Spoof messages in my Cisco Pix 525

Unanswered Question
Feb 22nd, 2007

Hi, two days ago, the cisco pix's messages shows the follow:

106016: Deny IP spoof from (127.0.0.1) to 10.82.239.198 on interface WAN

106016: Deny IP spoof from (127.0.0.1) to 10.82.239.230 on interface WAN

106016: Deny IP spoof from (127.0.0.1) to 10.82.239.8 on interface WAN

106016: Deny IP spoof from (127.0.0.1) to 10.82.239.236 on interface WAN

106016: Deny IP spoof from (127.0.0.1) to 10.82.239.198 on interface WAN

106016: Deny IP spoof from (127.0.0.1) to 10.82.239.230 on interface WAN

I had revised the cisco documentation but I don't find the answer. Please, may someone help me to know what does mean this??. What I should do for fix it??. I have some risk in my network?. Thank you for your help.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
abinjola Thu, 02/22/2007 - 09:19

hello,

well Pix is already doing its job and blocking/denying this attack

In order to find out the source of this attack you may set the captures on the firewall and then locate the offending host

Pix(config)#access-list incap permit ip host 127.0.0.1 10.82.239.0 255.255.255.0

Pix(config)#access-list incap permit ip 10.82.239.0 255.255.255.0 host 127.0.0.1

Pix(config)#capture incap access-list incap packet-length 1500 interface WAN

After setting these captures we would like to view the Captures in detail using the command :-

sh capture incap detail

the above command would help us to find out the MAC address of the culprit

using the above MAC address find out the IP address of the host in question

show arp | include 0003.ba71.67ed

inside 10.1.3.16 0003.ba71.67ed

here i assume the MAC to be 0003.ba71.67ed, but in your case it will be different (the one you will capture with the command sh capture incap detail)

Further if you would like to avoid this hitting the firewall then you may block this request on the router downstream to WAN Interface

see if it helps !

darwintovar Thu, 03/08/2007 - 07:09

Hi abinjola!,

I did this and indeed I could solve the problem.

Thousand thanks.

abinjola Thu, 03/08/2007 - 20:57

you'r welcome buddy....!

I am glad I was able to help ya...

Actions

This Discussion