Deny IP spoof on interface inside

Unanswered Question
Jun 3rd, 2010
Is there a way I can allow spoofed packets from one server to another through a PIX firewall (version 8)? This is for forwarding syslog packets so the destination thinks they were sent from the originating IP address. But I get the following message and I can't see how to permit it. No anti-spoofing or threat detection is turned on.

Deny IP spoof from (10.x.x.2) to Server-X on interface inside

Federico Coto F... Thu, 06/03/2010 - 09:40


Do you have access to ASDM?

Can you check under Configuration, Firewall, Advanced, Anti-spoofing whether you have it enabled for those interfaces?


infosateng Thu, 06/03/2010 - 09:45

I'm using a PIX 515 v8.0(4)32

I don't have anti-spoofing enabled; if I enable it I get "Deny UDP reverse path check from 10.x.x.2 to Server-X on interface inside".

Federico Coto F... Thu, 06/03/2010 - 09:53

Yes, I missed it in your original post, sorry.

I'm not sure if the ASA performs anti-spoofing by default on its interfaces.

If you do enable anti-spoofing, the ASA is going to verify that there's a route to the packet's source towards the interface on which it receives it. If there's not, it will give you that error.

Do those spoofed packets that you want to allow through the PIX exist in your network somewhere?

Does the ASA know how to reach those packets through another interface?


infosateng Thu, 06/03/2010 - 09:56
Yes, the spoofed packets' network exists and there is a route.

Federico Coto F... Thu, 06/03/2010 - 10:01

I understand that the range purposely exists on another interface and you're receiving them on the inside (that's why they are spoofed packets).

However, I believe that if the PIX has a route to those packets via one interface and it receives them via another interface, the PIX will not allow those packets through (and I think there's no way to do it)... unless you don't need the route to the actual packets and put the route to the inside (but then, there are no spoofed packets anymore).

Honestly I don't see a way to allow the packets through without letting the PIX know they should come from that interface (inside in this case).

However I might be missing something...


Cameco NetworkAdmin Wed, 11/24/2010 - 20:36
Deny IP spoof from (10.x.x.2) to Server-X on interface inside

Is 10.x.x.2 your ASA's inside interface?

Do you have a static route that directs traffic to Server-X to your core switch, and then a default route on the core switch to the ASA?

If so, all traffic initially from the ASA will go to the core switch and then be directed back to the ASA with the source address as the ASA's address. The ASA deems this a spoofed address. This happens when the Server-X route isn't on the core switch (for example, Server-X is in a remote site and the remote site is down).

Do not know how to disable this warning msg. I have the same issue in my environment.
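Added illustration, not code from the thread or from Cisco: a small Python model of the two checks the posts describe, Federico's reverse-path test (with anti-spoofing on, the route back to the packet's source must point out the interface it arrived on) and Cameco's reading of the "Deny IP spoof" message (the source is the firewall's own interface address). Interface addresses, routes and Server-X's address are assumed placeholder values; the emitted strings mimic the two log lines quoted in the thread.

```python
import ipaddress

# Constructed scenario (assumed values, not from the thread): the firewall's
# interface addresses, its routing table and Server-X's address are placeholders.
FW_INTERFACES = {"inside": "10.0.0.1", "outside": "198.51.100.1"}
ROUTES = [  # (prefix, egress interface)
    ("10.0.0.0/24", "inside"),
    ("192.0.2.0/24", "outside"),   # hypothetical subnet holding Server-X
    ("0.0.0.0/0", "outside"),      # default route
]
SERVER_X = "192.0.2.10"


def egress_interface(ip, routes=ROUTES):
    """Longest-prefix match: the interface the firewall would use to reach ip."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def inspect(src, dst, ingress, proto="udp", rpf_enabled=False):
    """Return (allowed, log_line) for a packet arriving on `ingress`.
    Two checks modelled from the thread:
    1. the source is one of the firewall's own interface addresses ->
       'Deny IP spoof' (seen by the original poster with anti-spoofing off);
    2. with anti-spoofing (unicast RPF) on, the route back to the source must
       point out the ingress interface -> 'Deny <proto> reverse path check'."""
    if src in FW_INTERFACES.values():
        return False, f"Deny IP spoof from ({src}) to {dst} on interface {ingress}"
    if rpf_enabled and egress_interface(src) != ingress:
        return False, (f"Deny {proto.upper()} reverse path check from {src} "
                       f"to {dst} on interface {ingress}")
    return True, None


if __name__ == "__main__":
    # Relay on the inside re-sending syslog with the firewall's own inside address as source.
    print(inspect("10.0.0.1", SERVER_X, "inside"))
    # Inside host, RPF on: the route to 10.0.0.0/24 points to inside -> allowed.
    print(inspect("10.0.0.25", SERVER_X, "inside", rpf_enabled=True))
    # Source from the outside subnet arriving on inside, RPF on -> dropped.
    print(inspect("192.0.2.50", SERVER_X, "inside", rpf_enabled=True))
```

The third case is the thread's situation: the only ways to make it pass are to leave RPF off or to give the firewall a route for that source range pointing at the inside, which is exactly the trade-off Federico describes.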

Cameco NetworkAdmin Wed, 11/24/2010 - 21:19
I ended up configuring a static route on the switch for all hosts the ASA needs to talk to, with a bigger admin distance.

Mark Pottebaum Thu, 09/17/2015 - 12:13
I have the same issue with syslogs getting forwarded back across the same firewall they were generated from. Did you find a solution?

