Deny ip Spoof

Unanswered Question
Jan 25th, 2007

Hi,

I'm using an ASA5510. I want to enable VPN client access, but there is always the message: "Deny ip Spoof from (..) on Interface outside". I'm also not able to ping this device. ACLs are open and the command:

icmp permit any unreachable outside

icmp permit any outside


Could someone give me a solution?


thanks

sachinraja Thu, 01/25/2007 - 22:07

Hello reto,


What is the source of the spoof attack coming from? If it is one of these, then the PIX blocks all the spoof traffic by default, since that's the way it is supposed to work:


1) 127.0.0.1 - loopback

2) broadcast address

3) land.c subnets - your same network...


If it is something else, we have to analyse what IP that is and see if it is required. Are you not able to connect to the PIX outside at all from the internet? This should not be the case. Can you do a tracert and find out where it is dropping? Are there any other log messages on the PIX? Try going to the internet through a laptop. Take the IP of that laptop and connect to the PIX. See if there are any packets hitting the firewall with that laptop's IP. I am sure you can nail down the issue.


Hope this helps. Let us know.


Raj
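
A triage helper for the check described in the reply above, as an added example that is not part of the original thread: it pulls the source address out of each spoof-deny log line and sorts it into the three categories listed (loopback, broadcast, same network) or "other" for further analysis. The log layout, the sample lines, the `classify_spoof` name and the 203.0.113.0/24 outside subnet are assumptions constructed for illustration.

```python
import ipaddress
import re

# Matches the spoof-deny message; "to <dst>" is optional because the post's quote omits it.
SPOOF_RE = re.compile(
    r"Deny ip spoof from \((?P<src>[^)]*)\)(?: to (?P<dst>\S+))? on interface (?P<ifc>\S+)",
    re.IGNORECASE,
)

# Constructed sample lines (documentation address ranges), not taken from the thread.
SAMPLE_LINES = [
    "%ASA-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.2 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (203.0.113.255) to 203.0.113.2 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (203.0.113.2) to 203.0.113.2 on interface outside",
    "Deny ip Spoof from (198.51.100.7) on Interface outside",
    "Deny ip Spoof from (..) on Interface outside",
    "unrelated log line with no spoof message",
]
# Assumed subnet of the firewall's outside interface.
IFACE_NETS = {"outside": "203.0.113.0/24"}

def classify_spoof(line, iface_nets):
    """Return (source, category) for a spoof-deny line, or None for any other line."""
    m = SPOOF_RE.search(line)
    if m is None:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"]) if m["dst"] else None
    except ValueError:
        return m["src"], "unparseable"  # e.g. the redacted "(..)" in the post
    cidr = iface_nets.get(m["ifc"])
    net = ipaddress.ip_network(cidr) if cidr else None
    if src.is_loopback:
        return str(src), "loopback"
    if str(src) == "255.255.255.255" or (net is not None and src == net.broadcast_address):
        return str(src), "broadcast"
    # Source equal to the destination, or inside the interface's own subnet.
    if src == dst or (net is not None and src in net):
        return str(src), "same-network"
    return str(src), "other"

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify_spoof(line, IFACE_NETS))
```

Lines that come back as "other" are the ones to compare against the VPN client's real public address, as the reply suggests.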
