Community Member

ASA capture utility / IP spoof

Hello,

I had received a couple of notifications from ASA regarding IP spoof attempts:

:Jul 21 14:06:56 EDT: %ASA-session-2-106016: Deny IPspoof from (127.0.0.1) to 64.x.x.x on interface inside

I wanted to get some more info to eliminate any infected clients on my internal network. I researched this forum and configured an access list to capture suspicious traffic:

ciscoasa(config)#access-list incap permit ip host 127.0.0.1 any
ciscoasa(config)#access-list incap permit ip any host 127.0.0.1
ciscoasa(config)#capture incap access-list incap interface inside

Could someone tell me if I had done it correctly?

Here's the result of the "show capture incap":

6 packets captured

   1: 12:13:25.984049 127.0.0.1.37948 > 65.x.x.x.80: S 662274405:662274405(0) win 5840 <mss 1460,sackOK,timestamp 191385139 0,nop,wscale 0>
   2: 12:13:28.975047 127.0.0.1.37948 > 65.x.x.x.80: S 662274405:662274405(0) win 5840 <mss 1460,sackOK,timestamp 191385439 0,nop,wscale 0>
   3: 12:16:45.147239 127.0.0.1.38511 > 65.x.x.x.80: S 850947795:850947795(0) win 5840 <mss 1460,sackOK,timestamp 191405056 0,nop,wscale 0>
   4: 12:16:48.137764 127.0.0.1.38511 > 65.x.x.x.80: S 850947795:850947795(0) win 5840 <mss 1460,sackOK,timestamp 191405356 0,nop,wscale 0>
   5: 14:06:53.636197 127.0.0.1.53661 > 64.x.x.x.80: S 984711035:984711035(0) win 5840 <mss 1460,sackOK,timestamp 243907855 0,nop,wscale 0>
   6: 14:06:56.629789 127.0.0.1.53661 > 64.x.x.x.80: S 984711035:984711035(0) win 5840 <mss 1460,sackOK,timestamp 243908155 0,nop,wscale 0>
6 packets shown

How can I identify the offending host on my inside network? Also, the x-ed public IPs point to one of the local businesses and it seems that it's their totally unsecured IIS server. Is it ok to contact the company's IT dept regarding this, or report it somewhere else?

Thank you,

forman

9 REPLIES
Cisco Employee

Re: ASA capture utility / IP spoof

Hi Forman,

You could try looking at the MAC address of the offender and tracing it back through your switch to find out what machine it is coming from. Depending on your environment though (for example, if the host is a wireless client), this might not be too helpful. If the attacker can spoof their IP address, they could also be spoofing their MAC address.

Hope that helps.

-Mike

Community Member

Re: ASA capture utility / IP spoof

Thanks Mike. I think I'm missing something obvious here... How can I find the MAC address of the offender?

Sorry if this sounds ignorant, but I don't have much experience with ASA.

thanks again

forman

Cisco Employee

Re: ASA capture utility / IP spoof

Hi Forman,

No worries. If the capture is still in the ASA's memory, take a look at 'show capture detail' and the MAC address on the packets will be shown.

-Mike

Cisco Employee

Re: ASA capture utility / IP spoof

You can do 'show cap capname detail'.

Cisco Employee

Re: ASA capture utility / IP spoof

Also, I would not expect to see any traffic from the local loopback IP 127.0.0.1 on any interface of the firewall.

So I guess you should block this IP on all interfaces, as many virus/scanning hosts use this IP as a source, and also I cannot think of any legitimate traffic using this IP.

Probably someone can confirm this.

Cisco Employee

Re: ASA capture utility / IP spoof

You can either download the PCAP file of the capture, which would give you the full information, and view it with Ethereal or Wireshark. Or, alternatively, you can also do "show capture incap detail" and it will give you the MAC address information as well.

Community Member

Re: ASA capture utility / IP spoof

Thank you, everyone, for the help!

Community Member

Re: ASA capture utility / IP spoof

1 more question: what's the interpretation of this line (sh capture incap detail)?

   1: 12:13:25.98404 MAC1 MAC2 0x0800 74: 127.0.0.1.37948 >   65.x.x.x.80: S [tcp sum ok] 662274405:662274405(0) win 5840 (DF) (ttl 64, id 53078)

There are 2 MAC addresses involved: MAC2 is the ASA Inside Int and MAC1 is the web filter connected directly to the ASA's Inside Int. What's exactly happening here? I assume that the offending device is the web filter, correct? I don't think that there's anything I can do to eliminate this (other than completely blocking traffic to/from the loopback int)?

thanks

forman
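The replies above point at 'show capture incap detail' as the way to get from a spoofed source IP to a source MAC, and forman's detail line shows what that output looks like. The following script is an added example, not code from the thread or from Cisco: it parses %ASA-2-106016 "Deny IP spoof" syslog lines and 'show capture <name> detail' lines in the layout pasted above, flags source addresses that can never legitimately appear on a LAN segment (loopback, 0.0.0.0, multicast), and reports which source MACs emitted them. The MAC addresses, the TEST-NET destinations and the sample lines are constructed placeholders; the regular expressions assume the line layout shown in this thread (ASA prints MACs as xxxx.xxxx.xxxx, and colon-separated MACs are accepted too).

```python
"""Added example (not from the thread): turn ASA 106016 syslog messages and
'show capture <name> detail' output into a list of candidate offending MACs.
All sample lines below are constructed; MACs and IPs are placeholders."""
import ipaddress
import re
from collections import Counter, defaultdict

# %ASA-2-106016 "Deny IP spoof" line as quoted in the thread; the optional
# "session-" facility tag in front of the severity is accepted.
SPOOF_SYSLOG_RE = re.compile(
    r"%ASA-(?:\w+-)?\d-106016: Deny IP spoof from \((?P<src>[^)]+)\) "
    r"to (?P<dst>\S+) on interface (?P<ifc>\S+)"
)

# One TCP/UDP line of 'show capture <name> detail' in the layout forman pasted:
#   <n>: <time> <src-mac> <dst-mac> 0x0800 <len>: <src-ip>.<sport> > <dst-ip>.<dport>: ...
# ASA prints MACs as xxxx.xxxx.xxxx; colon-separated MACs are accepted as well.
CAPTURE_DETAIL_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\S+)\s+"
    r"(?P<smac>[0-9A-Fa-f.:]+)\s+(?P<dmac>[0-9A-Fa-f.:]+)\s+"
    r"0x(?P<etype>[0-9A-Fa-f]{4})\s+(?P<length>\d+):\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample input: placeholder MACs, TEST-NET (RFC 5737) destinations.
SAMPLE_SYSLOG = [
    "Jul 21 14:06:56 EDT: %ASA-session-2-106016: Deny IP spoof from (127.0.0.1) "
    "to 192.0.2.20 on interface inside",
    "Jul 21 14:07:01 EDT: %ASA-6-302013: Built outbound TCP connection 12345",  # unrelated line
]
SAMPLE_CAPTURE_DETAIL = """\
   1: 12:13:25.98404 0011.2233.4455 0066.7788.99aa 0x0800 74: 127.0.0.1.37948 > 192.0.2.10.80: S [tcp sum ok] 662274405:662274405(0) win 5840 (DF) (ttl 64, id 53078)
   2: 12:13:28.97504 0011.2233.4455 0066.7788.99aa 0x0800 74: 127.0.0.1.37948 > 192.0.2.10.80: S [tcp sum ok] 662274405:662274405(0) win 5840 (DF) (ttl 64, id 53079)
   3: 14:06:53.63619 00aa.bbcc.ddee 0066.7788.99aa 0x0800 74: 127.0.0.1.53661 > 192.0.2.20.80: S [tcp sum ok] 984711035:984711035(0) win 5840 (DF) (ttl 64, id 53080)
   4: 14:06:54.00001 0011.2233.4455 0066.7788.99aa 0x0800 74: 10.0.0.25.40000 > 192.0.2.10.80: S [tcp sum ok] 1:1(0) win 5840 (DF) (ttl 64, id 53081)
"""


def parse_spoof_syslog(lines):
    """Return one dict (src, dst, ifc) per 106016 message; other messages are ignored."""
    events = []
    for line in lines:
        m = SPOOF_SYSLOG_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def parse_capture_detail(text):
    """Parse 'show capture <name> detail' lines into dicts; non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = CAPTURE_DETAIL_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        for key in ("num", "length", "sport", "dport"):
            p[key] = int(p[key])
        packets.append(p)
    return packets


def is_impossible_source(ip):
    """True for addresses that can never be a legitimate source on a LAN segment:
    loopback (127/8), unspecified (0.0.0.0) and multicast."""
    a = ipaddress.ip_address(ip)
    return a.is_loopback or a.is_unspecified or a.is_multicast


def attribute_sources(packets):
    """Map each impossible source IP to the source MACs that emitted it, with packet counts."""
    by_ip = defaultdict(Counter)
    for p in packets:
        if is_impossible_source(p["src"]):
            by_ip[p["src"]][p["smac"]] += 1
    return {ip: dict(macs) for ip, macs in by_ip.items()}


def triage(syslog_lines, capture_text):
    """For each Deny-IP-spoof event, list the candidate offending MACs seen in the capture."""
    macs = attribute_sources(parse_capture_detail(capture_text))
    return [
        {"interface": e["ifc"], "spoofed_src": e["src"], "dst": e["dst"],
         "candidate_macs": macs.get(e["src"], {})}
        for e in parse_spoof_syslog(syslog_lines)
    ]


if __name__ == "__main__":
    for event in triage(SAMPLE_SYSLOG, SAMPLE_CAPTURE_DETAIL):
        print(f"{event['interface']}: {event['spoofed_src']} -> {event['dst']}")
        for mac, count in event["candidate_macs"].items():
            print(f"    {mac}  ({count} packets)")
```

The MAC the script reports is only the last layer-2 hop the ASA saw. In forman's case that is the web filter in front of the inside interface, so the next step is that device's own logs or a capture on its LAN side, not the ASA; and, as Mike notes above, a host that forges its IP can forge its MAC as well, so the attribution is a lead rather than proof.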

Cisco Employee

Re: ASA capture utility / IP spoof

127.0.0.1 is a loopback IP address. As you advised, MAC1 belongs to the web filtering server, so you might want to check why it's sending traffic sourced from its loopback address (127.0.0.1).

Here is more information on what that particular syslog actually means:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4768961
