Cisco Support Community
Community Member

cisco asa 5520 how can I get rid of this spoofing

Hello all. Every time I try to SSH to my ASA inside interface (12.12.7.36) from 10.10.2.3, I get the following error in my logs. How can I get rid of this?

Deny IP spoof from (12.12.7.36) to 10.10.2.3 on interface inside.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: cisco asa 5520 how can I get rid of this spoofing

The topology looks like this?

10.10.2.3---Router(.33)--(12.12.7.36)ASA---

You are seeing this message

Deny IP spoof from (12.12.7.36) to 10.10.2.3 on interface inside.

That message means that the packet that the firewall sent is coming right back to the firewall. I'd check the route on the router to see why it may be sending the packet back to the firewall. Does the router know where 10.10.2.0/24 lives?

Post the output of "sh run int" please.

What is the GW configured on 10.10.2.3?

What other logs do you see besides the deny ip spoof for port 22 (ssh) connection?

What is the route on the 12.12.7.33 router? Is it pointing its default gateway towards the ASA?

-KS
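To make the accepted answer's reasoning concrete, here is an added Python model (not from the thread, and not Cisco's implementation) of the ASA reverse-path check and the router loop it describes: the ASA's SSH reply leaves towards the router, the router has no route for 10.10.2.0/24 and sends it back to the ASA, and the ASA logs the spoof. The subnet mask, the default route and the router's "lan" interface name are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology (example data, not a device config):
#   10.10.2.3 --- Router(12.12.7.33) --- (12.12.7.36) ASA "inside"
ASA_INSIDE_IP = "12.12.7.36"

# Simplified ASA route table (prefix -> egress interface). The 10.10.2.0/24
# entry mirrors the poster's "route inside 10.10.2.0 255.255.255.0 12.12.7.33";
# the connected /27 and the default route are assumed.
ASA_ROUTES = [
    (ip_network("12.12.7.32/27"), "inside"),
    (ip_network("10.10.2.0/24"), "inside"),
    (ip_network("0.0.0.0/0"), "outside"),
]

def lpm(routes, dst):
    """Longest-prefix match; returns the route's target or None."""
    hits = [(net, tgt) for net, tgt in routes if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def asa_rpf_check(src, dst, ingress):
    """Model of 'ip verify reverse-path interface <ingress>'. Returns the
    syslog-style reason if the packet is dropped as a spoof, else None."""
    src_ip = ip_address(src)
    # A packet claiming the firewall's own interface address, or whose source
    # the ASA would route out a different interface, fails the check.
    if src == ASA_INSIDE_IP or lpm(ASA_ROUTES, src_ip) != ingress:
        return f"Deny IP spoof from ({src}) to {dst} on interface {ingress}"
    return None

def router_forwards_reply(router_routes):
    """Hand the ASA's SSH reply (12.12.7.36 -> 10.10.2.3) to the router.
    Returns the ASA's verdict if the router bounces it back to the ASA,
    or 'delivered' if the router has a LAN route for the destination."""
    next_hop = lpm(router_routes, ip_address("10.10.2.3"))
    if next_hop == ASA_INSIDE_IP:
        # Looped back onto the ASA inside interface: the thread's symptom.
        return asa_rpf_check(ASA_INSIDE_IP, "10.10.2.3", "inside")
    return "delivered"

# Before the fix: the router only has a default route pointing at the ASA.
ROUTER_BROKEN = [(ip_network("0.0.0.0/0"), ASA_INSIDE_IP)]
# After the fix: the router knows 10.10.2.0/24 lives on its LAN side.
ROUTER_FIXED = [(ip_network("10.10.2.0/24"), "lan"),
                (ip_network("0.0.0.0/0"), ASA_INSIDE_IP)]

if __name__ == "__main__":
    print("before:", router_forwards_reply(ROUTER_BROKEN))
    print("after: ", router_forwards_reply(ROUTER_FIXED))
```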

6 REPLIES
Community Member

Re: cisco asa 5520 how can I get rid of this spoofing

Seems you have...

ip verify reverse-path interface inside

Try removing it and test.

Cisco Employee

Re: cisco asa 5520 how can I get rid of this spoofing

Doesn't look like the source IP of this SSH connection lives/belongs behind the inside interface. Check "sh run route".

You can only ping, SSH, ASDM or telnet to the closest interface from your source.

You cannot reach the far side interface - this is by design.

-KS

Community Member

Re: cisco asa 5520 how can I get rid of this spoofing

The source of this SSH connection lives behind the inside interface.

sh run route
route inside 10.10.2.0 255.255.255.0 12.12.7.33

Community Member

Re: cisco asa 5520 how can I get rid of this spoofing

I found a routing loop along the path to the ssh source. Fixing that resolved the issue. Thanks!!

Cisco Employee

Re: cisco asa 5520 how can I get rid of this spoofing

Awesome! Yes, exactly what I thought. Thanks for rating.

-KS
