ip verify reverse-path interface inside and outside???

viper1284
Level 1

I'm currently trying to troubleshoot an issue I have with my ASA5505 for my home office network. Do you guys recommend having "ip verify reverse-path interface" enable on both inside and outside? The issue I'm trying to troubleshoot is located at the link below. Let me know what you guys think.

Thanks!

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbea637

2 Replies

JORGE RODRIGUEZ
Level 10

Leo, the ip verify reverse-path interface is disabled by default. I personally recommend having this feature enabled; I have it enabled on all of our PIX515 interfaces and would do it on ASA5500s, the reason being to provide more security, even from within, on medium/large internal networks.

This is what this command does, and I quote from the link below:

Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1729583

On your other thread, have you checked the Cisco bug tools for your code? Try creating a timeline of when this issue began and what was done on the firewall or by your ISP. If this happens every 30 days, it seems to me it could be your cable modem; when you lose connectivity, have you tried rebooting the cable modem to see if the ASA re-establishes connectivity? Systematically troubleshoot the problem and narrow it down. For example, if you have a spare switch or mini hub, connect the cable modem to the hub and the ASA outside interface to the hub; when you lose connectivity, disconnect the ASA outside interface from the hub and use a laptop configured with the ASA outside interface IP and DNS IP and see if you can get out. This has to be done while the connection is disrupted. If you suspect it is the ip verify reverse-path interface, then disable it while the connection is disrupted and see if the ASA resumes connectivity, and re-enable it again when done. This way you can start eliminating suspected points of failure.

Pls rate any helpful posts!

HTH

Jorge
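To make the quoted definition concrete, here is an added example (not from the thread or from Cisco) that simulates the strict reverse-path check the ASA performs per interface: the firewall looks up the packet's source address in its routing table and drops the packet if the best route does not point back out the interface the packet arrived on. The routing table, interface names and sample packets are constructed; the last case shows why a more specific route toward another interface makes uRPF drop legitimate traffic, which is the kind of drop Jorge suggests testing for by temporarily disabling the feature.

```python
import ipaddress

# Constructed routing table (not taken from the thread): prefix -> egress interface,
# modelled on a small office firewall with an inside LAN, a DMZ and a default route.
ROUTING_TABLE = {
    "192.168.1.0/24": "inside",
    "10.10.0.0/16": "dmz",
    "0.0.0.0/0": "outside",
}


def lookup_egress(src_ip, table=ROUTING_TABLE):
    """Longest-prefix match: the interface the firewall would use to reach src_ip."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(src_ip, ingress_iface, table=ROUTING_TABLE):
    """Strict reverse-path check for one interface (ip verify reverse-path interface X).

    Returns True if the packet is allowed: the route back to its source must leave
    through the same interface it arrived on. A source with no route at all fails.
    """
    return lookup_egress(src_ip, table) == ingress_iface


def evaluate(packets, table=ROUTING_TABLE):
    """Apply the check to (src_ip, ingress_iface) pairs; returns 'permit'/'drop' per packet."""
    return [(src, iface, "permit" if urpf_check(src, iface, table) else "drop")
            for src, iface in packets]


if __name__ == "__main__":
    # Constructed sample packets: a real inside host, an attacker on the Internet
    # spoofing an inside address, a normal Internet peer, and an inside host
    # spoofing a public address (all addresses are illustrative).
    for src, iface, verdict in evaluate([
        ("192.168.1.50", "inside"),    # permit: inside address on inside
        ("192.168.1.50", "outside"),   # drop: inside address arriving from outside
        ("203.0.113.7", "outside"),    # permit: default route points to outside
        ("8.8.8.8", "inside"),         # drop: inside host spoofing a public source
    ]):
        print(f"{src:>14} via {iface:<8} -> {verdict}")

    # Failure mode: a more specific route for 203.0.113.0/24 via the DMZ
    # (e.g. a second uplink) makes legitimate packets from that net on
    # the outside interface fail the check, even though they are not spoofed.
    asymmetric = dict(ROUTING_TABLE, **{"203.0.113.0/24": "dmz"})
    print(evaluate([("203.0.113.7", "outside")], asymmetric))
```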

Jorge Rodriguez

Could this be related to hardware? Meaning a hardware issue with the ASA? I somehow think not, but I want to know what someone else has to say.
