cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
28020
Views
10
Helpful
6
Replies

Deny TCP reverse path check

bma
Level 1
Level 1

Hi I get following message from PIX ver 7.0:

PIX-1-106021: Deny TCP reverse path check from 192.168.0.150 to 192.168.0.250 on interface dmz

106021: Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding (Unicast RPF), also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your firewall.

but extraly, we have virtual ip with netscaler in the dmz, then do http://virtual ip address, from 192.168.0.150, phisical server ip is 192.168.0.250. How to fix or disable Unicast Reverse Path Forwarding? if disable, what is happend?

Thanks

ben

6 Replies 6

srue
Level 7
Level 7

look for the following command in your config:

ip verify reverse-path interface ....

Although, it'd be best to figure out what was causing the log message. Basically the message means the dmz interface received a packet with the source address matching a known inside network address.

Thanks

Because issue, people cannot access web server with virtual address.

What should be impacted if disable ip verify reverse-path?

ben

its intended as a security feature to prevent address spoofing.

should be no impact if you disable it.

sonybabu2k1
Level 1
Level 1

hi,

Try adding a static route to the source IP towards the interface through which it comes. so that a route is present for that IP.

Sony

Guys,

Need a serious help for this antispoofing issue :

Sep  6 14:19:42 vrd-swi-asa-01-pri %ASA-6-302013: Built inbound TCP  connection 25447904 for IP-PBX-WAN:10.98.2.12/49383 (10.98.2.12/49383)  to Mitel-Front:172.20.128.5/7011 (172.20.128.5/7011)

Sep  6 14:19:42 vrd-swi-asa-01-pri %ASA-6-302014: Teardown TCP  connection 25447903 for IP-PBX-WAN:10.98.2.12/49382 to  Mitel-Front:172.20.128.5/7011 duration 0:00:00 bytes 6845 TCP FINs

Sep  6 15:09:38 vrd-swi-asa-01-pri %ASA-1-106021: Deny TCP reverse path check from 10.98.2.12 to 172.40.0.1 on interface Corp-WAN

Sep  6 15:09:38 vrd-swi-asa-01-pri %ASA-1-106021: Deny TCP reverse path check from 10.98.2.12 to 172.40.0.1 on interface Corp-WAN

These are the logs of my WAN firewall..Problem here is traffic originating from 10.98.2.12 when hitting to 172.40.0.1 is getting denied, while hitting to any other destination is allowed.

I think "ip verify reverse path" check the source IP is coming from correct interface or not, here it is coming from IP-PBX-WAN for all other traffic but why not for 172.40.0.1 ?

Please suggest.

"Ip verify reverse path" checks two things:

1. is a route present for that specific source?

2. is the packet  comming on the right interface?

I would suggest to check the routing to exclude possible assymetic routing issues. If everything looks alright then it might be a real spoofing attack.

HTH

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: