"ip verify reverse-path interface" on ASA

Unanswered Question
Sep 22nd, 2008

Hi,

I have added the "ip verify reverse-path interface <interface name>" command to all my interfaces on my ASA; the syslog alerts I'm getting now are:

Deny UDP reverse path check from 192.168.1.1 to 192.168.2.2 on interface DMZ2

Deny ICMP reverse path check from 192.168.1.1 to 192.168.2.2 on interface DMZ2

What exactly is happening to produce these messages since I turned on that command?

Thanks

guibarati Mon, 09/22/2008 - 06:19

This command makes the ASA check the source of the packet coming in on an interface. The firewall will see if it has a route for the source of the packet and if the route is through the interface where the packet came from.

That means, if the firewall has a route for 192.168.1.0/24 on interface inside and a packet with source 192.168.1.38 comes in on interface DMZ, the ASA will block it, supposing it's spoofed.
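Added illustration (not the poster's or Cisco's code): a small Python model of the reverse-path check described in this answer, producing the same "Deny ... reverse path check" text as the syslog lines in the question. The routing table, interface names and sample packets are constructed, and treating a source with no route at all as a failure is an assumption of the model.

```python
import ipaddress

# Constructed routing table (hypothetical): destination prefix -> egress interface
ROUTES = {
    "192.168.1.0/24": "inside",
    "192.168.2.0/24": "DMZ2",
    "10.0.0.0/8": "DMZ",
    "10.1.0.0/16": "DMZ2",
    "0.0.0.0/0": "outside",
}

def lookup_route(routes, ip):
    """Longest-prefix match for ip; returns the egress interface or None."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def reverse_path_check(routes, proto, src, dst, ingress):
    """Model of 'ip verify reverse-path interface <ingress>'.

    The SOURCE address is looked up in the routing table; the packet passes
    only if the route to that source points back out of the interface it
    arrived on. A source with no route at all fails the check (assumption).
    Returns (allowed, syslog_text); syslog_text is empty when allowed.
    """
    expected = lookup_route(routes, src)
    if expected is not None and expected == ingress:
        return True, ""
    return False, f"Deny {proto} reverse path check from {src} to {dst} on interface {ingress}"

def audit(routes, packets):
    """Run the check over (proto, src, dst, ingress) tuples; return the deny messages."""
    denies = []
    for proto, src, dst, ingress in packets:
        allowed, msg = reverse_path_check(routes, proto, src, dst, ingress)
        if not allowed:
            denies.append(msg)
    return denies

# Constructed sample traffic: (protocol, source, destination, ingress interface)
SAMPLE_PACKETS = [
    ("UDP", "192.168.1.38", "192.168.2.2", "DMZ"),      # inside prefix arriving on DMZ: denied
    ("UDP", "192.168.1.38", "192.168.2.2", "inside"),   # same source on its routed interface: ok
    ("ICMP", "10.1.2.3", "192.168.2.2", "DMZ"),         # 10.1.0.0/16 is via DMZ2, not DMZ: denied
    ("TCP", "203.0.113.5", "192.168.2.2", "outside"),   # default route points to outside: ok
]

if __name__ == "__main__":
    for line in audit(ROUTES, SAMPLE_PACKETS):
        print(line)
```

Feeding your own "show route" output into ROUTES and the source/interface pairs from the syslog lines into SAMPLE_PACKETS shows which entry the ASA matched when it produced each deny.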
