
Pix Migration - Tcp reverse path check

Hi,

I have just cut over from our existing PIX 525 firewall (7.2) to an ASA 5520 (8.0). Basically I migrated the complete configuration and modified the interfaces etc.

All connections from the DMZ and outside interfaces are working fine. But the inside interface is not working. No internet access. I checked the logs and I was getting a lot of "deny tcp reverse-path check". I am not exactly sure why, but I removed the command from the ASA - "no ip verify reverse-path interface inside" - and the inside interface with all hosts started working and could browse the internet. Previously I had this command on the PIX and all was working fine. Could someone tell me what exactly is going on, and if you need to see my configuration?

Thanks

Accepted Solutions
Re: Pix Migration - Tcp reverse path check

Generally, this command is used to enable Unicast RPF; use the ip verify reverse-path command in global configuration mode. To disable this feature, use the no form of this command. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.

ip verify reverse-path interface interface_name

no ip verify reverse-path interface interface_name
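
The check described in the answer above can be modelled as a longest-prefix route lookup on the packet's source address, compared with the interface the packet arrived on. The sketch below is an added example, not part of the original thread and not Cisco code; the routing table, interface names, and addresses are constructed for illustration. It shows one situation that produces reverse-path denies on an inside interface: a source subnet with no specific route, so the lookup falls through to the default route on the outside interface.

```python
import ipaddress

# Constructed routing table (assumption): (destination prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "outside"),       # default route
    ("192.168.1.0/24", "inside"),   # directly connected inside subnet
    ("172.16.0.0/24", "dmz"),
]

def lookup(routes, addr):
    """Longest-prefix match: the interface used to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def urpf_check(routes, ingress_if, src_ip):
    """Permit only if the route back to src_ip points at the ingress interface."""
    expected_if = lookup(routes, src_ip)
    verdict = "permit" if expected_if == ingress_if else "deny"
    return verdict, expected_if

# Constructed sample packets: (ingress interface, source IP).
PACKETS = [
    ("inside", "192.168.1.10"),   # connected inside host
    ("inside", "10.20.0.5"),      # inside host behind a router, no route present
    ("outside", "198.51.100.7"),  # internet source, covered by the default route
    ("outside", "192.168.1.10"),  # inside address arriving on outside (spoofed)
]

def evaluate(routes, packets):
    """Return (ingress, source, verdict, route interface) for each packet."""
    return [(i, s) + urpf_check(routes, i, s) for i, s in packets]

if __name__ == "__main__":
    for ingress, src, verdict, via in evaluate(ROUTES, PACKETS):
        print(f"{ingress:8} {src:15} route->{via:8} {verdict}")
    # Adding a route for the missing subnet via the inside interface
    # makes the second packet pass the check.
    fixed = ROUTES + [("10.20.0.0/16", "inside")]
    print(urpf_check(fixed, "inside", "10.20.0.5"))
```
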
