01-14-2011 08:52 PM - edited 03-11-2019 12:35 PM
Hello all. Every time I try to ssh to my ASA inside interface (12.12.7.36) from 10.10.2.3, I get the following error in my logs. How can I get rid of this?
Deny IP spoof from (12.12.7.36) to 10.10.2.3 on interface inside.
01-15-2011 09:36 AM
The topology looks like this?
10.10.2.3---Router(.33)--(12.12.7.36)ASA---
You are seeing this message
Deny IP spoof from (12.12.7.36) to 10.10.2.3 on interface inside.
That message means that the packet that the firewall sent is coming right back to the firewall. I'd check the route on the router to see why it may be sending the packet back to the firewall. Does the router know where 10.10.2.0/24 lives?
Post the output of "sh run int" pls.
What is the GW configured on 10.10.2.3?
What other logs do you see besides the deny ip spoof for port 22 (ssh) connection?
What is the route on the 12.12.7.33 router? Is it pointing its default gateway towards the ASA?
-KS
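The check described in the reply above, as an added example that is not part of the original thread: it scans log lines for "Deny IP spoof" entries and separates those whose source is one of the firewall's own addresses (the firewall's packet came back, so the return path is worth tracing) from all others. The function names and the sample lines are constructed for illustration; only 12.12.7.36 and 10.10.2.3 come from the thread.

```python
import re
from collections import Counter

# Matches the message text as quoted in the thread; a syslog prefix may precede it.
SPOOF_RE = re.compile(
    r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) "
    r"on interface (?P<ifc>\S+?)\.?$"
)

def classify_spoof_denials(lines, firewall_ips):
    """Split spoof denials into those sourced from the firewall itself and the rest.

    Returns (looped, other), each a Counter keyed by (src, dst, interface).
    """
    looped, other = Counter(), Counter()
    for line in lines:
        m = SPOOF_RE.search(line.strip())
        if m is None:
            continue  # not a spoof denial
        key = (m["src"], m["dst"], m["ifc"])
        bucket = looped if m["src"] in firewall_ips else other
        bucket[key] += 1
    return looped, other

def destinations_to_trace(looped):
    """Destinations whose return path should be checked hop by hop for a loop."""
    return sorted({dst for (_src, dst, _ifc) in looped})

# Constructed sample input (not real device output).
SAMPLE_LOG = [
    "Deny IP spoof from (12.12.7.36) to 10.10.2.3 on interface inside.",
    "Deny IP spoof from (12.12.7.36) to 10.10.2.3 on interface inside.",
    "unrelated log line",
    "Deny IP spoof from (192.0.2.77) to 10.10.2.3 on interface outside.",
    "Deny IP spoof from (12.12.7.36) to 10.10.2.3 on interface inside.",
]
FIREWALL_IPS = {"12.12.7.36"}  # the ASA inside address from the thread

if __name__ == "__main__":
    looped, other = classify_spoof_denials(SAMPLE_LOG, FIREWALL_IPS)
    for (src, dst, ifc), n in looped.items():
        print(f"{n}x firewall's own packet returned on {ifc}: {src} -> {dst}")
    print("Trace the route toward:", ", ".join(destinations_to_trace(looped)))
    print("Other spoof denials:", sum(other.values()))
```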
01-14-2011 08:57 PM
Seems you have...
ip verify reverse-path interface inside
Try removing it and test.
01-15-2011 07:03 AM
Doesn't look like the source IP of this SSH connection lives/belongs behind the inside interface. Check "sh run route".
You can only ping, ssh, asdm or telnet to the closest interface from your source.
You cannot reach the far side interface - this is by design.
-KS
01-15-2011 08:55 AM
The source of this ssh connection lives behind the inside interface.
sh run route
route inside 10.10.2.0 255.255.255.0 12.12.7.33
01-15-2011 12:36 PM
I found a routing loop along the path to the ssh source. Fixing that resolved the issue. Thanks!!
01-15-2011 02:08 PM
Awesome! Yes, exactly what I thought. Thanks for rating.
-KS