
"ip verify reverse-path interface" on ASA

whiteford
Level 1

Hi,

I have added the "ip verify reverse-path interface <interface name>" command to all my interfaces on my ASA; the syslog alerts I'm getting now are:

Deny UDP reverse path check from 192.168.1.1 to 192.168.2.2 on interface DMZ2

Deny ICMP reverse path check from 192.168.1.1 to 192.168.2.2 on interface DMZ2

What exactly is happening to produce these messages since I turned on that command?

Thanks

1 Reply

guibarati
Level 4

This command makes the ASA check the source of a packet coming in on an interface. The firewall will see if it has a route for the source of the packet and whether that route is through the interface where the packet came in.

That means, if the firewall has a route for 192.168.1.0/24 on interface inside and a packet with source 192.168.1.38 comes in on interface DMZ, the ASA will block it, supposing it's spoofed.
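To make the reverse-path logic concrete, here is an added Python model of the check described in the answer above. It is not code from the original thread or from Cisco: it assumes a constructed routing table in which 192.168.1.0/24 sits behind interface inside and 192.168.2.0/24 behind DMZ2, plus a default route on outside, and it assumes "ip verify reverse-path" is enabled on all three interfaces. A source address is resolved by longest-prefix match; if the matching route's interface differs from the ingress interface (or no route exists at all, which the model treats as a failure), the packet is dropped and a syslog-style line in the same format as the ones quoted in the question is produced. The model does not reproduce every ASA nuance (per-session versus per-packet checking, or how the default route is handled on each platform), only the core reverse-path lookup.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table (assumption): (prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("192.168.1.0/24", "inside"),
    ("192.168.2.0/24", "DMZ2"),
]

# Interfaces assumed to carry "ip verify reverse-path interface <name>".
URPF_INTERFACES = {"inside", "DMZ2", "outside"}


def lookup_route(src: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match on the source address.

    Returns the egress interface of the most specific matching route,
    or None when no route (not even a default) covers the address.
    """
    addr = ipaddress.ip_address(src)
    best_net = None
    best_iface = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def reverse_path_check(proto: str, src: str, dst: str, ingress: str,
                       routes=ROUTES, urpf_interfaces=URPF_INTERFACES) -> Tuple[bool, Optional[str]]:
    """Strict reverse-path check for one packet.

    Returns (allowed, message). The packet passes when the route back to its
    source points out the same interface it arrived on. A missing route is
    treated as a failure here (assumption made for this model).
    """
    if ingress not in urpf_interfaces:
        return True, None          # check not enabled on this interface
    expected = lookup_route(src, routes)
    if expected == ingress:
        return True, None
    return False, f"Deny {proto} reverse path check from {src} to {dst} on interface {ingress}"


def check_packets(packets: List[Tuple[str, str, str, str]]) -> List[str]:
    """Run the check over (proto, src, dst, ingress) tuples; return deny messages."""
    messages = []
    for proto, src, dst, ingress in packets:
        allowed, msg = reverse_path_check(proto, src, dst, ingress)
        if not allowed:
            messages.append(msg)
    return messages


# Constructed sample traffic (assumption), including the two cases from the question:
# a 192.168.1.1 source showing up on DMZ2 although its route points at inside.
SAMPLE_PACKETS = [
    ("UDP", "192.168.1.1", "192.168.2.2", "DMZ2"),    # spoofed or asymmetric: denied
    ("ICMP", "192.168.1.1", "192.168.2.2", "DMZ2"),   # same source, ICMP: denied
    ("TCP", "192.168.1.1", "192.168.2.2", "inside"),  # arrives where its route points: allowed
    ("TCP", "10.0.0.5", "192.168.2.2", "outside"),    # only the default route matches: allowed
]

if __name__ == "__main__":
    for line in check_packets(SAMPLE_PACKETS):
        print(line)
```

Running the block prints exactly the two "Deny ... reverse path check" lines from the question, while the packets that arrive on the interface their source route points to pass silently. The practical takeaway is the same one the answer gives: these messages mean either a spoofed source or an asymmetric routing path (a subnet reachable via two interfaces but routed via only one), and the fix for the latter is to correct the routing table, not to disable the check.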
