  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 10653

Deny UDP reverse path..why

Hi, I am implementing a PIX site-to-site VPN, but in my logs I am continuously getting this message:

106021: Deny udp reverse path check from 192.168.40.1 to 255.255.255.255 on interface outside

Is this anything serious?
What could be the reason for this, and how can I stop it?

samir
Asked by: samprav
1 Solution
 
lrmoore commented:
Here's the book answer:

%PIX-1-106021: Deny protocol reverse path check from src_addr to dest_addr on interface int_name

Explanation: Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes it to be part of an attack on your PIX Firewall.

Action: This message appears when you have enabled Unicast Reverse Path Forwarding with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then PIX Firewall checks packets arriving from the outside.

PIX Firewall looks up a route based on the src_addr. If an entry is not found and a route is not defined, then this syslog message appears and the connection is dropped.

If there is a route, PIX Firewall checks which interface it corresponds to. If the packet arrived on another interface, then it is a spoof or there is an asymmetric routing environment. PIX Firewall does not support asymmetric routing (where there is more than one path to a destination).

If configured on an internal interface, PIX Firewall checks static route command statements or RIP and if the src_addr is not found, then an internal user is spoofing their address.

An attack is in progress. With this feature enabled, no user action is required. PIX Firewall repels the attack.


What does it mean and what can you do to stop it?
In your PIX configuration, you have the inside interface with a 172.x.x.x IP address and a default route outside. This source address of 192.168.40.1 has no route on the PIX, which is causing this message. If you have another router on the inside of the PIX with the 192.168.x.x addresses, simply add another route statement to the PIX:

route inside 192.168.0.0 255.255.0.0 172.24.80.32

Above is example only since I don't know the layout of your inside network.
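To make the book answer above concrete, here is an added example (written for this page, not code from the original thread or from Cisco) that models the reverse-path lookup the 106021 explanation describes and parses log lines in the format quoted in the question. The routing table, interface names, addresses and sample log lines are constructed for illustration and are not the asker's configuration; the names ROUTES, lookup_route, urpf_check, parse_106021 and summarize are chosen here. The model assumes a longest-prefix match in which the default route counts like any other prefix.

```python
"""Model of the PIX 'ip verify reverse-path' check behind syslog 106021,
plus a parser for the log line format quoted in the question.
Everything below is constructed for illustration (hypothetical addresses)."""
import ipaddress
import re
from collections import Counter

# Constructed routing table (hypothetical, not the asker's config): inside is
# 172.24.80.0/24 as in the answer above, a 192.168.0.0/16 route points inside,
# and the default route points outside. Entries are (prefix, interface).
ROUTES = [
    ("172.24.80.0/24", "inside"),
    ("192.168.0.0/16", "inside"),
    ("203.0.113.0/29", "outside"),
    ("0.0.0.0/0", "outside"),
]


def lookup_route(routes, src):
    """Longest-prefix match for src; returns the route's interface or None.
    Assumption of this model: the default route is a prefix like any other."""
    addr = ipaddress.ip_address(src)
    best_len, best_iface = -1, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface


def urpf_check(routes, src, ingress):
    """Model of 'ip verify reverse-path interface <ingress>' as the 106021
    explanation describes it: the route back to src must leave through the
    interface the packet arrived on. Returns (accepted, reason)."""
    via = lookup_route(routes, src)
    if via is None:
        return False, "no route to source"
    if via != ingress:
        return False, f"route to source is via {via}, packet arrived on {ingress}"
    return True, "reverse path matches"


# Matches both the bare form from the question and the %PIX-1- prefixed form.
LOG_RE = re.compile(
    r"(?:%PIX-1-)?106021: Deny (?P<proto>\w+) reverse path check from "
    r"(?P<src>[\d.]+) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)


def parse_106021(line):
    """Extract protocol, source, destination and ingress interface, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


# Constructed log sample in the format quoted in the question; the last line
# is a different message ID and should be ignored by the parser.
SAMPLE_LOG = [
    "106021: Deny udp reverse path check from 192.168.40.1 to 255.255.255.255 on interface outside",
    "106021: Deny udp reverse path check from 192.168.40.1 to 255.255.255.255 on interface outside",
    "%PIX-1-106021: Deny tcp reverse path check from 172.24.80.9 to 203.0.113.2 on interface outside",
    "106021: Deny udp reverse path check from 192.168.41.1 to 255.255.255.255 on interface outside",
    "106023: Deny udp src outside:192.0.2.5/67 dst inside:172.24.80.9/68 by access-group acl_out",
]


def summarize(routes, lines):
    """Count drops per (interface, source) and attach what the routing table
    says about each source, so a missing or misplaced route can be told apart
    from a source that has no business arriving on that interface."""
    counts = Counter()
    for line in lines:
        rec = parse_106021(line)
        if rec:
            counts[(rec["iface"], rec["src"])] += 1
    report = {}
    for (iface, src), n in counts.items():
        _, reason = urpf_check(routes, src, iface)
        report[(iface, src)] = (n, reason)
    return report


if __name__ == "__main__":
    for (iface, src), (n, reason) in summarize(ROUTES, SAMPLE_LOG).items():
        print(f"{iface:8} {src:16} x{n}: {reason}")
```

Run it against a real PIX syslog export by replacing SAMPLE_LOG with the file's lines and ROUTES with the output of show route; a source whose reason reads "no route to source" is the case the answer addresses with an added route statement, while a source whose route already points to a different interface than the one it arrived on is either spoofed or a sign of asymmetric routing, which the book text says the PIX does not support.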
 
lrmoore commented:
G'day, samprav
There has not been any activity on this question in 12 days.
Do you still need assistance, need more information, or have you solved your problem?
Can you close out this question?

Ways to close your questions:
http://www.apollois.com/EE/Help/Closing_Questions.htm

 
jaymealbrecht commented:
I get the same thing; however, I am seeing 192.168 private addressing hitting my internal interface that does not exist on my 10.10 network. I get 192.168.x.1, where x changes.
