ASA5510, ip verify reverse-path

Unanswered Question
Jan 12th, 2009

Per Cisco documentation:

"IP Verify Reverse-Path


Egress filtering verifies that packets destined for hosts outside the managed domain have IP source addresses verifiable by routes in the enforcing entity's local routing table. If an exiting packet does not arrive on the best return path back to the originator, then the packet is dropped and the activity is logged."


Does this mean that if the packet does not have a route in the ASA route table, either dynamic or static, it will be rejected?


For example, all remote branches use the main branch for Internet access, as long as the ASA knows the remote branch from its own route table, then the return packets will be allowed back to the branch.


Is this correct?

Overall Rating: 5 (1 ratings)

No - the below is taken from:- http://www.cisco.com/en/US/docs/security/pix/pix62/command/reference/gl.html#wp1053009


The ip verify reverse-path command is a security feature that does a route lookup based on the source address. Usually, the route lookup is based on the destination address. This is why it is called reverse path forwarding. With this command enabled, packets are dropped if there is no route found for the packet or the route found does not match the interface on which the packet arrived.


The ip verify reverse-path command lets you specify which interfaces to protect from an IP spoofing attack using network ingress and egress filtering, which is described in RFC 2267. This command is disabled by default and provides Unicast Reverse Path Forwarding (Unicast RPF) functionality for the PIX Firewall.


The clear ip verify command removes ip verify commands from the configuration. Unicast RPF is a unidirectional input function that screens inbound packets arriving on an interface. Outbound packets are not screened.


Because of the danger of IP spoofing in the IP protocol, measures need to be taken to reduce this risk when possible. Unicast RPF, or reverse route lookup, prevents such manipulation under certain circumstances.
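The check described in the quoted documentation (route lookup on the source address, drop when no route exists or the route points out a different interface), as an added example that is not part of the original thread and is not Cisco's code. It is a simplified model using longest-prefix match; the routing table, interface names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing table (assumption): (prefix, interface the route points out of).
ROUTES = [
    ("0.0.0.0/0", "outside"),       # default route toward the Internet
    ("10.1.0.0/16", "inside"),      # main-branch LAN
    ("10.2.0.0/16", "branch_wan"),  # remote branch, static or dynamic route
]

def build_table(routes):
    """Parse (prefix, interface) pairs into ip_network objects."""
    return [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

def best_route(table, addr):
    """Longest-prefix match on addr; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in table if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def urpf_check(table, src, arrival_ifc, protected):
    """Model of the reverse-path check for one inbound packet.

    protected is the set of interfaces on which the check is enabled;
    only packets arriving on those interfaces are screened.
    """
    if arrival_ifc not in protected:
        return ("permit", "reverse-path check not enabled on this interface")
    route = best_route(table, src)  # lookup on the SOURCE, not the destination
    if route is None:
        return ("drop", "no route to source")
    net, ifc = route
    if ifc != arrival_ifc:
        return ("drop", f"route {net} points to {ifc}, not {arrival_ifc}")
    return ("permit", f"route {net} matches arrival interface")

if __name__ == "__main__":
    table = build_table(ROUTES)
    protected = {"outside", "inside", "branch_wan"}
    # Constructed sample packets: (source address, arrival interface).
    samples = [
        ("10.2.5.9", "branch_wan"),   # branch host via the branch link
        ("10.1.0.5", "outside"),      # inside address seen on outside
        ("203.0.113.7", "outside"),   # Internet host, covered by default route
        ("192.168.50.1", "inside"),   # unknown prefix seen on inside
    ]
    for src, ifc in samples:
        print(src, ifc, *urpf_check(table, src, ifc, protected))
```

In this model the default route counts as a route to the source, so unknown Internet sources arriving on `outside` pass, while the same sources arriving on any other protected interface are dropped.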

wilson_1234_2 Mon, 01/12/2009 - 09:49

Ok,


So if I modify my statement to the below, it will be correct?:


Does this mean that if the packet does not have a route in the ASA route table, either dynamic or static, with a path back to the source on the interface it arrived, it will be rejected?
