I have an odd scenario but need help with anti-spoofing on my outside interface. I have a subnet of our network IPs outside my firewall that needs to be allowed inside. I had to disable anti-spoofing on my outside interface to allow this subnet into our network or it was seen as being spoofed and dropped. I need to get anti-spoofing enabled but I need to not have anti-spoofing used on that subnet. Help!
It is not possible to disable antispoofing for a select subnet as the ASA uses its routing table for these checks. So you might want to try putting static routes to those IPs... that is, if the subnet is not directly connected to the ASA.
Another thing you could do, as a work-around, is to configure deny rules for your LAN subnets but explicitly permit the IPs that are on the outside interface, then apply that ACL to your outside interface.
Please remember to select a correct answer and rate helpful posts
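
The static-route suggestion in the answer above, as an added example that is not part of the original posts: a simplified Python model of a routing-table-based reverse-path check (not ASA code), showing why a more specific route for the outside-located subnet lets its traffic pass while other internal sources arriving on the outside are still dropped. All prefixes, addresses and interface names are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (prefix, interface the route points out of).
ROUTES = [
    ("0.0.0.0/0", "outside"),   # default route
    ("10.0.0.0/8", "inside"),   # internal address space
]

def lookup(routes, addr):
    """Longest-prefix match: return the interface of the best route, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None

def rpf_pass(routes, src, ingress):
    """Model of the check: the route back to the source address must
    point out of the interface the packet arrived on."""
    return lookup(routes, src) == ingress

def demo():
    src = "10.1.50.20"  # host in the internal-range subnet that sits outside
    # Without a specific route, 10.0.0.0/8 says "inside": seen as spoofed.
    before = rpf_pass(ROUTES, src, "outside")
    # Add a static route for just that subnet via the outside interface.
    fixed = ROUTES + [("10.1.50.0/24", "outside")]
    after = rpf_pass(fixed, src, "outside")
    # Any other internal source arriving on the outside is still rejected.
    spoofed = rpf_pass(fixed, "10.2.0.9", "outside")
    return before, after, spoofed

if __name__ == "__main__":
    print(demo())
```
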