
New Member

Deny IP spoof event

Dear Team,

We are continuously receiving the following event on a Cisco PIX firewall: "Deny IP spoof from (0.0.0.0) to x.x.x.x on interface intfx".

Request you to reply to the following queries:

1. Whether the event specified can be classified as an attack?

2. Whether relevant IPS signatures are available for detecting such events in the IPS device?

3. Will these events get triggered without enabling the ip verify reverse-path command on the firewall?

Thanks & Regards,

Arun.L

2 REPLIES
Cisco Employee

Re: Deny IP spoof event

1. It could, since this is not a valid IP source.

2. There is 1104, but that is only for local-hosts. You can build your custom one as explained here: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_fwIDS.html

3. If you have the IPS signature catch these packets on the IPS then yes, the reverse path check will not be necessary on the ASA any more.

I hope it helps.

PK

Cisco Employee

Re: Deny IP spoof event

You may collect captures and see which MAC address is responsible for sending these packets and track it down and see what is wrong with it.

If it is on the inside you have good control over fixing the issue.

cap capin int inside match ip host 0.0.0.0 any

The match command will only work if you are running 7.2.4 and above on this PIX; otherwise please use an access-list to collect captures.

You can refer here: https://supportforums.cisco.com/docs/DOC-1222;jsessionid=A11197443F5D79D04565C4331EFA5806.node0

The above command will collect a capture file named capin for all packets sourced from and destined to IP address 0.0.0.0 on the inside interface.

sh cap capin detail

will give you the MAC address.

Then look at the arp table to see which device owns it and see if you can track it down.

-KS
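The tracking steps from the reply above (capture, read the source MAC, look it up in the ARP table), as an added example that is not part of the original thread. The text layouts assumed for the `sh cap capin detail` and ARP table output, the sample data, and the function names are all constructed for illustration.

```python
import re
from collections import Counter
# Constructed sample, layout assumed for "sh cap capin detail": header line with source and destination MAC, then the IP line.
CAPTURE = """\
   1: 09:14:02.118301 0011.2233.4455 ffff.ffff.ffff 0x0800 Length: 342
      0.0.0.0.68 > 255.255.255.255.67: udp 300
   2: 09:14:05.120877 0011.2233.4455 ffff.ffff.ffff 0x0800 Length: 342
      0.0.0.0.68 > 255.255.255.255.67: udp 300
   3: 09:14:09.501200 00aa.bbcc.ddee 0050.5600.0001 0x0800 Length: 60
      0.0.0.0 > 10.1.1.1: icmp: echo request
   4: 09:14:11.004512 0050.5600.0001 00aa.bbcc.ddee 0x0800 Length: 60
      10.1.1.1 > 0.0.0.0: icmp: echo reply
"""
# Constructed ARP table, assumed layout: interface, IP address, MAC, age.
ARP = """\
inside 10.1.1.23 0011.2233.4455 41
inside 10.1.1.1 0050.5600.0001 12
"""
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
HEADER = re.compile(rf"^\s*\d+:\s+\S+\s+(?P<src>{MAC})\s+(?P<dst>{MAC})\s", re.I)

def spoof_source_macs(capture_text, spoofed_ip="0.0.0.0"):
    """Count packets per source MAC whose IP source is spoofed_ip.
    The capture also matches packets sent *to* that address; those are skipped."""
    counts, pending = Counter(), None
    for line in capture_text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.group("src").lower()
            continue
        tokens = line.split()
        if pending and tokens:
            # First token of the IP line is the source, as "ip" or "ip.port".
            if tokens[0] == spoofed_ip or tokens[0].startswith(spoofed_ip + "."):
                counts[pending] += 1
            pending = None
    return counts

def arp_owners(arp_text):
    """Map MAC -> [(interface, ip)] from the ARP table text."""
    owners = {}
    for line in arp_text.splitlines():
        f = line.split()
        if len(f) >= 3 and re.fullmatch(MAC, f[2], re.I):
            owners.setdefault(f[2].lower(), []).append((f[0], f[1]))
    return owners

def report(capture_text, arp_text):
    # Busiest senders first; an empty owner list means no ARP entry for that MAC.
    owners = arp_owners(arp_text)
    return [(m, n, owners.get(m, [])) for m, n in spoof_source_macs(capture_text).most_common()]
```

A MAC that comes back with an empty owner list has no entry in the pasted ARP table, so it cannot be matched to an IP from this data alone.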
