
bma
New Member

Deny TCP reverse path check

Hi, I get the following message from PIX ver 7.0:

PIX-1-106021: Deny TCP reverse path check from 192.168.0.150 to 192.168.0.250 on interface dmz

106021: Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding (Unicast RPF), also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your firewall.

But additionally, we have a virtual IP with a NetScaler in the DMZ; we then go to http://<virtual IP address> from 192.168.0.150, and the physical server IP is 192.168.0.250. How do I fix or disable Unicast Reverse Path Forwarding? If I disable it, what happens?

Thanks

ben

6 REPLIES
Gold

Re: Deny TCP reverse path check

Look for the following command in your config:

ip verify reverse-path interface ....

It'd be best, though, to figure out what is causing the log message. Basically, the message means the DMZ interface received a packet with a source address matching a known inside network address.

bma
New Member

Re: Deny TCP reverse path check

Thanks

Because of this issue, people cannot access the web server via the virtual address.

What would be impacted if I disable ip verify reverse-path?

ben

Gold

Re: Deny TCP reverse path check

It's intended as a security feature to prevent address spoofing.

There should be no impact if you disable it.

New Member

Deny TCP reverse path check

Hi,

Try adding a static route to the source IP towards the interface through which it comes, so that a route is present for that IP.

Sony

New Member

Deny TCP reverse path check

Guys,

I need serious help with this anti-spoofing issue:

Sep  6 14:19:42 vrd-swi-asa-01-pri %ASA-6-302013: Built inbound TCP  connection 25447904 for IP-PBX-WAN:10.98.2.12/49383 (10.98.2.12/49383)  to Mitel-Front:172.20.128.5/7011 (172.20.128.5/7011)

Sep  6 14:19:42 vrd-swi-asa-01-pri %ASA-6-302014: Teardown TCP  connection 25447903 for IP-PBX-WAN:10.98.2.12/49382 to  Mitel-Front:172.20.128.5/7011 duration 0:00:00 bytes 6845 TCP FINs

Sep  6 15:09:38 vrd-swi-asa-01-pri %ASA-1-106021: Deny TCP reverse path check from 10.98.2.12 to 172.40.0.1 on interface Corp-WAN

Sep  6 15:09:38 vrd-swi-asa-01-pri %ASA-1-106021: Deny TCP reverse path check from 10.98.2.12 to 172.40.0.1 on interface Corp-WAN

These are the logs of my WAN firewall. The problem here is that traffic originating from 10.98.2.12 is denied when going to 172.40.0.1, while traffic to any other destination is allowed.

I think "ip verify reverse-path" checks whether the source IP is coming from the correct interface or not. Here it is coming from IP-PBX-WAN for all other traffic, but why not for 172.40.0.1?

Please suggest.

New Member

Deny TCP reverse path check

"ip verify reverse-path" checks two things:

1. Is a route present for that specific source?

2. Is the packet coming in on the right interface?

I would suggest checking the routing to exclude possible asymmetric routing issues. If everything looks alright, then it might be a real spoofing attack.

HTH
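The two checks described in the reply above can be reproduced offline to triage 106021 messages before deciding whether to touch ip verify reverse-path. The following is an added example, not code from the thread or from Cisco: it parses PIX/ASA 106021 lines, looks up each source address in a routing table, and labels every denial either "wrong_interface" (a route exists but points out another interface, the asymmetric-routing case the replies discuss) or "no_route" (no return route at all, the case the message text itself treats as spoofing). The routing table and the extra source 203.0.113.9 are constructed assumptions; the thread names the interfaces but not the routes behind them.

```python
"""Triage PIX/ASA 106021 'Deny ... reverse path check' messages against a routing table."""
import ipaddress
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample log lines, modelled on the messages quoted in the thread.
# The third line adds a source (203.0.113.9) that has no route at all.
SAMPLE_LOGS = [
    "Sep  6 15:09:38 vrd-swi-asa-01-pri %ASA-1-106021: Deny TCP reverse path check "
    "from 10.98.2.12 to 172.40.0.1 on interface Corp-WAN",
    "Sep  6 15:09:38 vrd-swi-asa-01-pri %ASA-1-106021: Deny TCP reverse path check "
    "from 10.98.2.12 to 172.40.0.1 on interface Corp-WAN",
    "Sep  6 15:10:01 vrd-swi-asa-01-pri %ASA-1-106021: Deny TCP reverse path check "
    "from 203.0.113.9 to 172.20.128.5 on interface Corp-WAN",
    "Sep  6 15:10:05 vrd-swi-asa-01-pri %ASA-6-302013: Built inbound TCP connection "
    "25447905 for IP-PBX-WAN:10.98.2.12/49390 (10.98.2.12/49390) "
    "to Mitel-Front:172.20.128.5/7011 (172.20.128.5/7011)",
]

# Constructed routing table (prefix -> egress interface). Assumed for the example;
# no default route is included so that unknown sources fail the first check.
ROUTES = [
    (ipaddress.ip_network("10.98.0.0/16"), "IP-PBX-WAN"),
    (ipaddress.ip_network("172.20.128.0/24"), "Mitel-Front"),
    (ipaddress.ip_network("172.40.0.0/16"), "Corp-WAN"),
]

# Matches both the PIX ("PIX-1-106021") and ASA ("%ASA-1-106021") message prefixes.
LOG_RE = re.compile(
    r"(?:%ASA|PIX)-1-106021: Deny (?P<proto>\w+) reverse path check "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)"
)


def parse_106021(line: str) -> Optional[dict]:
    """Return the fields of a 106021 message, or None for any other line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def lookup_route(src: str) -> Optional[str]:
    """Longest-prefix match of the source address; None if no route covers it."""
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(src: str, ingress: str) -> Tuple[str, Optional[str]]:
    """Apply the two uRPF checks: route present, and route points at the ingress interface."""
    expected = lookup_route(src)
    if expected is None:
        return ("no_route", None)          # check 1 fails: nothing to return traffic to
    if expected != ingress:
        return ("wrong_interface", expected)  # check 2 fails: asymmetric routing or misroute
    return ("pass", expected)


def triage(lines: List[str]) -> List[dict]:
    """Parse every 106021 line and attach the verdict and the interface the route expects."""
    findings = []
    for line in lines:
        event = parse_106021(line)
        if event is None:
            continue
        verdict, expected = urpf_check(event["src"], event["iface"])
        findings.append({**event, "verdict": verdict, "expected_iface": expected})
    return findings


def summarize(findings: List[dict]) -> Counter:
    """Count verdicts so the two failure modes can be told apart at a glance."""
    return Counter(f["verdict"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOGS)
    for f in results:
        print(f"{f['src']:>14} on {f['iface']:<12} -> {f['verdict']:<16} "
              f"(route expects: {f['expected_iface']})")
    print(dict(summarize(results)))
```

With the constructed routes, the two 10.98.2.12 denials come out as "wrong_interface" with IP-PBX-WAN as the expected interface, which matches the poster's observation that the same source passes on every other destination: the return path for 172.40.0.1 traffic is steering it in on Corp-WAN, so fixing the route (or adding the static route suggested earlier in the thread) resolves it without disabling the check. A "no_route" verdict is the one that deserves a spoofing investigation.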
