management traffic blocked cause of reverse-path check

Unanswered Question
Feb 8th, 2010

Hi all,

i have a problem with "ip verify reverse-path interface inside".

We have a very restricted admin-network, where we have the admin-interfaces of several servers, firewalls and other networkstuff. The perimeter firewall to the outside (asa5580 8.2) has also the management-interface (management-only) in this admin-network. When we than have sometimes traffic from these admin-network via another firewalll through the perimeter firewall, the traffic is blocked cause of reverse-path check.

The perimeter firewall has an interface in the admin-network and is getting those traffic on the inside interface. This traffic is blocked althrough the management-interface is management-only. Of cause i could make the perimeter firewall the admin-network firewall, but i don't like that, because our admin-network is special secured and a separate physikal infrastructure.

Is there a possibility to selectivly disable the reverse check for the admin-network or to ignore the hole managment-interface for all the routing stuff?




Internet ------ Firewall ------------- inside

                   T                      |

                   |        switches|otherfirewalls|server

                   |           T          T           T


tnx Joerg Vreemann

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
francisco_1 Mon, 02/08/2010 - 03:57

Joerg ,

If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the security appliance drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the security appliance drops the packet because the matching route (the default route) indicates the outside interface.

You can disable RPF on specfic interface if you like. Also you can route all management traffic via the management interface on the ASA if you like.

jvreemann Mon, 02/08/2010 - 04:22

Hi francisco_1,

i my case hits traffic from the admin-network the inside interface and is dropped, because the firewall expects these traffic on the management-interface.

I don't want to disable RPF on the inside interface, because i would loose a important security feature.

I also don't want to make the perimeter-firewall the default gateway for these admin-network, because the admin-network is in a highly secured zone behind two other firewalls.

greetings Joerg


This Discussion

Related Content