New Member

Deny TCP reverse check message

I've got an ASA with multiple interfaces on it. I've got an inside, outside, dmz1, dmz2, and dmz3. I have a static NAT for a server in the DMZ to a global inet address on the outside via:

static (dmz1,outside) 210.x.x.10 192.168.1.1

I have a server in dmz2 and also a server in dmz3, both are trying to FTP to the server in dmz1 using the "internet" address 210.x.x.x, NOT the actual dmz address. Logs show

"Deny TCP reverse path check from 210.x.x.1 (outside ip of firewall) to 210.x.x.10 on interface outside". The default route is via the outside interface. The error seems to point to a routing issue, but I'm not sure. Should these inside hosts in the other DMZs be able to talk to the FTP by using the public IP, rather than the actual IP?

1 REPLY
Cisco Employee

Re: Deny TCP reverse check message

The syslog that you are seeing is related to the command 'ip verify reverse-path outside':

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i3.html#wp1839270

This command, when applied to an interface, will confirm that the source address SHOULD be ingressing on that interface. A packet sourced from the outside IP address (presumably what every inside host was PATed to) would not be expected to enter into the outside interface.

It is not advised to use the public IP address to access a local resource. In some situations, this may cause bad xlates to be formed on the firewall.
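As an added illustration (not code from the thread or from Cisco), the following Python models the check that `ip verify reverse-path` performs on an interface: the route back to the packet's source must point out the interface the packet arrived on. The routing table and the 210.0.0.x addresses are constructed stand-ins for the poster's masked 210.x.x.x values; the firewall's own-address rule reflects the reply's explanation rather than ASA internals.

```python
import ipaddress

# Constructed routing table for an ASA like the poster's (hypothetical prefixes).
ROUTES = [
    ("0.0.0.0/0", "outside"),        # default route via the outside interface
    ("210.0.0.0/24", "outside"),     # connected subnet on outside
    ("192.168.1.0/24", "dmz1"),      # dmz1, where the real FTP server 192.168.1.1 lives
    ("192.168.2.0/24", "dmz2"),
    ("192.168.3.0/24", "dmz3"),
    ("10.0.0.0/24", "inside"),
]

# The firewall's own interface addresses; 210.0.0.1 stands in for the outside IP.
FIREWALL_OWN = {"210.0.0.1": "outside"}


def lookup(dst):
    """Longest-prefix match: which interface would the ASA use to reach dst?"""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reverse_path_check(src, ingress):
    """Model of 'ip verify reverse-path <ingress>'.

    A packet passes only when the route back to src exits via the interface it
    entered on. A packet claiming to come from the firewall's own address is never
    expected to arrive on any interface. Returns (allowed, reason)."""
    if src in FIREWALL_OWN:
        return False, "source is the firewall's own %s address" % FIREWALL_OWN[src]
    expected = lookup(src)
    if expected == ingress:
        return True, "route to %s is via %s" % (src, ingress)
    return False, "route to %s is via %s, not %s" % (src, expected, ingress)


if __name__ == "__main__":
    # The case from the poster's syslog: source is the outside IP, arriving on outside.
    print(reverse_path_check("210.0.0.1", "outside"))
    # A dmz2 host reaching the firewall on its own interface passes.
    print(reverse_path_check("192.168.2.5", "dmz2"))
    # The same internal source seen on outside is a spoof and fails.
    print(reverse_path_check("192.168.2.5", "outside"))
```

Run it to see the denied case from the thread alongside a legitimate dmz2 flow and a spoofed internal source on outside.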
