
Deny IP spoof on interface inside

Sergey Drugov
Level 1

Hello,

I'm trying to attach a TACACS server (ACS Version 5.2) to a server group on an ASA 5520 (Version 8.4). When I test the connection in ASDM (Version 6.4) between the ASA and the ACS it fails. The log message on the ASA is:

%ASA-2-106016: Deny IP spoof from (10.8.27.126) to 10.8.48.10 on interface inside.

Packet-tracer from ASA is:

InternetASA# packet-tracer input inside tcp 10.8.27.126 4444 10.8.48.10 49

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.8.48.0       255.255.255.0   inside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

What access-list or implicit rule may be the reason for denying these packets?

2 Replies

Hi,

for this setup the interface ACLs are not relevant as they are only for through-traffic.

Probably your TACACS config is broken. What is your TACACS server address?

And provide some output:

- show run aaa-server

- show run route

- show interface ip brief

regards, Karsten


Hello Karsten,

1. TACACS server address is 10.8.48.10

2. show run aaa-server:

aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.8.48.10
key *****

3. show run route

InternetASA# sh run route
route outside 0.0.0.0 0.0.0.0 83.220.35.113 1

InternetASA# sh route | i 10.8.48.
D    10.8.48.0 255.255.255.0 [90/3072] via 10.8.27.1, 521:52:24, inside
InternetASA#

4. show interface ip brief

InternetASA# sh int ip brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  up                    up
GigabitEthernet0/0.127     10.8.27.126     YES CONFIG up                    up
GigabitEthernet0/2         10.10.27.129    YES unset  up                    up
GigabitEthernet0/3         83.220.35.125   YES CONFIG up                    up
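The 106016 line in the original post names a source address (10.8.27.126) that, according to the `show interface ip brief` output above, is the ASA's own GigabitEthernet0/0.127 address. When triaging "Deny IP spoof" messages it helps to separate exactly that case (a packet that claims one of the firewall's own addresses as its source, as happens when testing from the ASA itself) from packets sourced from addresses the ASA does not own. The script below is an added example for this thread, not code from the original post or from Cisco: it parses %ASA-2-106016 messages (format: `Deny IP spoof from (src) to dst on interface name`), builds the set of addresses the ASA owns from the posted interface table, and classifies each deny. The syslog sample is constructed; the first line is the one from the thread, the others are made-up filler.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample syslog: line 1 is the message from the thread; the
# remaining lines are invented filler (a repeat, a deny from a foreign
# source, and one unrelated message that must be ignored).
SAMPLE_SYSLOG = """\
%ASA-2-106016: Deny IP spoof from (10.8.27.126) to 10.8.48.10 on interface inside.
%ASA-2-106016: Deny IP spoof from (10.8.27.126) to 10.8.48.10 on interface inside.
%ASA-2-106016: Deny IP spoof from (192.168.77.5) to 10.8.48.10 on interface inside.
%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.7/443 (203.0.113.7/443) to inside:10.8.27.50/51000 (83.220.35.125/51000)
"""

# "show interface ip brief" as posted in the thread.
SAMPLE_INT_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  up                    up
GigabitEthernet0/0.127     10.8.27.126     YES CONFIG up                    up
GigabitEthernet0/2         10.10.27.129    YES unset  up                    up
GigabitEthernet0/3         83.220.35.125   YES CONFIG up                    up
"""

# Message 106016: "Deny IP spoof from (src) to dst on interface name."
# The severity digit is not fixed in the pattern, and search() tolerates a
# timestamp or hostname prefix in front of the %ASA tag.
SPOOF_RE = re.compile(
    r"%ASA-\d-106016: Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) "
    r"on interface (?P<ifname>\S+?)\.?$"
)

# Interface table rows that carry a real address ("unassigned" rows are skipped).
INT_BRIEF_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+")


@dataclass
class SpoofDeny:
    src: str
    dst: str
    ifname: str     # nameif reported by the ASA, e.g. "inside"
    verdict: str    # "self-sourced" or "external"
    owner: str      # physical interface owning src, empty for external


def parse_interface_ips(int_brief: str) -> Dict[str, str]:
    """Map every address the ASA owns to the interface that carries it."""
    owned: Dict[str, str] = {}
    for line in int_brief.splitlines():
        m = INT_BRIEF_RE.match(line)
        if m:
            owned[m.group("ip")] = m.group("name")
    return owned


def classify_spoof_denies(syslog: str, int_brief: str) -> List[SpoofDeny]:
    """Extract 106016 messages and flag those whose source is an ASA address."""
    owned = parse_interface_ips(int_brief)
    results: List[SpoofDeny] = []
    for line in syslog.splitlines():
        m = SPOOF_RE.search(line)
        if not m:
            continue  # not a 106016 message
        src = m.group("src")
        owner = owned.get(src, "")
        verdict = "self-sourced" if owner else "external"
        results.append(SpoofDeny(src, m.group("dst"), m.group("ifname"), verdict, owner))
    return results


def summarize(denies: List[SpoofDeny]) -> Dict[tuple, int]:
    """Count denies per (verdict, source, interface) for a quick triage view."""
    counts: Dict[tuple, int] = {}
    for d in denies:
        key = (d.verdict, d.src, d.ifname)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    denies = classify_spoof_denies(SAMPLE_SYSLOG, SAMPLE_INT_BRIEF)
    for (verdict, src, ifname), n in summarize(denies).items():
        print(f"{n:>4}  {verdict:13} src={src:15} interface={ifname}")
```

A "self-sourced" hit means the firewall saw its own address arrive as a packet source on that interface, which is the situation in this thread; "external" hits are the ones to chase as possible spoofing from hosts behind the interface.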
