12-28-2011 12:39 PM - edited 03-11-2019 03:07 PM
Hey, I'm having an issue accessing a box via SSH which goes through an ASA. The proper security is in place, but while doing the packet-tracer I notice that it is failing on the rpf-check. The router does have a route back to the source IP address, but it goes through a different interface than the one it came in on. I cannot change this, because it would take down an important part of the network. Also, I know this sounds like a stupid question, but is there a way to see if the ASA is running CEF, because I don't think it is. From the looks of it, my only option is to turn off the rpf-check on the outside interface. Is there a way I can exclude a specific IP from having to match the RPF check? I saw where the command 'ip verify unicast reverse-path' will match equal-cost paths back to the source IP address, but that's only for CEF-enabled devices, from what I read in the ASA configuration guide.
12-28-2011 10:51 PM
Hello John Tyler,
As soon as you have the RPF check enabled you cannot exclude a specific IP address from being inspected based on it, so if that is a requirement you cannot have the RPF check enabled on that interface.
I think I have read that CEF is enabled by default, and there is a command to check it; I will look it up for you.
Now, just to let you know, remember that the ASA statefully inspects the TCP protocol, so if the packets are not taking the same path you might need to configure TCP state bypass to allow this communication.
Anyway, try it without the RPF and let me know the result.
Do rate helpful posts,
Julio
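The two steps described in the reply above (dropping the RPF check on the outside interface and allowing the asymmetric TCP session through the stateful inspection), written out as an added ASA configuration example that is not from the original thread or from the poster. The addresses 192.0.2.10 (SSH client) and 198.51.100.5 (SSH server) and the object names are constructed placeholders; the bypass is deliberately scoped to that one host pair on port 22 so the rest of the traffic through the interface keeps full stateful inspection.

```text
! Scope TCP state bypass to the single asymmetric SSH flow, not the whole interface.
access-list SSH-ASYM-BYPASS extended permit tcp host 192.0.2.10 host 198.51.100.5 eq 22
!
class-map SSH-ASYM-BYPASS-CLASS
 match access-list SSH-ASYM-BYPASS
!
! Attach the bypass to the outside interface policy only; the global policy is untouched.
policy-map OUTSIDE-POLICY
 class SSH-ASYM-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass
!
service-policy OUTSIDE-POLICY interface outside
!
! Unicast RPF on the ASA is per interface and has no per-host exclusion,
! so the only way to pass this flow is to remove the check on that interface.
no ip verify reverse-path interface outside
!
! Re-run the same trace that failed before the change to confirm the flow
! now passes the rpf-check and is handled by the bypass class.
packet-tracer input outside tcp 192.0.2.10 50000 198.51.100.5 22 detailed
```

Keep the access list as tight as possible: anything matched by the bypass class is no longer tracked by the TCP normalizer, so widen it only if a second asymmetric flow genuinely needs it.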
12-29-2011 09:28 AM
I'm off for several days. I'll give that a try when I get back and let you know.
12-29-2011 09:37 AM
Hello,
Sure,
Let me know
Julio