Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Deny IP Spoof on two internal addresses

I am running into an issue that I cant figure out. I have a ASA that is connected to my internet connection. Connected to the ASA I have 192.168.2.0/24 as my normal home network. I attached a 881W to one of the ASA ports with the network of 192.168.3.0/24. I have been unable to get communications to the Internet on the 192.168.3 network. I brought up packet tracer and the log viewer and started to see these

%ASA-2-106016: Deny IP spoof from (192.168.2.1) to 192.168.3.10 on interface inside

Any help with my problem would be greatly appreciated. Here is my ASA config. I have edited out any sensitive data.

ASA Version 9.0(1)

!

hostname ciscoasa

enable password .ITHiMtVZPEIt5Ee encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd  encrypted

names

ip local pool VPN 192.168.2.45-192.168.2.50 mask 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport monitor Ethernet0/0

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

boot system disk0:/asa901-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object service Bittorrent

service udp destination eq 51413

description bittorrent traffic

object network Transmission

host 192.168.2.8

description NAS4Free server

object network IPCameras

range 192.168.2.30 192.168.2.33

description IP Cameras

object network CiscoLab

subnet 192.168.10.0 255.255.255.0

description Network Lab

object network Switches

range 192.168.2.253 192.168.2.254

description Network Switches

object network ESXi

host 192.168.2.6

description ESXI server

object network Windows2k8

host 192.168.2.11

description Windows 2008 running Plixer software

object service NetFlow-2055

service udp destination eq 2055

object service NetFlow-555

service udp destination eq 555

object service NetFlow-9995

service udp destination eq 9995

object service NetFlow-9996

service udp destination eq 9996

object network CIF

host 192.168.2.13

description Collective Intelligence Framework

object network SiLK

host 192.168.2.3

description SiLK flow collector

object network laelapssecurity.com

host 50.87.102.183

description Just Host hosting site.

object service MySQL

service tcp destination eq 3306

description MySQL

object service NCListener

service tcp destination eq 4444

object network laelapsNetwork

subnet 192.168.3.0 255.255.255.0

description Laelaps Network connected to Cisco 881w

object-group service Torrent udp

description Bittorrent traffic

port-object eq 51413

object-group network APT

description APT IP addreses

network-object host 96.44.136.115

network-object host 119.91.241.30

network-object host 66.153.86.14

network-object host 218.210.49.203

object-group service NetFlow

description NetFlow

service-object object NetFlow-2055

service-object object NetFlow-555

service-object object NetFlow-9995

service-object object NetFlow-9996

object-group service minidlna tcp

description Minidlna streaming port

port-object eq 8200

object-group service Alternate_HTTPS tcp

description alternate https port for CIF comms

port-object eq 8443

object-group network BlockIPs

description IPs to block from Alienvault alerts

network-object host 114.247.134.7

network-object host 89.19.240.79

network-object host 1.232.34.242

network-object host 220.60.110.25

access-list outside_access_in extended deny ip object-group BlockIPs any

access-list outside_access_in remark Blocking APT actors

access-list outside_access_in extended deny tcp object-group APT any eq ssh

access-list outside_access_in remark Bittorrent traffic

access-list outside_access_in extended permit object Bittorrent any object Transmission

access-list outside_access_in remark ICMP to Transmission

access-list outside_access_in extended permit icmp any4 object Transmission

access-list outside_access_in extended permit object MySQL object laelapssecurity.com object SiLK

access-list outside_access_in extended permit tcp any object CIF eq ssh

access-list outside_access_in remark Communications to CIF from external

access-list outside_access_in extended permit tcp any object CIF eq 8443

access-list outside_access_in extended permit object NCListener any object CIF

access-list outside_access_in extended permit tcp any object Transmission eq 8200 inactive

access-list outside_access_in extended deny ip any any

access-list inside_access_in extended deny ip any object-group APT

access-list inside_access_in extended permit icmp 192.168.2.0 255.255.255.0 object laelapsNetwork inactive

access-list inside_access_in extended permit icmp object laelapsNetwork 192.168.2.0 255.255.255.0 inactive

access-list inside_access_in extended permit ip object laelapsNetwork any

access-list inside_access_in extended permit ip any any

access-list inside_access_in_1 extended permit ip any4 any4

access-list Local_Lan_Access remark Local Lan access

access-list Local_Lan_Access standard permit any4

access-list global_access extended permit icmp 192.168.2.0 255.255.255.0 object laelapsNetwork inactive

access-list global_access extended permit icmp object laelapsNetwork 192.168.2.0 255.255.255.0 inactive

pager lines 24

logging enable

logging timestamp

logging trap debugging

logging asdm debugging

logging from-address cisco@laelapssecurity.com

logging recipient-address don@laelapssecurity.com level errors

logging facility 23

logging host inside 192.168.2.5

logging host inside 192.168.2.15

flow-export destination inside 192.168.2.15 555

flow-export destination inside 192.168.2.5 555

flow-export template timeout-rate 1

mtu inside 1500

mtu outside 1500

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-712.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network obj_any

nat (inside,outside) dynamic interface

object network Transmission

nat (inside,outside) static interface service udp 51413 51413

object network CIF

nat (any,outside) static interface

object network SiLK

nat (any,outside) static interface

access-group inside_access_in_1 in interface inside control-plane

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group global_access global

!

router ospf 20

network 192.168.2.0 255.255.255.0 area 10

area 10 range 192.168.2.0 255.255.255.0

log-adj-changes

!

router eigrp 10

no auto-summary

eigrp router-id 192.168.2.1

network 192.168.2.0 255.255.255.0

passive-interface outside

!

router rip

network 192.168.2.0

passive-interface outside

version 2

no auto-summary

!

route inside 192.168.3.0 255.255.255.0 192.168.2.50 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record test

network-acl inside_access_in_1

webvpn

  url-list value Home

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.2.0 255.255.255.0 inside

http authentication-certificate outside

snmp-server host inside

snmp-server host inside

snmp-server location

snmp-server contact

snmp-server community

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ciscoasa

keypair laelaps

crl configure

crypto ca trustpool policy

crypto ca certificate chain ASDM_TrustPoint0

certificate 1e839a51

    308201cf 30820138 a0030201 0202041e 839a5130 0d06092a 864886f7 0d010105

    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648

    86f70d01 09021608 63697363 6f617361 301e170d 31333035 32323131 34333439

    5a170d32 33303532 30313134 3334395a 302c3111 300f0603 55040313 08636973

    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081

    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 8181008b f6c89634

    6487d8c9 e5aea221 eeffd3da 11575d7a 2075abd1 7f6aa914 0c59a564 ed7e7791

    7f2b1631 6314a475 b2e8f5d7 c4bac460 e41c724d 6653f513 9b6e6584 a079e37d

    e87dde2a 39d20317 96cb5455 c275ef53 8e576276 5cc4b395 f0ce6e0a cf4f3c64

    8f7f0aca 663d8e64 4c127308 7c7a5f98 0a3da425 da223824 881fcb02 03010001

    300d0609 2a864886 f70d0101 05050003 81810006 d6757674 3dbfce09 9c0eb595

    57363440 ba8e3c4b 37d8c7b9 1960e743 e2447162 5e7df9bc b5d2ab57 95b8582f

    0c87263d 1c9bdaf3 c6ad0d0d 8140b3ed c7a7c3a5 1060d18b 389c8452 f6e74099

    0cd89a36 d730d377 653a47de e2c62279 e3debabb 0e87eb27 e6cb3107 e66e7bde

    462e7fd3 17b444e0 ad89997e f9a069d3 5eddfd

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

telnet 192.168.2.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.2.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

console timeout 0

management-access inside

dhcpd dns 192.168.2.9 8.8.8.8

dhcpd domain laelaps.local

dhcpd auto_config outside vpnclient-wins-override

!

dhcpd address 192.168.2.16-192.168.2.29 inside

dhcpd dns 192.168.2.9 8.8.8.8 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 129.6.15.28 source outside

ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1

ssl trust-point ASDM_TrustPoint0 outside

ssl trust-point ASDM_TrustPoint0 inside

webvpn

enable inside

enable outside

csd image disk0:/csd_3.6.6249-k9.pkg

anyconnect profiles New_laelaps_client_profile disk0:/New_laelaps_client_profile.xml

anyconnect profiles laelaps disk0:/laelaps.xml

anyconnect enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

dns-server value 192.168.2.9

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless

group-policy GroupPolicy_New_laelaps internal

group-policy GroupPolicy_New_laelaps attributes

wins-server none

dns-server value 192.168.2.9

vpn-tunnel-protocol ikev2 ssl-client

default-domain value laelaps.local

webvpn

  anyconnect profiles value New_laelaps_client_profile type user

group-policy laelaps_anyconnect internal

group-policy laelaps_anyconnect attributes

banner value Unauthorized Access prohibited

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec

group-lock value laelaps_Home

split-tunnel-network-list value Local_Lan_Access

address-pools value VPN

webvpn

  anyconnect profiles value laelaps type user

group-policy laelapsPolicy internal

group-policy laelapsPolicy attributes

wins-server none

dns-server value 192.168.2.9

vpn-tunnel-protocol ikev2 ssl-client ssl-clientless

default-domain value laelaps.local

webvpn

  url-list value Home

  anyconnect profiles value laelaps type user

group-policy clientless-vpn internal

group-policy clientless-vpn attributes

vpn-tunnel-protocol ssl-clientless

webvpn

  url-list value Home

username password  encrypted privilege 15

username attributes

vpn-group-policy laelapsPolicy

username password encrypted privilege 0

username attributes

vpn-group-policy laelapsPolicy

tunnel-group DefaultWEBVPNGroup webvpn-attributes

group-alias Default enable

tunnel-group New_laelaps type remote-access

tunnel-group New_laelaps general-attributes

address-pool VPN

default-group-policy GroupPolicy_New_laelaps

tunnel-group New_laelaps webvpn-attributes

group-alias New_laelaps enable

tunnel-group laelaps_Home type remote-access

tunnel-group laelaps_Home general-attributes

address-pool VPN

default-group-policy laelapsPolicy

tunnel-group laelaps_Home webvpn-attributes

group-alias Laelaps enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect http

  inspect icmp

class class-default

  flow-export event-type all destination 192.168.2.5 192.168.2.15

!

service-policy global_policy global

smtp-server 192.168.2.9

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:2f888d9d4c342e7bbcb669f0c35ae815

: end

Everyone's tags (1)
6 REPLIES
Super Bronze

Deny IP Spoof on two internal addresses

Hi,

Is there any specific reason why you have configured 3 different routing protocols on the ASA? And you also have a Static route for the network.

You seem to have the Unicast RPF on the "outside" interface but this shouldnt generate the log message I guess?

What seems strange in the message is though that it mentions your ASA interface as the source.

Are you sure you have not misconfigured the actual router with wrong IP address (192.168.2.1) or something?

What does the ASA routing table say with "show route"?

- Jouni

New Member

Re: Deny IP Spoof on two internal addresses

I was trying to figure out the issue with the routing protocols. I read somewhere that the static route would fix the issue but it didnt. I didnt even realize that OSPF was running. I though I had disabled it.

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is 24.99.108.1 to network 0.0.0.0

C    24.99.108.0 255.255.255.0 is directly connected, outside

C    192.168.2.0 255.255.255.0 is directly connected, inside

S    192.168.3.0 255.255.255.0 [1/0] via 192.168.2.50, inside

d*   0.0.0.0 0.0.0.0 [1/0] via 24.99.108.1, outside

Super Bronze

Deny IP Spoof on two internal addresses

Hi,

Well the routing table in its current form would seem pretty clear.

Whats the configurations on the router?

- Jouni

New Member

Deny IP Spoof on two internal addresses

Current configuration : 7226 bytes

!

! Last configuration change at 18:46:42 UTC Wed Aug 14 2013 by admin

version 15.3

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname laelaps

!

boot-start-marker

boot-end-marker

!

!

no logging console

!

no aaa new-model

memory-size iomem 10

service-module wlan-ap 0 bootimage autonomous

!

crypto pki trustpoint TP-self-signed-682565691

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-682565691

revocation-check none

rsakeypair TP-self-signed-682565691

!

crypto pki trustpoint test_trustpoint_config_created_for_sdm

subject-name e=sdmtest@sdmtest.com

revocation-check crl

!

!

crypto pki certificate chain TP-self-signed-682565691

certificate self-signed 01

  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 36383235 36353639 31301E17 0D313330 38313431 32343932

  315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3638 32353635

  36393130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100

  C6AF8D9F D93218BC B9CEE383 AF833DD4 4DCFF83A 78206322 0EA925D4 EDE70F42

  83BE4BF1 4808E97D 4512FDD8 BA58995B 76691930 7165083E DD45F240 0C046346

  6DE4F3F9 99EF43F6 57B36A36 56B8EAEC 6939B60D 3E67CCFD BA0B9BA9 EADBD607

  D93F375B AB6D7BA8 B0B0086B 5CF20D69 C2CAD17F C702AC10 C8951A8A 3C052F9B

  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D

  23041830 16801408 9023A634 03C54CE0 5CFB7C6A 78ED6E77 E1D18E30 1D060355

  1D0E0416 04140890 23A63403 C54CE05C FB7C6A78 ED6E77E1 D18E300D 06092A86

  4886F70D 01010505 00038181 00305E3E 6E55F42E A8E7AA7E 3C8DA980 D6C8AAF5

  742BFE74 1A81230B 2A3B9130 9981E673 5D229964 EBD04642 AE9632C2 7589F67F

  6C307F43 0C22247A DD1A7885 17B59A2D 19A4AF5E 9E5A2AB6 C35F324A 16732CCE

  1C768650 47B80730 AAA98B6C 85A554AF 256C4055 6789FB38 AC26BBC3 F5E74B27

  EFDD639B 6A7D7536 C9D4B58A 9D

            quit

crypto pki certificate chain test_trustpoint_config_created_for_sdm

!

!

!

!

!

ip dhcp excluded-address 192.168.3.1 192.168.3.9

ip dhcp excluded-address 192.168.3.21 192.168.3.254

!

ip dhcp pool laelaps

import all

network 192.168.3.0 255.255.255.0

default-router 192.168.3.1

dns-server 192.168.2.9 192.168.2.2

!

!

!

ip domain name laelaps2.local

ip name-server 192.168.2.9

ip name-server 192.168.2.2

ip ips config location flash: retries 1

ip ips notify SDEE

ip ips name sdm_ips_rule

!

ip ips signature-category

  category all

   retired true

  category ios_ips advanced

   retired false

!

ip cef

no ipv6 cef

ipv6 multicast rpf use-bgp

!

!        

multilink bundle-name authenticated

license udi pid CISCO881W-GN-A-K9 sn FTX1622847J

license boot module c880-data level advipservices

!

!

username admin privilege 15 password 7 0454190301151B4524

username dmccoy privilege 15 secret 4 CcTvzNzf8Sbm0xGL4d9GIyCNwEiqZodEO78LO3uzMOg

!

!

!

!

crypto key pubkey-chain rsa

named-key realm-cisco.pub

  key-string

   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101

   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16

   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128

   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E

   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35

   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85

   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36

   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE

   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3

   F3020301 0001

  quit

!

!

!

class-map type inspect match-all ccp-cls--1

match access-group name Allow_All_Out

class-map type inspect match-all ccp-cls--3

match access-group name All

class-map type inspect match-all ccp-cls--2

match access-group name All_ALL_IN

class-map type inspect match-all ccp-cls--4

match access-group name All_Self_Inside

!

policy-map type inspect ccp-policy-ccp-cls--4

class type inspect ccp-cls--4

  pass log

class class-default

  drop

policy-map type inspect ccp-policy-ccp-cls--1

class type inspect ccp-cls--1

  pass log

class class-default

  drop

policy-map type inspect ccp-policy-ccp-cls--2

class type inspect ccp-cls--2

  inspect

class class-default

  drop

policy-map type inspect ccp-policy-ccp-cls--3

class type inspect ccp-cls--3

  pass log

class class-default

  drop

!

zone security Outside

zone security Inside

zone-pair security sdm-zp-Inside-Outside source Inside destination Outside

service-policy type inspect ccp-policy-ccp-cls--1

zone-pair security sdm-zp-Outside-Inside source Outside destination Inside

service-policy type inspect ccp-policy-ccp-cls--2

zone-pair security sdm-zp-self-Outside source self destination Outside

service-policy type inspect ccp-policy-ccp-cls--3

zone-pair security sdm-zp-self-Inside source self destination Inside

service-policy type inspect ccp-policy-ccp-cls--4

csdb tcp synwait-time 30

csdb tcp idle-time 3600

csdb tcp finwait-time 5

csdb tcp reassembly max-memory 1024

csdb tcp reassembly max-queue-length 16

csdb udp idle-time 30

csdb icmp idle-time 10

csdb session max-session 65535

!

!

!

!

!

!

!

!

!

interface FastEthernet0

switchport mode trunk

no ip address

!        

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

description $ETH-WAN$

ip address 192.168.2.50 255.255.255.0

ip ips sdm_ips_rule in

ip virtual-reassembly in

zone-member security Outside

duplex auto

speed auto

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered Vlan1

arp timeout 0

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

no ip address

!

interface Vlan1

ip address 192.168.3.1 255.255.255.0

ip ips sdm_ips_rule out

ip virtual-reassembly in

zone-member security Inside

!

!

router eigrp 10

network 192.168.2.0

network 192.168.3.0

passive-interface Wlan-GigabitEthernet0

passive-interface wlan-ap0

!

ip default-gateway 192.168.2.1

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

!

ip route 0.0.0.0 0.0.0.0 192.168.2.1

ip route 192.168.2.0 255.255.255.0 192.168.2.1

!

ip access-list extended All

remark CCP_ACL Category=128

permit ip any any

ip access-list extended All_ALL_IN

remark CCP_ACL Category=128

permit ip any any

ip access-list extended All_Self_Inside

remark CCP_ACL Category=128

permit ip any any

ip access-list extended Allow_All_Out

remark CCP_ACL Category=128

permit ip any any

!

logging host 192.168.2.5

!

access-list 10 remark NAT ACL

access-list 10 remark CCP_ACL Category=2

access-list 10 remark Internal Network

access-list 10 permit 192.168.3.0 0.0.0.255 log

!

control-plane

!

!

!

line con 0

login local

no modem enable

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

line vty 0 4

login local

transport input telnet ssh

!

!

end

New Member

Deny IP Spoof on two internal addresses

I figured out one piece. When I switched from wireless to a wired port I was able to communicate with any address on the 192.168.2.0 network. Is there something that the WLAN is doing to the packet that would cause it to appear as an spoofed address?

Super Bronze

Deny IP Spoof on two internal addresses

Hi,

What is this route on the Router?

ip route 192.168.2.0 255.255.255.0 192.168.2.1

It doesnt make sense to have a route for connected network pointing to some IP address that belongs to that network.

You should not need this route. Only the default route pointing traffic to the ASA.

- Jouni

3443
Views
0
Helpful
6
Replies
CreatePlease login to create content