Deny IP Spoofing - ASA

Oct 6th, 2009

Hi all,


Currently I am running a Cisco ASA v8.0 IOS w/ UR license.

I have a web server running behind the ASA (In the DMZ network) and an inside network (with access to the internet).

I do run host-monitoring software which polls the corporate website of my company.

However, recently I noticed that the PCs within the inside network are not able to access the corporate website.

Upon checking the logs, this is what I get:


Deny IP spoof from (203.X.X.X) to 58.X.X.X on interface outside


The 203.X.X.X is my legitimate WAN address for those in the inside network, whereas 58.X.X.X would refer to the WAN IP for the corp web.


This is preventing me from monitoring the status of my corp web.


Other users with other IPs are able to view my website with no issues. Is there any way I can stop the ASA from denying the legitimate IP?


It worked fine previously, but it started having problems ever since I tried to implement a web application firewall.


I have since removed the web app firewall and rolled back to the previous network configuration, but have been having this problem ever since then.


Your help is very much appreciated!


Thanks!

dhananjoy chowdhury Wed, 10/07/2009 - 00:12

It seems the packets from the subnet 203.X.X.X are not coming to the correct interface on the ASA.

The route for the subnet 203.X.X.X on the ASA is on some other interface.

uzair syed naveed Wed, 10/07/2009 - 03:26

Use this command in your configuration:

ip verify reverse-path interface outside


This command helps to prevent IP spoofing attacks arising from the outside interface.
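Both replies above turn on the same idea: a reverse-path check accepts a packet only if the route back to its source address points out of the interface the packet arrived on, so a source that is routed via another interface (the first reply) is exactly what the strict check enabled by the second reply denies. The following is an added example, not code from this thread or from Cisco: it models that strict check against a constructed routing table (RFC 5737 documentation addresses and made-up interface names, not the poster's 203.X.X.X/58.X.X.X), shows how removing a stale route changes the verdict, and triages constructed syslog lines in the format the question quotes.

```python
"""Strict reverse-path check and "Deny IP spoof" log triage (added example).

The routing table, interface names, addresses and log lines below are all
constructed for illustration; this is a model of the check, not the ASA's code.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Hypothetical routing table. The last entry is the kind of leftover static
# route (public prefix pointing at an internal interface) that the first reply
# describes; it is the bug this example demonstrates.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside"),
    Route(ipaddress.ip_network("192.168.10.0/24"), "inside"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "dmz"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "dmz"),  # stale, should be via outside
]


def egress_interface(ip: ipaddress.IPv4Address, routes: List[Route] = ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface the firewall would use to reach `ip`."""
    best: Optional[Route] = None
    for r in routes:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.interface if best else None


def reverse_path_ok(src: str, ingress: str, routes: List[Route] = ROUTES) -> bool:
    """Strict uRPF: accept a packet from `src` seen on `ingress` only if the
    route back to `src` leaves through that same interface."""
    return egress_interface(ipaddress.ip_address(src), routes) == ingress


def would_deny(src: str, ingress: str, routes: List[Route] = ROUTES) -> bool:
    """A source that can never legitimately arrive on a routed interface
    (loopback, multicast, unspecified) is denied outright; anything else is
    subject to the reverse-path check."""
    ip = ipaddress.ip_address(src)
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        return True
    return not reverse_path_ok(src, ingress, routes)


def without_route(prefix: str, routes: List[Route] = ROUTES) -> List[Route]:
    """Routing table with one prefix removed, to test a proposed fix offline."""
    net = ipaddress.ip_network(prefix)
    return [r for r in routes if r.prefix != net]


# Log triage: the message format is the one quoted in the question.
SPOOF_RE = re.compile(
    r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)


def parse_spoof_denies(log_text: str):
    """Yield (src, dst, iface) for every 'Deny IP spoof' line in a syslog dump."""
    for line in log_text.splitlines():
        m = SPOOF_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("iface")


def summarize(log_text: str) -> Counter:
    """Count denies per (src, iface). One source repeatedly hitting one interface
    points at a misrouted legitimate host; many sources looks like real spoofing."""
    return Counter((src, iface) for src, _dst, iface in parse_spoof_denies(log_text))


# Constructed syslog lines (not real logs), in the format quoted in the question.
SAMPLE_LOG = """\
%ASA-2-106016: Deny IP spoof from (203.0.113.5) to 198.51.100.80 on interface outside
%ASA-2-106016: Deny IP spoof from (203.0.113.5) to 198.51.100.80 on interface outside
%ASA-6-302013: Built inbound TCP connection 12 for outside:192.0.2.7/40000 (192.0.2.7/40000) to dmz:198.51.100.80/80 (198.51.100.80/80)
%ASA-2-106016: Deny IP spoof from (127.0.0.1) to 198.51.100.80 on interface outside
"""

if __name__ == "__main__":
    for (src, iface), n in summarize(SAMPLE_LOG).items():
        print(f"{src} on {iface}: {n} denies, route back via {egress_interface(ipaddress.ip_address(src))}, "
              f"deny={would_deny(src, iface)}, deny after dropping stale route="
              f"{would_deny(src, iface, without_route('203.0.113.0/24'))}")
```

Run against the constructed table, 203.0.113.5 arriving on outside is denied because the stale route sends that prefix via dmz, and the same packet passes once that route is removed; 127.0.0.1 is denied regardless of routing. On the real firewall the equivalent check is `show route` for the denied source prefix, which is where the first reply points.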
