
New Member

"ip verify reverse-path interface" on ASA

Hi,

I have added "ip verify reverse-path interface <interface name>" to all my interfaces on my ASA; the syslog alerts I'm getting now are:

Deny UDP reverse path check from 192.168.1.1 to 192.168.2.2 on interface DMZ2

Deny ICMP reverse path check from 192.168.1.1 to 192.168.2.2 on interface DMZ2

What exactly is happening to produce these messages since I turned on that command?

Thanks

  • Firewalling
1 REPLY
Bronze

Re: "ip verify reverse-path interface" on ASA

This command makes the ASA check the source of the packet coming in on an interface. The firewall will see if it has a route for the source of the packet and if the route is through the interface where the packet came in.

That means, if the firewall has a route for 192.168.1.0/24 on interface inside and a packet with source 192.168.1.38 comes in on interface DMZ, the ASA will block it, supposing it's spoofed.
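The check the reply describes can be modelled in a few lines, which is useful for understanding why a given log line fires. The following is an added example, not code from Cisco or from this thread: it builds a small routing table (the entries are constructed, modelled on the reply's 192.168.1.0/24-via-inside case), does a longest-prefix lookup on the packet's source address, and denies the packet when the route's interface is not the interface the packet arrived on, producing the same message form the question shows. It also parses those deny lines so a defender can see which (source, interface) pairs are tripping the check, which is usually a routing or asymmetric-path problem rather than spoofing. The function names and the treatment of a source with no route at all (denied here) are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample routing table: (prefix, egress interface).
# Modelled on the reply's example; not taken from a real ASA.
ROUTES = [
    ("192.168.1.0/24", "inside"),
    ("192.168.2.0/24", "DMZ2"),
    ("10.0.0.0/8", "DMZ"),
]


def build_table(routes: List[Tuple[str, str]]):
    """Sort routes by prefix length so the first match is the longest match."""
    parsed = [(ipaddress.ip_network(p), iface) for p, iface in routes]
    return sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(table, addr: str) -> Optional[str]:
    """Return the egress interface for addr, or None if no route covers it."""
    ip = ipaddress.ip_address(addr)
    for net, iface in table:
        if ip in net:
            return iface
    return None


def reverse_path_check(table, proto: str, src: str, dst: str,
                       ingress: str) -> Optional[str]:
    """Strict reverse-path check as the reply explains it.

    Look up the route for the *source* address; the packet passes only if
    that route points back out the interface the packet arrived on.
    Returns None when the packet is allowed, otherwise a deny message in
    the syslog form quoted in the question. A source with no route at
    all is denied here (an assumption of this example).
    """
    route_iface = lookup(table, src)
    if route_iface is not None and route_iface == ingress:
        return None
    return (f"Deny {proto} reverse path check from {src} to {dst} "
            f"on interface {ingress}")


# Pattern matching the deny lines quoted in the question.
DENY_RE = re.compile(
    r"Deny (?P<proto>\S+) reverse path check from (?P<src>\S+) "
    r"to (?P<dst>\S+) on interface (?P<iface>\S+)"
)


def parse_deny(line: str) -> Optional[dict]:
    """Extract protocol, source, destination and interface from a deny line."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def summarize_denies(lines: List[str]) -> Counter:
    """Count denies per (source, ingress interface) to spot misrouted hosts."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_deny(line)
        if d:
            counts[(d["src"], d["iface"])] += 1
    return counts


if __name__ == "__main__":
    table = build_table(ROUTES)
    # Constructed packets: the first two reproduce the question's log lines.
    packets = [
        ("UDP", "192.168.1.1", "192.168.2.2", "DMZ2"),
        ("ICMP", "192.168.1.1", "192.168.2.2", "DMZ2"),
        ("TCP", "192.168.1.38", "10.1.1.1", "inside"),   # passes: route is via inside
    ]
    logs = []
    for pkt in packets:
        msg = reverse_path_check(table, *pkt)
        print(msg or f"Allow {pkt[0]} {pkt[1]} -> {pkt[2]} on {pkt[3]}")
        if msg:
            logs.append(msg)
    print(summarize_denies(logs))
```

Running it reproduces the two deny lines from the question for 192.168.1.1 arriving on DMZ2 (the ASA's route for 192.168.1.0/24 points at inside), and shows the same source passing when it arrives on inside. In practice, a host that repeatedly appears in the summary for an interface other than its routed one is the thing to investigate: either the route is wrong, the traffic path is asymmetric, or the address really is spoofed.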
