Bruno Lopes de Souza Benchimol wrote:
> You probably can try to disable the unicast RPF feature on the ASA, i know
> how to it works on Routers but its probably pretty similar to the ASA Series
> (i also do not have one for testing... i wish i could), altough thats not
> the Best method because it Will fully disable uRPF verification.
>
> For disable uRPF you need to:
>
> * must have ip cef avaliable.
> ASA(conf)# ip cef
>
> *disable the uRPF on the desired interface:
> ASA(conf)# no ip verify unicast reverse-path
>
>
> For enhanced security you should allow only the "needed" spoofed packets to
> flow thru it... to make it properly Just set up an ACL allowing it and add
> it to the command:
> ASA(conf)# ip verify unicast reverse-path ACL
>
> I also dont really know if its goin to solve your problem because i missed
> your initial post and couldnt find it on the list anymore... you can also
> gather more information about RPF on:
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsec
> ur_c/fothersf/scfrpf.htm#wp1003369
>
> Tell me how that worked out for you.
I will try this at some stage, but for the moment we've given up a bit and will instead put squid on the inside interface instead of in a DMZ.
I _suspect_ that the Reverse Path Forward is not the problem, it's not so much that the packet is on the wrong interface, it's more that the cisco doesn't accept the lonely SYN/ACK; it doesn't see it as linked with the SYN. Having said that though, this is nonetheless still very useful advice, and I will try it and report back!
Thank you!
Received on Thu Dec 27 2007 - 18:39:35 MST
This archive was generated by hypermail pre-2.1.9 : Tue Jan 01 2008 - 12:00:02 MST