Community Member

ASA5510, ip verify reverse-path

Per Cisco documentation:

"IP Verify Reverse-Path

Egress filtering verifies that packets destined for hosts outside the managed domain have IP source addresses verifiable by routes in the enforcing entity's local routing table. If an exiting packet does not arrive on the best return path back to the originator, then the packet is dropped and the activity is logged."

Does this mean that if the packet does not have a route in the ASA route table, either dynamic or static, it will be rejected?

For example, all remote branches use the main branch for Internet access; as long as the ASA knows the remote branch from its own route table, then the return packets will be allowed back to the branch.

Is this correct?


Re: ASA5510, ip verify reverse-path

No - the below is taken from:-

The ip verify reverse-path command is a security feature that does a route lookup based on the source address. Usually, the route lookup is based on the destination address. This is why it is called reverse path forwarding. With this command enabled, packets are dropped if there is no route found for the packet or the route found does not match the interface on which the packet arrived.

The ip verify reverse-path command lets you specify which interfaces to protect from an IP spoofing attack using network ingress and egress filtering, which is described in RFC 2267. This command is disabled by default and provides Unicast Reverse Path Forwarding (Unicast RPF) functionality for the PIX Firewall.

The clear ip verify command removes ip verify commands from the configuration. Unicast RPF is a unidirectional input function that screens inbound packets arriving on an interface. Outbound packets are not screened.

Because of the danger of IP spoofing in the IP protocol, measures need to be taken to reduce this risk when possible. Unicast RPF, or reverse route lookup, prevents such manipulation under certain circumstances.
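A simplified model of the check described in the reply above, added here as an example; it is not part of the original thread and not Cisco's implementation. The routing table, interface names (`outside`, `inside`, `branches`) and addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (prefix, interface the route points out of).
ROUTES = [
    ("0.0.0.0/0", "outside"),      # default route toward the Internet
    ("10.1.0.0/16", "inside"),     # main-branch LAN
    ("10.20.0.0/16", "branches"),  # remote branches behind a WAN interface
]


def best_route(table, address):
    """Longest-prefix match on `address`; returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(table, src_ip, arrival_iface):
    """Look up the route for the SOURCE address and compare its interface
    with the interface the packet arrived on. Inbound packets only."""
    route = best_route(table, src_ip)
    if route is None:
        return ("drop", "no route found for source")
    net, iface = route
    if iface != arrival_iface:
        return ("drop", f"route {net} points to {iface}, packet arrived on {arrival_iface}")
    return ("permit", f"route {net} matches arrival interface {arrival_iface}")


if __name__ == "__main__":
    # Constructed packets: (source address, arrival interface).
    samples = [
        ("10.20.5.9", "branches"),   # branch host on its expected interface
        ("10.20.5.9", "outside"),    # branch address arriving from the Internet side
        ("203.0.113.7", "outside"),  # Internet host, covered by the default route
        ("203.0.113.7", "inside"),   # Internet address claimed from the LAN
    ]
    for src, iface in samples:
        print(src, iface, urpf_check(ROUTES, src, iface))
    # Without a default route there is no route at all for an Internet source.
    print(urpf_check(ROUTES[1:], "203.0.113.7", "outside"))
```

Having a route is not sufficient in this model: the second and fourth samples both have a route for the source address, but it points to a different interface than the one the packet arrived on, so they are dropped.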

Community Member

Re: ASA5510, ip verify reverse-path


So if I modify my statement to the below, it will be correct?:

Does this mean that if the packet does not have a route in the ASA route table, either dynamic or static, with a path back to the source on the interface it arrived, it will be rejected?
