Deny TCP reverse check message

Unanswered Question
Aug 13th, 2009

I've got an ASA with multiple interfaces on it. I've got an inside,outside, dmz1, dmz2,and dmz3. I have a static NAT for a server in the DMZ to a global inet address on the outside via:

static (dmz1,outside) 210.x.x.10 192.168.1.1

I have a server in dmz2 and also a server in dmz3; both are trying to FTP to the server in dmz1 using the "internet" address 210.x.x.x, NOT the actual dmz address. Logs show

"Deny TCP reverse path check from 210.x.x.1 (outside ip of firewall) to 210.x.x.10 on interface outside". The default route is via the outside interface. The error seems to point to a routing issue, but I'm not sure. Should these inside hosts in the other DMZs be able to talk to the FTP by using the public IP, rather than the actual IP?

Kevin Redmon Thu, 08/13/2009 - 17:55
Cisco Employee

The syslog that you are seeing is related to the command 'ip verify reverse-path outside':

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i3.html#wp1839270

This command, when applied to an interface, will confirm that the source address SHOULD be ingressing on that interface. A packet sourced from the outside IP address (presumably what every inside host was PATed to) would not be expected to enter into the outside interface.
It is not advised to use the public IP address to access a local resource. In some situations, this may cause bad xlates to be formed on the firewall.
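The following is an added example, not code from the thread or from Cisco: a small model of the reverse path check the answer describes, run over a routing table built from the topology in the question. It looks up the route back to a packet's source address and compares that egress interface with the interface the packet arrived on, and it treats a source equal to one of the firewall's own addresses as never expected, which is exactly the case in the quoted syslog. Apart from 192.168.1.1 and the interface names, every address is constructed; 210.0.0.1 and 210.0.0.10 stand in for the thread's 210.x.x.1 and 210.x.x.10, and the dmz2, dmz3 and inside subnets are assumptions.

```python
"""Model of the ASA 'ip verify reverse-path' check (added example, not Cisco code).

Routing table and addresses are constructed from the topology in the question;
only 192.168.1.1 and the interface names come from the thread.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address

# Constructed routing table: (prefix, egress interface). Longest prefix wins.
ROUTES: List[Tuple[IPv4Net, str]] = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),        # default route via outside
    (ipaddress.ip_network("210.0.0.0/24"), "outside"),     # assumed connected outside subnet
    (ipaddress.ip_network("192.168.1.0/24"), "dmz1"),      # the FTP server 192.168.1.1 lives here
    (ipaddress.ip_network("192.168.2.0/24"), "dmz2"),      # assumed dmz2 subnet
    (ipaddress.ip_network("192.168.3.0/24"), "dmz3"),      # assumed dmz3 subnet
    (ipaddress.ip_network("10.0.0.0/8"), "inside"),        # assumed inside subnet
]

# The firewall's own interface addresses (constructed; 210.0.0.1 = the thread's 210.x.x.1).
OWN_ADDRESSES: Dict[str, IPv4Addr] = {
    "outside": ipaddress.ip_address("210.0.0.1"),
    "dmz1": ipaddress.ip_address("192.168.1.254"),
    "dmz2": ipaddress.ip_address("192.168.2.254"),
    "dmz3": ipaddress.ip_address("192.168.3.254"),
    "inside": ipaddress.ip_address("10.0.0.1"),
}


def route_lookup(addr: IPv4Addr) -> Optional[str]:
    """Interface the firewall would use to reach `addr` (longest-prefix match)."""
    best: Optional[Tuple[IPv4Net, str]] = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reverse_path_check(src: str, ingress: str) -> bool:
    """True if a packet sourced from `src` is expected to arrive on `ingress`.

    Models the rule quoted in the answer: the route back to the source must
    point out the ingress interface, and a packet carrying one of the
    firewall's own addresses as its source is not expected on any interface.
    """
    addr = ipaddress.ip_address(src)
    if addr in OWN_ADDRESSES.values():
        return False
    return route_lookup(addr) == ingress


# Shape of the deny message quoted in the question (syslog id prefix optional).
_LOG_RE = re.compile(
    r"Deny (?P<proto>\w+) reverse path check from (?P<src>[\d.]+) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)


def explain_deny(logline: str) -> Dict[str, object]:
    """Parse a reverse-path-check deny message and report where the source
    address actually routes, so the drop can be checked against the routing
    table instead of guessed at."""
    m = _LOG_RE.search(logline)
    if not m:
        raise ValueError("not a reverse path check deny message")
    src = ipaddress.ip_address(m["src"])
    return {
        "protocol": m["proto"],
        "source": str(src),
        "destination": m["dst"],
        "ingress": m["iface"],
        "source_is_firewall_address": src in OWN_ADDRESSES.values(),
        "route_to_source_via": route_lookup(src),
        "would_pass": reverse_path_check(m["src"], m["iface"]),
    }


if __name__ == "__main__":
    # Constructed log line shaped like the one quoted in the question.
    sample = ("%ASA-1-106021: Deny TCP reverse path check from 210.0.0.1 "
              "to 210.0.0.10 on interface outside")
    for key, value in explain_deny(sample).items():
        print(f"{key}: {value}")
```

Running the block on the constructed message reports that the source is the firewall's own outside address and that the check fails, which matches the answer's explanation; a dmz2 host reaching the server at its real dmz1 address passes the check on dmz2, because the route back to 192.168.2.0/24 points out dmz2.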
