Deny IP spoof

Jan 6th, 2004

I’m getting this deny in my FW logs:


Deny IP spoof from (127.0.0.xx) to xx.xxx.xxx.xxx on interface inside.


I’ve just started to see them; what can cause this?


Thanks,


Paul Lane




Hi Paul,


This explanation might help you; let me know if you need further help:


Error Message


%PIX-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.


Explanation


This message is logged when the firewall discards a packet with an invalid source address. Invalid source addresses are those addresses belonging to the following:


Loopback network (127.0.0.0)

Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)

The destination host (land.c)


Furthermore, if the sysopt connection enforcesubnet command is enabled, PIX Firewall discards packets with a source address belonging to the destination subnet, preventing them from traversing the firewall, and logs this message.


To further enhance spoof packet detection, use the conduit command to configure the firewall to discard packets with source addresses belonging to the internal network.


Recommended Action:


Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.


Regards - Jay.



Paul.Lane Tue, 01/06/2004 - 09:16

Jay,


Thank you for your reply. It looks like the FW is discarding the packet because it's using 127.0.0.88 as the source IP address.


How do I know if the sysopt connection enforcesubnet command is enabled?


Also what should I look for to determine if an external user is trying to compromise the protected network?


Thanks,


Paul Lane



Paul,


Check your PIX config and see if you have the command:


> sysopt connection enforcesubnet


If you do have the above command, you can disable it by issuing the command no sysopt connection enforcesubnet in config mode on the PIX.


For your 2nd question, see if the packets are arriving from the same source constantly and set up syslog for your PIX; also, check for misconfiguration of inside clients.


Let me know how you get on.


Jay.
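As an added example (not from the thread or from Cisco), the following script does the two things Jay suggests: it parses %PIX-2-106016 lines from a syslog export, classifies the denied source into the categories listed in the explanation above (loopback, land, limited broadcast), and counts hits per source so a host that is "arriving constantly" stands out. The log lines and addresses are constructed for illustration; the regex field names and category labels are my own.

```python
import re
import ipaddress
from collections import Counter

# Pattern for the 106016 message quoted in the thread; group names are assumptions.
PIX_106016 = re.compile(
    r"%PIX-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\w+)"
)

def classify_source(src: str, dst: str) -> str:
    """Map a denied source address to one of the invalid-source categories above."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in ipaddress.ip_network("127.0.0.0/8"):
        return "loopback"                # 127.0.0.0 network, as in Paul's log
    if s == d:
        return "land"                    # source equals destination host (land.c)
    if s == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    return "other"                       # directed broadcast needs subnet knowledge

def parse_spoof_denies(lines):
    """Yield (src, dst, iface, category) for each 106016 line; ignore other messages."""
    for line in lines:
        m = PIX_106016.search(line)
        if m:
            src, dst, iface = m.group("src"), m.group("dst"), m.group("iface")
            yield src, dst, iface, classify_source(src, dst)

def count_by_source(lines):
    """Denies per source address: a single source hitting repeatedly is worth a look."""
    return Counter(src for src, _, _, _ in parse_spoof_denies(lines))

# Constructed sample syslog lines (addresses are made up for this example).
SAMPLE_LOG = [
    "%PIX-2-106016: Deny IP spoof from (127.0.0.88) to 10.1.1.20 on interface inside.",
    "%PIX-2-106016: Deny IP spoof from (127.0.0.88) to 10.1.1.21 on interface inside.",
    "%PIX-2-106016: Deny IP spoof from (10.1.1.20) to 10.1.1.20 on interface outside.",
    "%PIX-2-106016: Deny IP spoof from (255.255.255.255) to 10.1.1.5 on interface inside.",
    "Jan  6 09:16:00 pix: unrelated message (constructed), skipped by the parser",
]

if __name__ == "__main__":
    for rec in parse_spoof_denies(SAMPLE_LOG):
        print(rec)
    print(count_by_source(SAMPLE_LOG).most_common())
```

Run it against a real syslog export and the most_common() output tells you whether the 127.0.0.x denies come from one inside host, which points at a misconfigured client rather than an external probe.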

bfl1 Tue, 01/06/2004 - 10:43

What version of the FOS has "sysopt connection enforcesubnet" ?


How does this differ from the ip verify reverse-path interface command?


Thanks
