
IP Spoof Attack in CISCO ASA

Hi Dudes,

I am getting an IP spoof attack in my Cisco ASA firewall. Though it's denying it, I want to dig more into this. Can anyone help me?

Is there any way to discard these logs?

Note: I have already enabled the IP reverse path command to protect.

Please refer to the logs:

Deny IP Spoof from (10.111.10.1) to (10.99.100.1) on interface inside

10.111.10.1 - FW LAN face ip

10.99.100.1 - Syslog server IP

Thanks,

limat


praprama
Cisco Employee

Hi,

Is the IP address 10.111.10.1 the IP address of the "inside" interface of the ASA? The ASA is receiving a packet on the inside interface with a source IP which is its own, and the destination IP is that of the syslog server 10.99.100.1. Could you paste the output of "show route" and "show int ip brief" from the ASA?

Is the ASA sending syslogs to 10.99.100.1? If so, is it connected to the "inside" interface of the ASA? If so, it seems like there is some kind of a routing loop in the network! The device directly connected to the ASA on the "inside" interface is sending this packet back to the ASA for some reason. Please have a look at the device connected to the ASA on the inside interface.

Hope this helps!!

Thanks and Regards,

Prapanch

Hi Prapanch,

Thanks for your reply,

Yes, you are correct. The IP address 10.111.10.1 is my ASA inside interface.

But the syslog server is not directly connected to my ASA. It's located in Mumbai.

All my devices are synced with the syslog server.

Please advise.

Thanks,

limat

Which is the log number? Did you upgrade to version 8.3?

Hi,

I am getting the message ID 106016.

Currently I have the below versions:

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Please advise.

Hey,

Well, as I said previously, my guess is that the device directly connected to the ASA on the "inside" interface is sending this packet back to the ASA for some reason. Please apply captures on the ASA from the ASA to the syslog server and vice versa on the inside interface, as I had said.

https://supportforums.cisco.com/docs/DOC-1222

What is the device that is directly connected to the ASA on the inside interface, that is, in between the ASA and the syslog server? Can you get the routing table of that device and paste it here?

Regards,

Prapanch

Hello,

Is the syslog server connected through a VPN tunnel? If it is, most likely the next hop device is sending the packets back at the firewall (default gateway points to firewall) without encrypting the data. Common reasons would be a break in the tunnel or other routing issues. Please check to see if the VPN tunnel/Routing is working as expected when you see these messages.

Hope this helps.

Regards,

NT
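
Added example, not part of any post in this thread: a small triage script for the 106016 lines discussed above, which separates denials whose source is one of the firewall's own interface addresses and whose destination is a syslog server (the returned-packet case the replies describe) from other spoof denials. The function name, the `own_ips` and `syslog_servers` inputs, the verdict labels and the sample lines are assumptions made for illustration; the regex follows the log line as quoted in the first post.

```python
import re
from collections import Counter

# Body of ASA message 106016 in the form quoted in the thread; the
# parentheses around the destination address are treated as optional.
SPOOF_RE = re.compile(
    r"Deny IP [Ss]poof from \((?P<src>[\d.]+)\) to \(?(?P<dst>[\d.]+)\)? "
    r"on interface (?P<ifc>[\w-]+)"
)

def triage(lines, own_ips, syslog_servers):
    """Group spoof denials by (src, dst, interface) and label each group."""
    counts = Counter()
    for line in lines:
        m = SPOOF_RE.search(line)
        if m:
            counts[(m["src"], m["dst"], m["ifc"])] += 1
    report = []
    for (src, dst, ifc), n in sorted(counts.items()):
        if src in own_ips and dst in syslog_servers:
            # The firewall's own syslog packet arrived back on an interface:
            # points at routing on the next hop, as the replies suggest.
            verdict = "own-syslog-returned"
        elif src in own_ips:
            verdict = "own-address-returned"
        else:
            verdict = "other-source"
        report.append((src, dst, ifc, n, verdict))
    return report

# Constructed sample input: the first two lines use the addresses from the
# thread, the third uses made-up documentation addresses.
SAMPLE = [
    "Deny IP Spoof from (10.111.10.1) to (10.99.100.1) on interface inside",
    "Deny IP Spoof from (10.111.10.1) to (10.99.100.1) on interface inside",
    "Deny IP Spoof from (192.0.2.7) to (198.51.100.9) on interface outside",
    "Built outbound TCP connection (unrelated line, ignored)",
]

if __name__ == "__main__":
    for row in triage(SAMPLE, own_ips={"10.111.10.1"},
                      syslog_servers={"10.99.100.1"}):
        print(row)
```

A high count in the `own-syslog-returned` group is the cue to look at the routing table of the device behind that interface rather than to hunt for an external spoofer.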
