Cisco Support Community
New Member

Deny IP Spoofing - ASA

Hi all,

Currently I am running a Cisco ASA v8.0 IOS w/ UR license.

I have a web server running behind the ASA (In the DMZ network) and an inside network (with access to the internet).

I do run a host-monitoring software which polls the corporate website on my company.

However recently, I noticed that the PCs within the inside network are not able to access the corporate website.

Upon checking up the logs, this is what I get:

Deny IP spoof from (203.X.X.X) to 58.X.X.X on interface outside

The 203.X.X.X is my legitimate WAN address for those in the inside network, whereas 58.X.X.X would refer to the WAN IP for the corp web.

This is affecting me from monitoring the status of my corp web.

Other users with other IPs are able to view my website with no issues. Is there any way I can stop the ASA from denying the legitimate IP?

It worked fine previously but it started having problems ever since I tried to implement a web application firewall.

I have since removed the web app firewall and rolled back to the previous network configuration, but started having this problem ever since then.

Your help is very much appreciated!



Re: Deny IP Spoofing - ASA

It seems the packets from the subnet 203.X.X.X are not coming to the correct interface on the ASA.

The route for the subnet 203.X.X.X on the ASA is on some other interface.

New Member

Re: Deny IP Spoofing - ASA

Use this command in your configuration...

"ip verify reverse-path interface outside"

This command helps to prevent IP spoofing attacks arising from the outside interface.
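
The strict reverse-path check that the command in the last reply turns on, and the interface mismatch the first reply describes, sketched in Python as an added example (not part of the thread and not Cisco's code). The routing table, interface names and documentation-range addresses are constructed assumptions standing in for the masked addresses above.

```python
import ipaddress

# Constructed routing table: (prefix, interface the route points out of).
ROUTES = [
    ("0.0.0.0/0", "outside"),        # default route
    ("192.168.10.0/24", "inside"),   # hypothetical inside LAN
    ("192.0.2.0/28", "dmz"),         # hypothetical DMZ holding the web server
    ("203.0.113.8/29", "inside"),    # hypothetical route pointing away from outside
]

def best_route(addr, routes=ROUTES):
    """Longest-prefix match. Returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best

def rpf_check(src, ingress_if, routes=ROUTES):
    """Strict unicast RPF: the route back to the source address must point
    out of the same interface the packet arrived on."""
    route = best_route(src, routes)
    if route is None:
        return False, "no route to source"
    net, ifname = route
    if ifname != ingress_if:
        return False, f"route to {net} is via {ifname}, packet arrived on {ingress_if}"
    return True, f"route to {net} is via {ingress_if}"

if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on).
    samples = [
        ("198.51.100.7", "outside"),   # Internet host, covered by the default route
        ("192.168.10.20", "outside"),  # inside address showing up on outside
        ("203.0.113.10", "outside"),   # source whose route is on another interface
        ("192.168.10.20", "inside"),   # inside host on its own interface
    ]
    for src, iface in samples:
        ok, why = rpf_check(src, iface)
        print(f"{'permit' if ok else 'deny  '} src={src:<15} in={iface:<8} {why}")
```
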