ASA5510, ip verify reverse-path

wilson_1234_2
Level 3

Per Cisco documentation:

"IP Verify Reverse-Path

Egress filtering verifies that packets destined for hosts outside the managed domain have IP source addresses verifiable by routes in the enforcing entity's local routing table. If an exiting packet does not arrive on the best return path back to the originator, then the packet is dropped and the activity is logged."

Does this mean that if the packet does not have a route in the ASA route table, either dynamic or static, it will be rejected?

For example, all remote branches use the main branch for Internet access; as long as the ASA knows the remote branch from its own route table, then the return packets will be allowed back to the branch.

Is this correct?

2 Replies

andrew.prince
Level 10

No - the below is taken from: http://www.cisco.com/en/US/docs/security/pix/pix62/command/reference/gl.html#wp1053009

The ip verify reverse-path command is a security feature that does a route lookup based on the source address. Usually, the route lookup is based on the destination address. This is why it is called reverse path forwarding. With this command enabled, packets are dropped if there is no route found for the packet or the route found does not match the interface on which the packet arrived.

The ip verify reverse-path command lets you specify which interfaces to protect from an IP spoofing attack using network ingress and egress filtering, which is described in RFC 2267. This command is disabled by default and provides Unicast Reverse Path Forwarding (Unicast RPF) functionality for the PIX Firewall.

The clear ip verify command removes ip verify commands from the configuration. Unicast RPF is a unidirectional input function that screens inbound packets arriving on an interface. Outbound packets are not screened.

Because of the danger of IP spoofing in the IP protocol, measures need to be taken to reduce this risk when possible. Unicast RPF, or reverse route lookup, prevents such manipulation under certain circumstances.

Ok,

So if I modify my statement to the below, will it be correct?

Does this mean that if the packet does not have a route in the ASA route table, either dynamic or static, with a path back to the source on the interface it arrived, it will be rejected?
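As an added illustration (not part of this thread and not Cisco code), the following Python models the lookup the quoted documentation describes: a longest-prefix route lookup on the packet's *source* address, with the packet dropped and logged if no route is found or if the route's interface is not the interface the packet arrived on. The routing table, interface names (`inside`, `outside`) and packet list are constructed for the example; the table deliberately has no default route so the "no route to source" outcome is visible.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # interface the prefix is reachable through


# Constructed sample routing table (assumed for the example, not from a real ASA).
# 10.2.0.0/16 is a remote branch reached through the outside interface,
# as in the original question. No default route is present on purpose.
ROUTES = [
    Route(ipaddress.ip_network("10.1.0.0/16"), "inside"),
    Route(ipaddress.ip_network("10.2.0.0/16"), "outside"),
]


def lookup(table, address):
    """Longest-prefix match on the given address, as a routing table would do."""
    addr = ipaddress.ip_address(address)
    best = None
    for route in table:
        if addr in route.prefix:
            if best is None or route.prefix.prefixlen > best.prefix.prefixlen:
                best = route
    return best


def urpf_check(table, src, ingress_iface):
    """Reverse-path check: route lookup keyed on the SOURCE address.

    Returns (allowed, reason). The packet passes only when a route to the
    source exists AND that route points back out the ingress interface.
    """
    route = lookup(table, src)
    if route is None:
        return False, "no route to source"
    if route.interface != ingress_iface:
        return False, f"best return path is via {route.interface}, not {ingress_iface}"
    return True, f"return path via {route.interface} matches ingress"


def screen(table, packets):
    """Apply the check to (src, ingress_iface) pairs; produce log-style lines."""
    results = []
    for src, iface in packets:
        allowed, reason = urpf_check(table, src, iface)
        verdict = "permit" if allowed else "drop"
        results.append(f"{verdict}: src={src} in={iface} ({reason})")
    return results


# Constructed sample packets: branch return traffic, a spoofed inside address
# arriving from outside, legitimate inside traffic, and an unrouted source.
PACKETS = [
    ("10.2.3.4", "outside"),
    ("10.1.5.5", "outside"),
    ("10.1.5.5", "inside"),
    ("192.168.99.1", "outside"),
]

if __name__ == "__main__":
    for line in screen(ROUTES, PACKETS):
        print(line)
```

The second packet is the case the reply is pointing at: a route to 10.1.5.5 does exist, but it points out `inside`, so a packet claiming that source on `outside` fails the check even though "the ASA knows the network". The branch return traffic passes because its route leads back out the interface it arrived on.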
