Solved: Pix Migration - Tcp reverse path check

sgalloway · ‎12-10-2008

Hi,

I have just cutover from our existing Pix 525 Firewall ( 7.2 ) to a ASA 5520 ( 8.0 )Basically l migrated the complete configuration and modified the interfaces etc.

All connections from dmz and outside interfaces are working fine. But the inside interface is not working. No internet access. I checked the logs and l was getting alot of "deny tcp reverse-path check" . I am not exactly sure why but l removed the command of the asa - " no ip verify reverse-path interface inside" and the inside interface with all hosts started working and could browse internet. Previously l had this command on the PIX and all working fine. Could someone tell me what exactly is going on and if you need to see my configuration.

Thanks

didyap · ‎12-16-2008

Generaly this command is use to enable Unicast RPF, use the ip verify reverse-path command in global configuration mode. To disable this feature, use the noform of this command. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.

ip verify reverse-path interface interface_name

no ip verify reverse-path interface interface_name

View solution in original post

didyap · ‎12-16-2008

Generaly this command is use to enable Unicast RPF, use the ip verify reverse-path command in global configuration mode. To disable this feature, use the noform of this command. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.

ip verify reverse-path interface interface_name

no ip verify reverse-path interface interface_name