Deny IP spoof on interface inside

Unanswered Question
Jun 3rd, 2010

Hello

Is there a way I can allow spoofed packets from one server to another through a PIX firewall (version 8)? This is for forwarding syslog packets so the destination thinks they were sent from the originating IP address. But I get the following message and I can't see how to permit it. No anti-spoofing or threat detection is turned on.

Deny IP spoof from (10.x.x.2) to Server-X on interface inside

Federico Coto F... Thu, 06/03/2010 - 09:40

Hi,

Do you have access to ASDM?

Can you check under Configuration, Firewall, Advanced, Anti-spoofing..

if you have it enabled for those interfaces?

Federico.

infosateng Thu, 06/03/2010 - 09:45

I'm using a PIX 515 v8.0(4)32

I don't have anti-spoofing enabled; if I enable it I get: Deny UDP reverse path check from 10.x.x.2 to Server-X on interface inside

Federico Coto F... Thu, 06/03/2010 - 09:53

Yes, I missed it from your original post, sorry.

I'm not sure if the ASA performs anti-spoofing by default on its interfaces.

If you do enable anti-spoofing, the ASA is going to verify that there's a route to the packet's source towards the interface on which it received it. If there's not, it will give you that error.

Do those spoofed packets that you want to allow through the PIX exist in your network somewhere?

Does the ASA know how to reach those packets through another interface?

Federico.

Federico Coto F... Thu, 06/03/2010 - 10:01

I understand that the range purposely exists on another interface and you're receiving them on the inside (that's why they are spoofed packets).

However, I believe that if the PIX has a route to those packets via one interface and it receives them via another interface, the PIX will not allow those packets through (and I think there's no way to do it)... unless you don't need the route to the actual packets and put the route to the inside (but then, there are no spoofed packets anymore).

Honestly I don't see a way to allow the packets through without letting the PIX know they should come from that interface (inside in this case).

However I might be missing something...

Federico.
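
The reverse-path check Federico describes, modelled as an added example (not code from the thread or from Cisco): the firewall looks up the route back to the packet's source and permits the packet only if that route points at the interface it arrived on. The routing table, interface names and addresses below are constructed placeholders.

```python
import ipaddress
from typing import Optional

# Constructed routing table: (prefix, interface the firewall would use to reach it).
# The PIX in the thread uses 10.x.x.x addresses; these are placeholders.
ROUTES = [
    ("10.1.1.0/24", "inside"),   # hypothetical inside LAN, where the syslog relay sits
    ("10.2.2.0/24", "dmz"),      # hypothetical segment that owns the original syslog sources
    ("0.0.0.0/0", "outside"),    # default route
]

def lookup_egress(ip: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface the firewall would use to reach `ip`."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def reverse_path_check(src: str, dst: str, ingress: str, routes=ROUTES) -> str:
    """Model of the check: a packet passes only if the route back to its
    source points at the interface it arrived on; otherwise it is dropped
    with the message infosateng quoted."""
    if lookup_egress(src, routes) == ingress:
        return "permit"
    return f"Deny UDP reverse path check from {src} to {dst} on interface {ingress}"

def forwarded_syslog_outcomes():
    """Three cases from the thread:
    1. the relay on inside re-sends with the original (dmz) source -> denied
    2. the same source arriving natively on dmz -> permitted
    3. Federico's workaround: a route for the source pointing at inside makes
       the check pass, but the firewall then no longer sees it as spoofed."""
    server_x = "10.1.1.50"      # constructed destination
    original_src = "10.2.2.7"   # constructed original syslog sender
    relayed = reverse_path_check(original_src, server_x, "inside")
    native = reverse_path_check(original_src, server_x, "dmz")
    rerouted = reverse_path_check(original_src, server_x, "inside",
                                  routes=ROUTES + [("10.2.2.7/32", "inside")])
    return relayed, native, rerouted

if __name__ == "__main__":
    for line in forwarded_syslog_outcomes():
        print(line)
```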

Cameco NetworkAdmin Wed, 11/24/2010 - 20:36

Deny IP spoof from (10.x.x.2) to Server-X on interface inside

Is 10.x.x.2 your ASA's inside interface?

Do you have a static route that directs traffic to Server-X to your core switch, and then a default route on the core switch to the ASA?

If so, all traffic initially from the ASA will go to the core switch and then be directed back to the ASA with the source address as the ASA's address. The ASA deems this a snooped address. This happens when the Server-X route isn't on the core switch (for example, Server-X is in a remote site and the remote site is down).

Do not know how to disable this warning msg. I have the same issue in my environment.

Cameco NetworkAdmin Wed, 11/24/2010 - 21:19

I ended up configuring static routes on the switch for all hosts the ASA needs to talk to, with a bigger admin distance.

Mark Pottebaum Thu, 09/17/2015 - 12:13

I have the same issue with syslogs getting forwarded back across the same firewall they were generated from. Did you find a solution?
