csaxena
Cisco Employee

New Year greetings to all reading this!!

I thought of sharing something interesting with everyone. This is a feature I have explained to many of our customers and thought of sharing it here on our support forum.

Traffic handled by any network device can be classified in two ways: through-the-box traffic (forwarded by the device) and to-the-box traffic (destined for the device itself, such as management sessions). On ASA running software version 8.0 or higher, and on PIX running software 6.3, there is a particular behaviour for to-the-box traffic that I would like to share here.

Consider the setup below with sample config from ASA 8.x software:

:
ASA Version 8.x
!
:
route Outside-Primary 0.0.0.0 0.0.0.0 Y.Y.Y.254 2
route Outside-Backup 0.0.0.0 0.0.0.0 X.X.X.254 5
:

[Figure: network diagram for the setup above, csc_blog_csaxena_image2.JPG]

If we try to reach the ASA itself from the outside, we can do so through both interfaces, Outside-Primary and Outside-Backup, via SSH, HTTP, etc. This is the behaviour on ASA 8.0 (or higher) and PIX 6.3: if two default routes are configured on different interfaces with different metrics, to-the-box connections arriving on the interface of the higher-metric (inactive) route succeed as well as those arriving on the interface of the lower-metric (active) route. On ASA 7.0, a connection to the ASA that arrives on the higher-metric interface fails, while connections arriving on the lower-metric interface succeed as expected.

This behaviour is on by default. It can be disabled by enabling reverse-path verification (unicast RPF) on the interfaces concerned. Adding the following commands turns it off:

ip verify reverse-path interface Outside-Primary
ip verify reverse-path interface Outside-Backup

The commands above make the ASA verify the return path of every packet entering those interfaces against the global routing table. The 'ip verify reverse-path' command uses the global routing table, not a per-interface routing table, when making this decision: the packet's source address is looked up, and the packet is accepted only if the best (currently active) route back to that source leaves through the interface the packet arrived on. With two default routes of different metrics, only the lower-metric route is active, so a packet arriving on Outside-Backup whose source is covered only by the default route fails the check and is dropped until the primary route is withdrawn. Note that the check applies to all traffic entering the interface, through-the-box as well as to-the-box, so enable it on Outside-Backup only if nothing legitimate is expected to arrive there while the primary route is active.

Hope you find this useful.

Regards,
Chirag
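The following is an added example, not part of Chirag's post and not ASA code: a small Python model of the reverse-path check described above. It builds the active routing table from the two floating default routes in the sample config (plus one assumed connected route per outside interface), performs a longest-prefix match on the packet's source, and reports whether a to-the-box packet would be accepted with and without 'ip verify reverse-path' on the ingress interface. The next-hop and source addresses are constructed from RFC 5737 documentation ranges standing in for X.X.X.x and Y.Y.Y.x, and the treatment of a down interface (its static routes leave the table) is an assumption of the model.

```python
"""Model of the ASA reverse-path check described above.

Added example, not ASA code. Routes and addresses are constructed for
illustration; RFC 5737 ranges stand in for X.X.X.x and Y.Y.Y.x.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    interface: str
    prefix: ipaddress.IPv4Network
    next_hop: str
    metric: int


# Constructed sample routing candidates: the two floating default routes from
# the sample config, plus an assumed connected route on each outside interface.
CANDIDATE_ROUTES = [
    Route("Outside-Primary", ipaddress.ip_network("0.0.0.0/0"), "198.51.100.254", 2),
    Route("Outside-Backup", ipaddress.ip_network("0.0.0.0/0"), "192.0.2.254", 5),
    Route("Outside-Primary", ipaddress.ip_network("198.51.100.0/24"), "connected", 0),
    Route("Outside-Backup", ipaddress.ip_network("192.0.2.0/24"), "connected", 0),
]

BOTH_OUTSIDE = frozenset({"Outside-Primary", "Outside-Backup"})


def active_table(routes, down=frozenset()):
    """Build the global routing table.

    Routes on a down interface are dropped (assumption: static routes are
    withdrawn when their interface goes down), and for each prefix only the
    lowest-metric candidate is installed, which is the floating-static
    behaviour that leaves the backup default route inactive.
    """
    best = {}
    for r in routes:
        if r.interface in down:
            continue
        current = best.get(r.prefix)
        if current is None or r.metric < current.metric:
            best[r.prefix] = r
    return list(best.values())


def lookup(table, addr):
    """Longest-prefix match for addr against the active table (None if no route)."""
    addr = ipaddress.ip_address(addr)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def accept_to_the_box(routes, ingress, src, urpf_on=frozenset(), down=frozenset()):
    """Return True if a to-the-box packet from src arriving on ingress is accepted.

    Without reverse-path verification on the ingress interface the packet is
    accepted regardless of routing (the 8.x behaviour the post describes).
    With it, the packet passes only if the active route back to src leaves
    through the interface the packet arrived on.
    """
    if ingress not in urpf_on:
        return True
    reverse = lookup(active_table(routes, down), src)
    return reverse is not None and reverse.interface == ingress


if __name__ == "__main__":
    src = "203.0.113.10"  # constructed remote admin host, reachable only via default route
    for ingress in sorted(BOTH_OUTSIDE):
        print(ingress, "no uRPF:", accept_to_the_box(CANDIDATE_ROUTES, ingress, src))
        print(ingress, "uRPF:", accept_to_the_box(CANDIDATE_ROUTES, ingress, src, BOTH_OUTSIDE))
    print("Outside-Backup uRPF, primary down:",
          accept_to_the_box(CANDIDATE_ROUTES, "Outside-Backup", src, BOTH_OUTSIDE,
                            down=frozenset({"Outside-Primary"})))
```

Running the module shows the point of the post: with the check disabled both interfaces accept the session; with it enabled only Outside-Primary does, and Outside-Backup starts accepting the same source only once the primary route is gone. A source on the backup interface's own connected subnet still passes on Outside-Backup, because the check is against the best route for that source, not simply against the default route.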
