"ip verify reverse-path interface" on ASA

Sep 22nd, 2008

I have added "ip verify reverse-path interface <interface name>" to all my interfaces on my ASA; the syslog alerts I'm getting now are:

Deny UDP reverse path check from to on interface DMZ2

Deny ICMP reverse path check from to on interface DMZ2

What exactly is happening to produce these messages since I turned on that command?


guibarati Mon, 09/22/2008 - 06:19

This command makes the ASA check the source of the packet coming in an interface. The firewall will see if it has a route for the source of the packet and if the route is through the interface where the packet came from.

That means, if the firewall has a route for on interface inside and a packet with source comes in interface DMZ, the ASA will block it, supposing it's spoofed.
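The following is an added example, not part of the original thread or Cisco's code, that models the reverse-path decision described in the answer above. It assumes a small constructed routing table, a longest-prefix-match lookup, and the message text shown in the question; the real ASA also consults its connection table and other state, which this model leaves out. It also shows why the denies appear once the command is enabled: a source that is routed out a different interface (for example a host behind "inside" whose packets arrive on DMZ2 because of asymmetric routing) trips the check just as a spoofed source does, so the summary at the end groups the denies by interface and source to help tell a routing problem from suspicious traffic.

```python
"""Model of the ASA "ip verify reverse-path" (strict uRPF) check.

Added example; the routing table, interface names and packets below are
constructed for illustration and are not from the original thread.
"""
import ipaddress
import re
from collections import Counter

# Constructed routing table: (prefix, egress interface). Assumed values.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.0.0.0/8", "inside"),
    ("192.168.50.0/24", "DMZ2"),
]

def lookup(routes, address):
    """Longest-prefix match for an address; returns the egress interface or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def reverse_path_check(routes, ingress, proto, src, dst):
    """Apply the reverse-path rule to one packet.

    The packet passes only when the route back to its source points out
    the interface it arrived on. Returns (allowed, syslog_text); the text
    uses the same wording the ASA logs in the question above.
    """
    expected = lookup(routes, src)
    if expected == ingress:
        return True, None
    msg = f"Deny {proto} reverse path check from {src} to {dst} on interface {ingress}"
    return False, msg

# Constructed traffic: (ingress interface, protocol, source, destination).
PACKETS = [
    ("DMZ2", "UDP", "192.168.50.10", "10.2.3.4"),    # source lives on DMZ2: allowed
    ("DMZ2", "UDP", "10.1.1.5", "192.168.50.10"),    # inside host seen on DMZ2: denied
    ("DMZ2", "ICMP", "203.0.113.7", "192.168.50.10"),  # default route says outside: denied
    ("outside", "TCP", "203.0.113.7", "192.168.50.10"),  # arrives where it is routed: allowed
]

def run(routes=ROUTES, packets=PACKETS):
    """Return the list of deny messages produced for the packet set."""
    denies = []
    for ingress, proto, src, dst in packets:
        allowed, msg = reverse_path_check(routes, ingress, proto, src, dst)
        if not allowed:
            denies.append(msg)
    return denies

DENY_RE = re.compile(
    r"Deny (?P<proto>\S+) reverse path check from (?P<src>\S+) to (?P<dst>\S+) "
    r"on interface (?P<iface>\S+)"
)

def deny_summary(messages):
    """Count reverse-path denies per (interface, source) from syslog text.

    A source that is denied repeatedly on one interface and has a real
    route elsewhere usually points at asymmetric routing or a missing
    route rather than spoofing; both show up as the same message.
    """
    counts = Counter()
    for line in messages:
        m = DENY_RE.search(line)
        if m:
            counts[(m.group("iface"), m.group("src"))] += 1
    return counts

if __name__ == "__main__":
    msgs = run()
    for m in msgs:
        print(m)
    for (iface, src), n in sorted(deny_summary(msgs).items()):
        print(f"{iface}: {src} denied {n} time(s), routed via {lookup(ROUTES, src)}")
```

Running the block prints two deny lines for DMZ2 and, for each, the interface the ASA would actually route that source through, which is the detail the syslog message itself does not give you.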

