Query on 'ip verify reverse-path interface'

Answered Question
May 7th, 2012

Hi All,

As this command is for additional security, I'm wondering why it is disabled by 'default' on the ASA? The only reason I see is that 'interface' names are not standard (they can be named anything). If not, are there any cons to using this command?

Thanks in advance.

MS

Correct Answer by mayrojas, Mon, 05/07/2012 - 17:13

Hello,

It is an antispoofing mechanism that (if applied in all the internet routers and layer 3 devices) would prevent spoofing from scratch. The main issue is that some people have routes like 10.0.0.0 255.0.0.0 pointing to the inside when all they actually have is just a /24 network; that would make any packet with a source of 10.x coming from any interface (or the interface specified) be blocked by the ASA.

However, if you know which networks should come from which interfaces, there is no problem turning it on.

Hope it helps.

Mike

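To make the answer's point concrete, here is an added illustration (not Cisco code and not part of the original thread) that models the strict reverse-path check `ip verify reverse-path interface` performs: a packet is accepted only if the longest-prefix-match route back to its source address points out the interface it arrived on. The interface names, routes and addresses are constructed for the example; the ASA `route` lines in the comments show what each table models.

```python
"""Strict unicast RPF check, modelled on the ASA's
'ip verify reverse-path interface'.

Added example for the thread above; the routing tables, interface names
and addresses are constructed, not taken from any real device.
"""
import ipaddress


def lookup(routes, addr):
    """Longest-prefix match: return the egress interface for addr, or None.

    routes is a list of (prefix, interface_name) tuples.
    """
    ip = ipaddress.ip_address(addr)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_permits(routes, ingress_iface, src_addr):
    """Strict uRPF: pass only if the route back to the source points out the
    interface the packet came in on. Unknown sources are covered by the
    default route, so they pass only on the interface that holds it."""
    return lookup(routes, src_addr) == ingress_iface


# The situation the answer describes. Modelled ASA configuration:
#   route outside 0.0.0.0 0.0.0.0 203.0.113.1
#   route inside  10.0.0.0 255.0.0.0 10.1.1.1      <- whole 10/8 pointed inside
# although only 10.1.1.0/24 is really behind 'inside'. A branch network
# 10.2.2.0/24 is reached through a router on the DMZ (192.0.2.2) but has
# no route of its own yet.
BROAD_ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.0.0.0/8", "inside"),
    ("192.0.2.0/24", "dmz"),      # connected DMZ subnet
]

# Same topology after adding the specific route the DMZ branch needs:
#   route dmz 10.2.2.0 255.255.255.0 192.0.2.2
SPECIFIC_ROUTES = BROAD_ROUTES + [("10.2.2.0/24", "dmz")]


def demo():
    """Run the four cases a practitioner would want to see and return them."""
    results = {}
    # Legitimate branch host arriving on dmz: with only the broad 10/8 route
    # the ASA believes 10.2.2.7 lives on inside, so the packet is dropped.
    results["dmz_host_broad"] = rpf_permits(BROAD_ROUTES, "dmz", "10.2.2.7")
    # With the specific /24 toward dmz the same packet passes.
    results["dmz_host_specific"] = rpf_permits(SPECIFIC_ROUTES, "dmz", "10.2.2.7")
    # A packet claiming an inside source but arriving from the Internet is
    # the spoof the feature exists to stop: dropped.
    results["spoof_outside"] = rpf_permits(SPECIFIC_ROUTES, "outside", "10.1.1.5")
    # An ordinary Internet source on outside matches only the default route,
    # which points out outside, so it passes.
    results["internet_outside"] = rpf_permits(SPECIFIC_ROUTES, "outside", "198.51.100.9")
    return results


if __name__ == "__main__":
    for case, permitted in demo().items():
        print(f"{case:20s} -> {'permit' if permitted else 'DROP'}")
```

The first two cases are the cost the answer warns about: an over-broad route turns a legitimate flow into an RPF drop, and the fix is a correct routing table rather than disabling the check. Before enabling the feature on a production interface, walk each expected source network through this kind of lookup against the ASA's actual `show route` output.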
