Spoofing message AS 5520

tverhoeven
Level 1

We use our ASA as a VPN concentrator and I am seeing a ton of messages that read

Deny IP spoof from (0.0.0.1) to 10.x.2.91 on interface UntrustedDMZ

The 10.x.x.x address is a user on the VPN logged in from a hotel. He tells me that he only has Outlook open at this point. Any idea what might be causing this message? CiscoWorks reports over 1200 messages already today from this one user.

Thanks

1 Reply

JORGE RODRIGUEZ
Level 10

First, 0.0.0.1 is not internet routable, so it could be anything in your DMZ. You will need to use a packet capture to track the source MAC address of 0.0.0.1 that is coming from your untrustedDMZ network.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c1.html#wp2108895

asafw(config)#access-list incap permit ip host 0.0.0.1 host 10.x.2.91

asafw(config)#access-list incap permit ip host 10.x.2.91 host 0.0.0.1

asafw(config)#capture incap access-list incap packet-length 1500 interface UntrustedDMZ

asafw#show capture incap detail

The show capture should provide MAC address information for 0.0.0.1; save the output of show capture detail and note the MAC for 0.0.0.1.

Then track the MAC address:

asafw#show arp | inc ( should provide the MAC address and location on the untrustedDMZ )

Once you have collected the information,

remove the incap ACL

no access-list incap permit ip host 0.0.0.1 host 10.x.2.91

no access-list incap permit ip host 10.x.2.91 host 0.0.0.1

and disable capture

no capture incap

Here is also a good resource:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

Let us know what you have found.

Rgds

Jorge

Jorge Rodriguez
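As an added example, not part of Jorge's reply or of any Cisco tool: a small Python script that post-processes saved "show capture incap detail" and "show arp" output, tallies frames per source MAC whose IP source is the spoofed address, and then looks that MAC up in the ARP table to find the interface and real IP behind it. The sample output embedded below is constructed, and the ASA line layout the regexes expect is an assumption; adjust them if your ASA version formats the output differently.

```python
import re
from collections import Counter

# Constructed sample of "show capture incap detail" output (assumed layout:
# a header line with frame number, timestamp, src MAC, dst MAC, ethertype,
# followed by an indented line with the IP flow).
CAPTURE_DETAIL = """\
   1: 10:02:11.431024 0019.e7a1.0c02 0011.22aa.bb01 0x0800 Length: 74
      0.0.0.1 > 10.1.2.91: icmp: echo request (ttl 64, id 1)
   2: 10:02:11.531044 0019.e7a1.0c02 0011.22aa.bb01 0x0800 Length: 60
      0.0.0.1.1024 > 10.1.2.91.443: S 1:1(0) win 8192
   3: 10:02:12.001210 0011.22aa.bb01 0019.e7a1.0c02 0x0800 Length: 60
      10.1.2.91.443 > 0.0.0.1.1024: R 0:0(0) ack 2 win 0
"""

# Constructed sample of "show arp" output (assumed layout: interface, IP, MAC, age).
ARP_TABLE = """\
        UntrustedDMZ 10.200.5.17 0019.e7a1.0c02 120
        inside 10.1.2.91 0011.22aa.bb01 3
"""

HEADER = re.compile(r"^\s*\d+:\s+\S+\s+([0-9a-f.]+)\s+([0-9a-f.]+)\s+0x[0-9a-f]+")
FLOW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+(\d+\.\d+\.\d+\.\d+)")
ARP = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f.]+)")


def source_macs(capture_text, spoofed_ip):
    """Return Counter {src_mac: frames} for frames whose IP source is spoofed_ip."""
    counts = Counter()
    macs = None  # (src_mac, dst_mac) of the header line currently in scope
    for line in capture_text.splitlines():
        m = HEADER.match(line)
        if m:
            macs = (m.group(1), m.group(2))
            continue
        f = FLOW.match(line)
        if f and macs and f.group(1) == spoofed_ip:
            counts[macs[0]] += 1
    return counts


def arp_entries(arp_text, mac):
    """Return [(interface, ip)] for every ARP entry learned from the given MAC."""
    hits = []
    for line in arp_text.splitlines():
        a = ARP.match(line)
        if a and a.group(3) == mac:
            hits.append((a.group(1), a.group(2)))
    return hits


if __name__ == "__main__":
    for mac, n in source_macs(CAPTURE_DETAIL, "0.0.0.1").most_common():
        print(f"{mac}: {n} spoofed frames, ARP entries: {arp_entries(ARP_TABLE, mac)}")
```

Run it against the real saved outputs by replacing the two constructed strings with the file contents; the MAC with the highest count is the device to investigate on the UntrustedDMZ segment.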