Spoofing message AS 5520

Unanswered Question

We use our ASA as a VPN concentrator and I am seeing a ton of messages that read:

Deny IP spoof from (0.0.0.1) to 10.x.2.91 on interface UntrustedDMZ


The 10.x.x.x address is a user on the VPN logged in from a hotel. He tells me that he only has Outlook open at this point. Any idea what might be causing this message? CiscoWorks reports over 1200 messages already today from this one user.


Thanks


JORGE RODRIGUEZ Fri, 11/28/2008 - 15:36

First, 0.0.0.1 is not internet routable, so it could be anything in your DMZ; you will need to use a packet capture to track the source MAC address of 0.0.0.1 that is coming from your untrustedDMZ network.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c1.html#wp2108895


asafw(config)#access-list incap permit ip host 0.0.0.1 host 10.x.2.91

asafw(config)#access-list incap permit ip host 10.x.2.91 host 0.0.0.1

asafw(config)#capture incap access-list incap packet-length 1500 interface UntrustedDMZ


asafw#show capture incap detail


The show capture should provide MAC address information for 0.0.0.1; save the output of show capture detail and note the MAC for 0.0.0.1.


Then track the MAC address:


asafw#show arp | inc <mac-address-noted-above>   ( should provide the MAC address and its location on the untrustedDMZ )


Once you have collected the information, remove the incap ACL:

no access-list incap permit ip host 0.0.0.1 host 10.x.2.91

no access-list incap permit ip host 10.x.2.91 host 0.0.0.1


and disable the capture:

no capture incap


Here is also a good resource:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml


Let us know what you have found.


Rgds

Jorge
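As an added example (not from the original thread or from Cisco), a small Python triage script that parses ASA "Deny IP spoof" syslog lines like the one in the question and counts them per source, destination and interface, flagging any tuple that crosses a threshold. The sample log lines and the 10.0.2.91 address are constructed; the threshold value is an assumption you would tune to your environment.

```python
import re
from collections import Counter

# Regex for the ASA "Deny IP spoof" message quoted in the question. The optional
# "%ASA-2-106016:" prefix is the standard syslog header the ASA prepends to it.
SPOOF_RE = re.compile(
    r"(?:%ASA-\d-106016:\s*)?Deny IP spoof from \((?P<src>[^)]+)\) "
    r"to (?P<dst>\S+) on interface (?P<ifc>\S+)"
)


def parse_spoof_line(line):
    """Return (src, dst, interface) for a Deny IP spoof line, else None."""
    m = SPOOF_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("ifc")


def summarize(lines, threshold=100):
    """Count spoof denials per (src, dst, interface) and flag noisy tuples.

    Returns (counts, flagged): counts maps each tuple to its hit count; flagged
    lists the tuples at or above threshold, which is how a single VPN peer
    producing over a thousand denials a day (as in the question) stands out.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_spoof_line(line)
        if parsed:
            counts[parsed] += 1
    flagged = [key for key, n in counts.items() if n >= threshold]
    return counts, flagged


# Constructed sample log lines (not real ASA output) mirroring the question's message.
SAMPLE_LOG = [
    "%ASA-2-106016: Deny IP spoof from (0.0.0.1) to 10.0.2.91 on interface UntrustedDMZ",
    "%ASA-2-106016: Deny IP spoof from (0.0.0.1) to 10.0.2.91 on interface UntrustedDMZ",
    "%ASA-2-106016: Deny IP spoof from (192.0.2.7) to 10.0.2.50 on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:192.0.2.7/4444 "
    "(192.0.2.7/4444) to inside:10.0.2.50/25 (10.0.2.50/25)",
]

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG, threshold=2)
    for key, n in counts.most_common():
        print(n, *key)
    print("flagged:", flagged)
```

Feed it the ASA syslog export (one message per line) and the flagged tuples tell you which source/interface pairs are worth the packet capture Jorge describes.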


