Hey, I'm having an issue accessing a box via SSH which goes through an ASA. The proper security is in place, but while doing the packet-tracer I notice that it is failing on the rpf-check. The router does have a route back to the source IP address, but it goes through a different interface than the one it came in on. I cannot change this, because it would take down an important part of the network. Also, I know this sounds like a stupid question, but is there a way to see if the ASA is running CEF, because I don't think it is. From the looks of it, my only option is to turn off the rpf-check on the outside interface. Is there a way I can exclude a specific IP from having to match the RPF check? I saw that the command 'ip verify unicast reverse-path' will match equal-cost paths back to the source IP address, but that's only for CEF-enabled devices, from what I read in the ASA configuration guide.
As soon as you have the RPF check enabled you cannot exclude a specific IP address from being inspected based on this, so if that is a requirement you cannot have the RPF check enabled on that interface.
I think I have read that CEF is enabled by default, and there is a command to check it; I will look it up for you.
Now, just to let you know, remember that the ASA statefully inspects the TCP protocol, so if the packets are not taking the same way you might need to configure TCP state bypass to allow this communication.
Anyway try it without the RPF and let me know the result.
Do rate helpful posts,
Julio Carvajal Senior Network Security and Core Specialist CCIE #42930, 2xCCNP, JNCIP-SEC
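As an added illustration of the two settings discussed in this reply (this is not configuration posted by either participant), the fragment below removes the RPF check only on the outside interface and scopes TCP state bypass to the single SSH flow that takes the asymmetric path, so every other flow keeps full stateful inspection. Interface names, addresses and object names are placeholders.

```cisco
! Added example (not from the original thread). Placeholder addresses:
! 198.51.100.10 = SSH client arriving on "outside", 192.0.2.20 = SSH server behind "inside".
!
! Keep the RPF check where routing is symmetric; drop it only on the
! interface whose return route points elsewhere.
ip verify reverse-path interface inside
no ip verify reverse-path interface outside
!
! Match only the one SSH flow that traverses the ASA asymmetrically.
access-list SSH_ASYM_BYPASS extended permit tcp host 198.51.100.10 host 192.0.2.20 eq 22
!
class-map SSH_ASYM_BYPASS_CLASS
 match access-list SSH_ASYM_BYPASS
!
! TCP state bypass turns off TCP sequence/state tracking for the matched
! class only, so the ASA stops dropping the half of the conversation it
! never saw the SYN for.
policy-map SSH_ASYM_BYPASS_POLICY
 class SSH_ASYM_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the asymmetric flow enters.
service-policy SSH_ASYM_BYPASS_POLICY interface outside
!
! Verify: re-run packet-tracer for the flow and confirm the RPF-CHECK phase
! no longer drops it, then check the bypass class is accumulating matches.
! packet-tracer input outside tcp 198.51.100.10 12345 192.0.2.20 22
! show service-policy interface outside
```

An interface can carry only one service-policy, so if outside already has one, add the class to that existing policy-map instead of creating a new one.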