Pity the ASA log doesn't say why it failed anti-spoofing, just that it did and on what interface it came in on. How hard could it be for the log to say it failed because it was expecting it on interface A, but it came in on interface B!!!
If you are troubleshooting someone else's network, where you don't know where the subnet sits, it's not the easiest thing to do.
Sadly, again, the ASA doesn't allow you to do a show route x.x.x.x without specifying an interface. So all I did was check the route against the interface it came in on, and the route was a match. What I didn't know was that there was a more specific route on a different interface.
Should have been simple to spot? Well, the log only gives the host that fails (not the network, which is understandable), but if you do a sh route on an ASA and all the networks have been given names, you can't match it!
What should have been a simple troubleshooting exercise was made difficult by the ASA coding, in my opinion.
In short, the answer was asymmetric routing, as another interface had a more specific route.
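As an added example (not code from the original post), the following Python does the longest-prefix-match check by hand over constructed show route style lines, so the interface the ASA's best route to the failing source host points at can be compared with the ingress interface named in the anti-spoofing log; the route line format and the sample routing table are assumptions.

```python
import ipaddress
import re

# Constructed sample of ASA "show route" style lines (not from the post).
# Assumed format: "<code> <network> <mask> ... , <interface>".
SHOW_ROUTE = """\
C    10.1.0.0 255.255.0.0 is directly connected, inside
S    10.1.50.0 255.255.255.0 [1/0] via 192.168.9.1, dmz
S    0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""

# First pair of dotted quads is network + mask; interface is the last token.
ROUTE_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+).*,\s*(\S+)\s*$"
)


def parse_routes(text):
    """Return a list of (network, interface) from show-route style lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.search(line)
        if not m:
            continue  # headers, legends, blank lines
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        routes.append((net, m.group(3)))
    return routes


def expected_interface(routes, host):
    """Longest-prefix match: (network, interface) the ASA expects host on."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def check_spoof_log(routes, host, ingress):
    """Explain an anti-spoofing drop by comparing ingress with the best route."""
    best = expected_interface(routes, host)
    if best is None:
        return f"no route for {host}"
    net, iface = best
    if iface == ingress:
        return f"ok: {host} matches {net} on {ingress}"
    return f"mismatch: {host} arrived on {ingress}, best route {net} is on {iface}"


if __name__ == "__main__":
    table = parse_routes(SHOW_ROUTE)
    # The scenario from the post: the /16 is on inside, but a /24 lives on dmz.
    print(check_spoof_log(table, "10.1.50.7", "inside"))
```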