ASA-2-106016 on same interface, but two subnets

Feb 19th, 2014

Hi,


I get a strange problem here. We got another subnet from our ISP because we needed another block of IPs. Everything works fine, except one thing:


  Deny IP spoof from (XXX.XXX.XXX.XXX) to XXX.XXX.XXX.XXX on interface outside


The source IP is our main IP from our primary subnet and the destination is one of the IPs in the new subnet. Do I need to add a special rule to allow this traffic?


Cisco ASA 5510

ASA Version 9.1(1)

Richard Burts Wed, 02/19/2014 - 13:19

Could you tell us how you are using the second subnet that the ISP provided? And it might help if you would post from the config at least the parts that deal with both of the subnets? It is difficult to know if you need to add something until we know what you already have.


HTH


Rick

druideinformatique Thu, 02/20/2014 - 06:25

Hi Richard,


XXX.XXX.XXX is the primary subnet, YYY.YYY.YYY is the secondary.


  Interface Ethernet0/1 "outside", is up, line protocol is up
    Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    Input flow control is unsupported, output flow control is off
    IP address XXX.XXX.XXX.42, subnet mask 255.255.255.248

  interface Ethernet0/1
   nameif outside
   security-level 0
   ip address XXX.XXX.XXX.42 255.255.255.248

Related config:

  object network bloc-externe-supp
   subnet YYY.YYY.YYY.32 255.255.255.248
  object network YYY.YYY.YYY.34
   host YYY.YYY.YYY.34

  route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.41 1
  route outside YYY.YYY.YYY.32 255.255.255.248 YYY.YYY.YYY.33 1
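
As an added example (not from the original thread or from Cisco), here is a small Python triage helper for the ASA-2-106016 message: it parses the syslog line and checks the reported source against the outside interface address and the two blocks from the config above, so you can separate the case in this thread (source is your own outside IP or one of your own public blocks) from a genuinely external spoofed source. The addresses are constructed RFC 5737 stand-ins for the masked XXX/YYY values, and the regex assumes the standard %ASA-2-106016 message text.

```python
import ipaddress
import re
from collections import Counter

# Message body of %ASA-2-106016 as seen in this thread; the syslog
# timestamp/hostname prefix varies per setup, so only the body is anchored.
SPOOF_RE = re.compile(
    r"%ASA-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<ifc>\S+)"
)

# Constructed stand-ins for the masked config values: the real XXX/YYY
# addresses are not on the page, so documentation ranges are used instead.
ASA_OUTSIDE_IP = ipaddress.ip_address("203.0.113.42")   # "ip address ...42 /29"
OWN_BLOCKS = [
    ipaddress.ip_network("203.0.113.40/29"),   # primary block on "outside"
    ipaddress.ip_network("198.51.100.32/29"),  # bloc-externe-supp, routed /29
]

def classify(line):
    """Return (src, dst, interface, verdict) for a 106016 line, else None."""
    m = SPOOF_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    if src == ASA_OUTSIDE_IP:
        verdict = "own-interface-ip"   # our own outside address came back to us
    elif any(src in block for block in OWN_BLOCKS):
        verdict = "own-block"          # one of our public IPs used as source
    else:
        verdict = "external-source"    # not ours: treat as a real spoof attempt
    return str(src), m["dst"], m["ifc"], verdict

def summarize(lines):
    """Count hits per (source, verdict) so a repeating source stands out."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result:
            counts[(result[0], result[3])] += 1
    return counts

# Constructed sample syslog lines modelled on the message quoted in the thread.
SAMPLE = [
    "Feb 19 2014 13:05:01 asa %ASA-2-106016: Deny IP spoof from (203.0.113.42) to 198.51.100.34 on interface outside",
    "Feb 19 2014 13:05:02 asa %ASA-2-106016: Deny IP spoof from (203.0.113.42) to 198.51.100.34 on interface outside",
    "Feb 19 2014 13:06:10 asa %ASA-2-106016: Deny IP spoof from (10.9.8.7) to 203.0.113.42 on interface outside",
    "Feb 19 2014 13:06:11 asa %ASA-6-302013: Built inbound TCP connection 1 for outside:192.0.2.9/1 to inside:10.1.1.1/1",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(key, count)
```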

INGENIERIA Y CO... Wed, 02/19/2014 - 13:47

That's almost normal behavior on an ASA if you don't enable proxy ARP on that interface and have anti-spoofing enabled.


Try this:


  ip verify reverse-path interface [interface_name (inside/outside/dmz)]


and this one:


  arp permit-nonconnected


and this other one:


  no sysopt noproxyarp [interface_name (inside/outside/dmz)]


Let us know if it fixes your problem!!!


Have a great day!

druideinformatique Thu, 02/20/2014 - 06:28

Hi,


I do have "arp permit-nonconnected" but not the other two. I will try them early next week.
