Cisco Support Community

Asynchronous routing needed - but Pix logs "connection spoof"

Hi,

we have a PIX 515 - Version 6.1(2) - in use with one external and 2 internal interfaces.

Because of our technical structure, there are connections from outside which come in through one internal interface, but the answers go out through the other internal interface.

The PIX drops such connections with "Deny tcp connection spoof from X.X.X.X to Y.Y.Y.Y". First, we thought that the setting "ip verify reverse-path interface outside" was responsible. This setting was left over by mistake from our old configuration. So we turned it off with "no ip verify reverse-path interface outside", saved, and reloaded the PIX.

But the PIX continues dropping such connections.

Are there other options that generate such log entries?

(I haven't found additional info in the manual.)

Yours

Armin Hammer

1 REPLY

Re: Asynchronous routing needed - but Pix logs "connection spoof"

Is it really desired that the return traffic leave on a different interface? Or is this an indirect consequence of something else?

The PIX just doesn't like asymmetric routing of any kind. Its ASA doesn't know how to handle it.

Creative NAT and policy routing in front of or behind the PIX can take care of routing problems so that traffic comes and goes through the "correct" interface.
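The following Python model is an added example, not code from the original thread, from Cisco, or from the PIX itself. It shows why removing the reverse-path check did not help: reverse-path verification and the per-connection interface check are two independent tests, and the "connection spoof" denial comes from the second one, which is applied whenever a packet of an already-known flow arrives on an interface other than the one recorded when the flow was opened. The routing table, the addresses, the interface names, and the asymmetric inside topology (hosts default-routing replies toward the inside2 segment) are all constructed assumptions, as is the source-NAT workaround, which is one reading of the "creative NAT" suggested in the reply. The log text mimics the wording quoted by the poster; no syslog message IDs are claimed.

```python
import ipaddress

# Hypothetical PIX routing table (prefix -> interface); not the poster's addressing.
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): "outside",
    ipaddress.ip_network("10.1.0.0/16"): "inside1",
    ipaddress.ip_network("10.2.0.0/16"): "inside2",
}


def egress_interface(addr):
    """Longest-prefix match over ROUTES: the interface the firewall would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    return max((net.prefixlen, name) for net, name in ROUTES.items() if ip in net)[1]


def inside_return_interface(dst):
    """Constructed asymmetry behind the firewall: inside hosts reach 10.1.0.0/16
    directly on the inside1 segment but default-route everything else through a
    router on the inside2 segment, so replies to non-local addresses re-enter the
    firewall on inside2 even though the request came in via inside1."""
    local = ipaddress.ip_address(dst) in ipaddress.ip_network("10.1.0.0/16")
    return "inside1" if local else "inside2"


class StatefulFirewall:
    """Minimal model of two independent checks: per-interface reverse-path
    verification and the per-connection interface check that stateful
    inspection applies to every packet of a known flow."""

    def __init__(self, rpf_interfaces=(), snat_address=None):
        self.rpf = set(rpf_interfaces)    # interfaces with reverse-path verification on
        self.snat_address = snat_address  # optional source NAT for flows entering from outside
        self.conns = {}                   # (src, sport, dst, dport) -> (in_iface, out_iface)

    def process(self, pkt, iface):
        """Apply both checks to pkt=(src, sport, dst, dport, syn) arriving on iface.
        Returns (verdict, packet_as_forwarded_or_None)."""
        src, sport, dst, dport, syn = pkt
        # Check 1: reverse path. Consults only the routing table and the arrival interface.
        if iface in self.rpf and egress_interface(src) != iface:
            return f"Deny reverse path check from {src} to {dst} on interface {iface}", None
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        # Check 2: packets of an existing connection must use the interfaces recorded
        # when it was opened; a reply on any other interface is treated as a spoof.
        if fwd in self.conns or rev in self.conns:
            in_if, out_if = self.conns[fwd] if fwd in self.conns else self.conns[rev]
            expected = in_if if fwd in self.conns else out_if
            if iface != expected:
                return f"Deny tcp connection spoof from {src} to {dst} on interface {iface}", None
            return "permit", pkt
        if not syn:
            return f"Deny tcp (no connection) from {src} to {dst} on interface {iface}", None
        # New connection: optionally translate the source on the opening SYN (the model
        # only needs the SYN and its reply), then record both interfaces for the flow.
        if iface == "outside" and self.snat_address:
            src = self.snat_address
        self.conns[(src, sport, dst, dport)] = (iface, egress_interface(dst))
        return "permit", (src, sport, dst, dport, syn)


def run_flow(fw, client="203.0.113.5", server="10.1.0.10"):
    """Outside client opens TCP/80 to a server behind inside1; returns the
    firewall's verdict on the server's SYN/ACK, which comes back over the
    constructed inside topology (constructed addresses)."""
    verdict, out = fw.process((client, 40000, server, 80, True), "outside")
    if verdict != "permit":
        return verdict
    seen_src = out[0]  # the address the server actually replies to (NATted or not)
    reply = (server, 80, seen_src, 40000, False)
    verdict, _ = fw.process(reply, inside_return_interface(seen_src))
    return verdict


if __name__ == "__main__":
    # With and without reverse-path verification the reply is still a "connection spoof",
    # because it arrives on inside2 while the flow was sent out via inside1.
    print(run_flow(StatefulFirewall(rpf_interfaces=["outside"])))
    print(run_flow(StatefulFirewall()))
    # Source NAT to an address local to the inside1 segment pulls the reply back through
    # the interface the connection table expects.
    print(run_flow(StatefulFirewall(snat_address="10.1.255.1")))
    # The reverse-path check is a different test: an inside address arriving on outside.
    spoofed = ("10.2.0.7", 1, "10.1.0.10", 80, True)
    print(StatefulFirewall(rpf_interfaces=["outside"]).process(spoofed, "outside")[0])
```

The point of the model is the comparison of the first two runs: `ip verify reverse-path` only ever looks at the source address of a packet against the routing table for the arrival interface, so disabling it cannot affect a denial that is raised by the connection table. Only changing where the reply re-enters the firewall (here, by translating the client address into the inside1 segment; policy routing on the inside routers would achieve the same) makes the flow symmetric.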
