IP Spoof Attack in CISCO ASA

Unanswered Question
Sep 8th, 2010

Hi Dudes,

Iam getting IP Spoof attack in my CISCO ASA Firewall. Though it's denying I want more dig into this.can anyone help me.

is there any way to discard this logs.

Note : I have already enable IP reverse path command to protect.

Please ref the logs

Deny IP Spoof from ( to ( on interface inside - FW LAN face ip - Syslog server IP



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
praprama Wed, 09/08/2010 - 00:32


Is the IP address the IP address of the "inside" interface of the ASA? The ASA is receving a packet on the inside interface with a source IP which is it's own and the destination IP is that of the syslog server Could you paste the output of "show route" and "show int ip brief" from the ASA?

Is the ASA sending syslogs to If so, is it connected to the "inside" interface of the ASA? If so, it seems like the there is some kind of a routing loop in the network! The device directly connected to the ASA on the "inside" interface is sending this packet back to the ASA for some reason. Please have a look the device connected to the ASA on the inside interface.

Hope this helps!!

Thanks and Regards,


tamilvanan.saravanan Thu, 09/09/2010 - 02:34

Hi Prapanch,

Thanks for you reply,

Yes u correct, The IP Address : is my ASA inside interface.

but the syslogs is not directly connected in my ASA.. It's located in Mumbai.

All my devices are synd with syslog server.

Pls advice..



tamilvanan.saravanan Thu, 09/09/2010 - 02:40


Iam getting the message id : 106016.

Currently I have the below verions

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Please advice..

praprama Thu, 09/09/2010 - 06:56


Well as i said previously my guess is that The device directly connected to the  ASA on the "inside" interface is sending this packet back to the ASA  for some reason. Please apply captures on the ASA from the ASA to the syslogs server and vice versa on the inside interface as i had said.


What is the device that is directly connected to the ASA on the inside interface, that is, in between the ASA and the syslog server. Can you get the routing table of that device and paste it here?



Nagaraja Thanthry Thu, 09/09/2010 - 07:06


Is the syslog server connected through a VPN tunnel? If it is, most likely

the next hop device is sending the packets back at the firewall (default

gateway points to firewall) without encrypting the data. Common reasons

would be a break in the tunnel or other routing issues. Please check to see

if the VPN tunnel/Routing is working as expected when you see these


Hope this helps.




This Discussion