Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
846
Views
0
Helpful
3
Replies

RPF-Check on ASA 5520 8.0 code

JohnTylerPearce
Level 7
Level 7

‎12-28-2011 12:39 PM - edited ‎03-11-2019 03:07 PM

Hey, I'm having an issue accessing a box via ssh which goes through an ASA. The proper security is in place, but while doing the packet-tracer I notice that it is failing on the rpf-check. The router does have a route back to the source ip address but it goes through a different interface than which it came in on. I cannot change this, because it would take down an important part of the network. Also, I know this sounds like a stupid question, but is there a way to see if the ASA is running CEF, because I don't think it is. From the looks of it, my only option is to turn off the rpc-check on the outside interface. Is there a way I can exclude a specific IP from having to match the RPF check? I saw where the command 'ip verify unicast reverse-path' will match equal cost paths back to the source ip address, but that's only for CEF enabled devices, from what I read in the ASA configuration guide.

Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎12-28-2011 10:51 PM

Hello John Tyler,

As soon as you have the RPF check enabled you cannot exclude a specific ip address to do not be inspected based on this, so if that is a requirement you cannot have the RPF check enabled on that interface.

I think I have read that CEF is enabled by default, and there is a command to check it, I will look it for you.

Now just to let you know remember that the ASA statefully inspects the TCP protocol so if the packets are not taking the same way you might need to configure TCP-state bypass to allow this communication.

Anyway try it without the RPF and let me know the result.

Do rate helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

JohnTylerPearce
Level 7
Level 7
In response to Julio Carvajal

‎12-29-2011 09:28 AM

Im off for several days ill give that a try when I get back and let u know

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to JohnTylerPearce

‎12-29-2011 09:37 AM

Hello,

Sure,

Let me know

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card