Deny TCP reverse check message

mjsully
Level 1

I've got an ASA with multiple interfaces on it. I've got an inside, outside, dmz1, dmz2, and dmz3. I have a static NAT for a server in the DMZ to a global inet address on the outside via:

static (dmz1,outside) 210.x.x.10 192.168.1.1

I have a server in dmz2 and also a server in dmz3, both are trying to FTP to the server in dmz1 using the "internet" address 210.x.x.x, NOT the actual dmz address. Logs show

"Deny TCP reverse path check from 210.x.x.1 (outside ip of firewall) to 210.x.x.10 on interface outside". The default route is via the outside interface. The error seems to point to a routing issue, but I'm not sure. Should these inside hosts in the other DMZs be able to talk to the FTP by using the public IP, rather than the actual IP?


Kevin Redmon
Cisco Employee

The syslog that you are seeing is related to the command 'ip verify reverse-path outside':

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i3.html#wp1839270

This command, when applied to an interface, will confirm that the source address SHOULD be ingressing on that interface. A packet sourced from the outside IP address (presumably what every inside host was PATed to) would not be expected to enter into the outside interface.

It is not advised to use the public IP address to access a local resource. In some situations, this may cause bad xlates to be formed on the firewall.
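To make the reply's reasoning concrete, here is an added example that models the reverse-path check the way the reply describes it: look up the route back to the packet's source, compare it with the interface the packet arrived on, and treat the firewall's own interface address as a source that should never be seen entering any interface. This is not Cisco's code and not the ASA's real implementation; the routing table, interface addresses and log line are constructed, with RFC 5737 documentation addresses (203.0.113.x, 198.51.100.x) standing in for the 210.x.x.x block in the question.

```python
"""Simulated ASA-style unicast reverse-path check, as described in the reply above.

Added example, not Cisco's code and not the ASA's actual implementation.
Every address below is constructed (RFC 5737 documentation ranges stand in
for the post's 210.x.x.x block); the table and interface names mirror the post.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed routing table: five interfaces, default route via outside.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside"),        # default route
    Route(ipaddress.ip_network("203.0.113.0/24"), "outside"),   # connected outside net
    Route(ipaddress.ip_network("192.168.1.0/24"), "dmz1"),      # FTP server's real net
    Route(ipaddress.ip_network("192.168.2.0/24"), "dmz2"),
    Route(ipaddress.ip_network("192.168.3.0/24"), "dmz3"),
    Route(ipaddress.ip_network("10.0.0.0/8"), "inside"),
]

# The firewall's own interface addresses (constructed). The outside one is the
# address the DMZ hosts are PATed to when they go through the outside NAT.
OWN_ADDRESSES: Dict[str, str] = {
    "203.0.113.1": "outside",
    "192.168.1.254": "dmz1",
    "192.168.2.254": "dmz2",
    "192.168.3.254": "dmz3",
    "10.0.0.1": "inside",
}

# Interfaces that carry 'ip verify reverse-path <ifname>'.
RPF_INTERFACES = {"outside"}


def best_route(addr: str) -> Optional[Route]:
    """Longest-prefix match for addr against ROUTES; None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in ROUTES if ip in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def reverse_path_check(src: str, ingress: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a packet with source src arriving on ingress.

    Simplification: a source equal to one of the firewall's own addresses is
    never a legitimate ingress source, which is the case the reply describes.
    """
    if ingress not in RPF_INTERFACES:
        return True, f"reverse-path check not enabled on {ingress}"
    if src in OWN_ADDRESSES:
        return False, f"source {src} is the firewall's own {OWN_ADDRESSES[src]} address"
    route = best_route(src)
    if route is None:
        return False, f"no route back to {src}"
    if route.interface != ingress:
        return False, f"route back to {src} points to {route.interface}, packet arrived on {ingress}"
    return True, f"route back to {src} is via {ingress}"


# Matches the message text quoted in the question.
LOG_RE = re.compile(
    r"Deny (?P<proto>\w+) reverse path check from (?P<src>[\d.]+) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)


def parse_rpf_deny(line: str) -> Optional[Dict[str, str]]:
    """Pull protocol, source, destination and interface out of a deny message."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def explain_log(line: str) -> str:
    """Parse a deny line and replay the check to show why it was logged."""
    fields = parse_rpf_deny(line)
    if fields is None:
        return "not a reverse-path deny message"
    allowed, reason = reverse_path_check(fields["src"], fields["iface"])
    verdict = "would pass" if allowed else "denied"
    return f"{fields['proto']} {fields['src']} -> {fields['dst']} on {fields['iface']}: {verdict} ({reason})"


if __name__ == "__main__":
    # Constructed log line in the same form as the one in the question.
    sample = "Deny TCP reverse path check from 203.0.113.1 to 203.0.113.10 on interface outside"
    print(explain_log(sample))
    # Reaching the FTP server by its real dmz1 address never involves the outside interface.
    print(reverse_path_check("192.168.2.10", "dmz2"))
```

Running `explain_log` on the constructed line reproduces the denial from the question: the source is the outside interface's own address, so no interface is a valid ingress point for it. A dmz2 or dmz3 host that connects to 192.168.1.1 directly is routed dmz2 to dmz1 and never touches the outside interface, so the check on outside is never consulted, which is the practical consequence of the reply's advice to use the local address rather than the public one.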
