.

Dan

0 Helpful

Daniel Baker
Level 1
Level 1
In response to Vusal Aliyev

‎08-07-2013 12:01 AM

We had to take it out of the VLAN it was in and put it on the same network to make it accessibale. Routing or the  Firewall was the problem.

We have a quick fix for the time being.

Thanks guys for your help.

Dan

0 Helpful
Top