Deny IP Spoofing - ASA

jag_lin84
Level 1

Hi all,

Currently I am running a Cisco ASA v8.0 IOS w/ UR license.

I have a web server running behind the ASA (In the DMZ network) and an inside network (with access to the internet).

I do run a host-monitoring software which polls the corporate website of my company.

However, recently I noticed that the PCs within the inside network are not able to access the corporate website.

Upon checking the logs, this is what I get:

Deny IP spoof from (203.X.X.X) to 58.X.X.X on interface outside

The 203.X.X.X is my legitimate WAN address for those in the inside network, whereas 58.X.X.X would refer to the WAN IP for the corp web.

This is preventing me from monitoring the status of my corp web.

Other users with other IPs are able to view my website with no issues. Is there any way I can stop the ASA from denying the legitimate IP?

It worked fine previously but it started having problems ever since I tried to implement a web application firewall.

I have since removed the web app firewall and rolled back to the previous network configuration, but I have been having this problem ever since then.

Your help is very much appreciated!

Thanks!

2 Replies

It seems the packets from the subnet 203.X.X.X are not coming to the correct interface on the ASA.

The route for the subnet 203.X.X.X on the ASA is on some other interface.

Use this command in your configuration:

"ip verify reverse-path interface outside"

This command helps to prevent IP spoofing attacks arising from the outside interface.
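To make the reply's reasoning concrete, here is an added, simplified model (not the poster's or Cisco's code) of the reverse-path check that "ip verify reverse-path" enables: the route back to the packet's source must point at the interface the packet arrived on, otherwise the ASA emits the "Deny IP spoof" message from the thread. The routing table and log lines are constructed; RFC 5737 documentation prefixes (203.0.113.0/24, 198.51.100.0/24) stand in for the masked 203.X.X.X and 58.X.X.X addresses, and the interface names are assumptions.

```python
import ipaddress
import re

# Constructed routing table for the scenario in the thread: the 203.x block is
# known via "inside", the web server's public block via "dmz", and everything
# else via the default route on "outside". Interface names are assumptions.
ROUTES = [
    ("203.0.113.0/24", "inside"),
    ("198.51.100.0/24", "dmz"),
    ("0.0.0.0/0", "outside"),
]

def egress_interface(addr: str) -> str:
    """Longest-prefix-match lookup: which interface would the ASA use to reach addr?"""
    ip = ipaddress.ip_address(addr)
    best = max(
        (ipaddress.ip_network(net) for net, _ in ROUTES),
        key=lambda n: n.prefixlen if ip in n else -1,
    )
    return dict(ROUTES)[str(best)]

def reverse_path_check(src: str, dst: str, ingress: str) -> str:
    """Simplified unicast RPF as enabled by 'ip verify reverse-path interface <if>'.
    The packet passes only if the route back to its source points at the
    interface it arrived on; otherwise the ASA logs a spoof denial."""
    if egress_interface(src) == ingress:
        return "permit"
    return f"Deny IP spoof from ({src}) to {dst} on interface {ingress}"

# Pattern for the syslog text quoted in the question (ASA "Deny IP spoof" message).
LOG_RE = re.compile(
    r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)

def parse_spoof_denials(lines):
    """Pull (src, dst, iface) out of ASA spoof-denial log lines so a defender can
    spot a legitimate prefix repeatedly arriving on the wrong interface."""
    return [m.groupdict() for m in map(LOG_RE.search, lines) if m]

# Constructed sample log lines mirroring the thread's symptom.
SAMPLE_LOG = [
    "Deny IP spoof from (203.0.113.10) to 198.51.100.5 on interface outside",
    "Built outbound TCP connection for inside:10.1.1.5",
    "Deny IP spoof from (203.0.113.11) to 198.51.100.5 on interface outside",
]

if __name__ == "__main__":
    print(reverse_path_check("203.0.113.10", "198.51.100.5", "outside"))
    print(parse_spoof_denials(SAMPLE_LOG))
```

The first call reproduces the thread's log line because the 203.x route points at "inside" while the packet entered on "outside"; the same source address arriving on "inside" is permitted.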
