RPF-Check on ASA 5520 8.0 code

Hey, I'm having an issue accessing a box via SSH which goes through an ASA. The proper security is in place, but while doing the packet-tracer I notice that it is failing on the rpf-check. The router does have a route back to the source IP address, but it goes through a different interface than the one it came in on. I cannot change this, because it would take down an important part of the network. Also, I know this sounds like a stupid question, but is there a way to see if the ASA is running CEF, because I don't think it is. From the looks of it, my only option is to turn off the rpf-check on the outside interface. Is there a way I can exclude a specific IP from having to match the RPF check? I saw that the command 'ip verify unicast reverse-path' will match equal-cost paths back to the source IP address, but that's only for CEF-enabled devices, from what I read in the ASA configuration guide.

3 REPLIES


Hello John Tyler,

As soon as you have the RPF check enabled, you cannot exclude a specific IP address from being inspected by it, so if that is a requirement you cannot have the RPF check enabled on that interface.

I think I have read that CEF is enabled by default, and there is a command to check it; I will look it up for you.

Now, just to let you know, remember that the ASA statefully inspects the TCP protocol, so if the packets are not taking the same path you might need to configure TCP state bypass to allow this communication.

Anyway try it without the RPF and let me know the result.

Do rate helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
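The two options discussed in this thread, written out as ASA CLI, as an added example that is not part of the original post or of Julio's reply. Interface name (outside), the source host (203.0.113.10), the SSH server (192.0.2.20) and the policy/ACL names are placeholders; substitute your own. Two caveats a practitioner will want: the ASA has no CEF at all, its `ip verify reverse-path` is a per-interface uRPF check against the ASA's own routing table, which is why there is no per-host exclusion; and TCP state bypass (`set connection advanced-options tcp-state-bypass`) was introduced in ASA 8.2(1), so on 8.0 code only the first option is available without an upgrade.

```cisco
! 1. See whether uRPF is enabled, and on which interfaces
show running-config | include ip verify

! 2. Reproduce the failure before changing anything (ephemeral source port 12345 is arbitrary)
packet-tracer input outside tcp 203.0.113.10 12345 192.0.2.20 22 detailed

! Option A (works on 8.0): disable uRPF on the interface that sees the asymmetric source.
! This is all-or-nothing per interface; the check cannot be bypassed for a single host.
no ip verify reverse-path interface outside

! Option B (needs ASA 8.2(1) or later): keep uRPF off for this interface AND exempt the
! asymmetric flow from TCP state tracking, so out-of-order/one-sided segments are not dropped.
! Only the SSH flow to this one server is matched; everything else keeps full stateful inspection.
access-list TCP_BYPASS extended permit tcp host 203.0.113.10 host 192.0.2.20 eq 22
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS
policy-map OUTSIDE_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
service-policy OUTSIDE_POLICY interface outside

! 3. Re-run the trace; the RPF phase should no longer be the failing step
packet-tracer input outside tcp 203.0.113.10 12345 192.0.2.20 22 detailed
```

Scope the bypass ACL as narrowly as possible: a connection matched by it gets no TCP normalization, no application inspection and no sequence-number validation on the ASA, so it should cover only the host pair and port that genuinely take an asymmetric path.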


I'm off for several days; I'll give that a try when I get back and let you know.


Hello,

Sure,

Let me know

Julio
