Turn off IP Spoof Protection? (Cisco ASA 5505)

Tommouse

Senior member
Feb 29, 2004
Is there a way to turn off the IP Spoofing protection in a Cisco ASA 5505?

I have already turned off "ip verify reverse-path", as that was blocking the traffic initially. I was getting this in the syslog: "Deny TCP reverse path check from 10.245.6.1 to 192.168.6.25 on interface inside"
Now, with that off, I get this in my syslog: "Deny IP spoof from (10.245.6.1) to 192.168.6.25 on interface inside"

For clarification the inside interface has the 10.245.6.1 IP. I know if I do turn this off I run the risk of creating a routing loop, but I'm hoping that it will get snagged by the VPN tunnel before hitting the "normal" routing table (for lack of a better term).

The short version of why the hell I would want to do such a thing is to enable Remote Access VPN at a branch office, where the AD server is located back over a VPN link. But unfortunately, when I try to specify the AD server via the inside or outside interface, they both fail to be routed properly. So I'm attempting to hairpin the traffic around with a switch (doing routing) that we have at the office to make the traffic be routed over the VPN.

Or if anyone else has an idea on how to do this, I'm all ears.

Hopefully this all makes sense :)

spidey07

No Lifer
Aug 4, 2000
It's been a while, but I don't think that you can. That would go against the entire ASA algorithm. It sounds like you need to fix the overall routing, because you shouldn't have to jump through these kinds of hoops.

It sounds like you are terminating a remote access VPN tunnel on an ASA, then wanting that traffic to be sent over another VPN? That shouldn't be a problem if your source lists for the VPN are correct. Or you could always just call Cisco.

Tommouse

Senior member
Feb 29, 2004
Got it to work!

Well not the disabling of IP Spoof, but what I actually wanted to get done.

Spidey's comment made me think about it a bit differently for a sec, and it occurred to me that I never tried to send the traffic from the outside interface over the tunnel. Since in my head I think of traffic leaving that interface as going directly to the Internet, I never really thought to try to tunnel that traffic over the VPN. But I gave it a go, and the traffic arrived back at HQ. I made up a Visio, as I was about to open a TAC request, and pictures normally help, but it's working now so there is no need. I thought I would share it anyway. The pic will probably do a better job of explaining what I was trying to do.

Pic
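For readers who land here with the same pair of syslog denies, the following is an added reconstruction of the branch-side ASA configuration that the outcome above implies. It is not the original poster's config. The only values taken from the thread are the inside interface address 10.245.6.1 and the AD server 192.168.6.25; the outside address 203.0.113.10, the HQ peer 198.51.100.1, the HQ LAN 192.168.6.0/24, the remote-access pool 10.245.7.0/24, the LDAP bind DN, and every object name (AD, L2L_HQ, OUTSIDE_MAP, RA_VPN, RA_POOL, ESP-AES-SHA) are assumptions.

```cisco
! Added example, not the poster's running config. Branch ASA 5505.
! From the thread: inside interface 10.245.6.1, AD server 192.168.6.25 at HQ.
! Assumed: outside 203.0.113.10, HQ peer 198.51.100.1, HQ LAN 192.168.6.0/24,
! RA pool 10.245.7.0/24, and all names/DNs below.

! What the poster had already done: drop uRPF on inside, which stops the
! "Deny TCP reverse path check" (106021) messages.
no ip verify reverse-path interface inside
! The remaining "Deny IP spoof" (106016) message is the ASA refusing a packet
! that claims its own inside address as source. Per the thread there is no
! knob for it; the fix is to stop sourcing the AAA traffic from inside.

! AAA server group for the remote-access users. The AD host is reached via
! the OUTSIDE interface, so the LDAP request is sourced from 203.0.113.10
! and can be matched by the site-to-site crypto ACL below.
aaa-server AD protocol ldap
aaa-server AD (outside) host 192.168.6.25
 ldap-base-dn dc=example,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=local
 ldap-login-password <bind-password>
 server-type microsoft

! Site-to-site "interesting traffic": branch LAN, the RA pool, AND the ASA's
! own outside address to the AD host. Without the last line the LDAP packets
! follow the default route to the Internet instead of the tunnel.
access-list L2L_HQ extended permit ip 10.245.6.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list L2L_HQ extended permit ip 10.245.7.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list L2L_HQ extended permit ip host 203.0.113.10 host 192.168.6.25

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_HQ
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Remote-access side: pool plus the AD group for authentication.
ip local pool RA_POOL 10.245.7.1-10.245.7.254 mask 255.255.255.0
tunnel-group RA_VPN general-attributes
 address-pool RA_POOL
 authentication-server-group AD
```

The HQ ASA needs the mirror image of L2L_HQ (including the line for host 203.0.113.10 to host 192.168.6.25), or the branch's LDAP packets will be dropped on the far side as not matching the tunnel. The usual NAT exemption for the branch LAN and the RA pool toward 192.168.6.0/24 is omitted here for brevity. Note the line `no ip verify reverse-path interface inside` is kept only to document the poster's earlier change; with the AAA traffic now sourced from outside, the inside uRPF check no longer sees it and could be re-enabled.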

Tommouse

Senior member
Feb 29, 2004
Oh, no doubt about that! I knew what I was trying to do was a dirty kludge; I just never thought to tunnel traffic from the outside interface before. The outside interface is always "dirty", so I didn't even want to try it, but lo and behold, the traffic got shot over the tunnel. So we're good to go :)