09-08-2010 12:23 AM - edited 03-11-2019 11:36 AM
Hi Dudes,
I am getting an IP spoof attack on my Cisco ASA firewall. Though it's denying it, I want to dig more into this. Can anyone help me?
Is there any way to discard these logs?
Note: I have already enabled the IP reverse path command to protect.
Please refer to the logs:
Deny IP Spoof from (10.111.10.1) to (10.99.100.1) on interface inside
10.111.10.1 - FW LAN face ip
10.99.100.1 - Syslog server IP
Thanks,
limat
09-08-2010 12:32 AM
Hi,
Is the IP address 10.111.10.1 the IP address of the "inside" interface of the ASA? The ASA is receiving a packet on the inside interface with a source IP which is its own, and the destination IP is that of the syslog server 10.99.100.1. Could you paste the output of "show route" and "show int ip brief" from the ASA?
Is the ASA sending syslogs to 10.99.100.1? If so, is it connected to the "inside" interface of the ASA? If so, it seems like there is some kind of a routing loop in the network! The device directly connected to the ASA on the "inside" interface is sending this packet back to the ASA for some reason. Please have a look at the device connected to the ASA on the inside interface.
Hope this helps!!
Thanks and Regards,
Prapanch
09-09-2010 02:34 AM
Hi Prapanch,
Thanks for your reply.
Yes, you are correct. The IP address 10.111.10.1 is my ASA inside interface.
But the syslog server is not directly connected to my ASA. It's located in Mumbai.
All my devices are synced with the syslog server.
Please advise.
Thanks,
limat
09-08-2010 01:58 PM
Which is the log number? Did you upgrade to version 8.3?
09-09-2010 02:40 AM
Hi,
I am getting the message ID 106016.
Currently I have the below versions:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Please advise.
09-09-2010 06:56 AM
Hey,
Well, as I said previously, my guess is that the device directly connected to the ASA on the "inside" interface is sending this packet back to the ASA for some reason. Please apply captures on the ASA from the ASA to the syslog server and vice versa on the inside interface, as I had said.
https://supportforums.cisco.com/docs/DOC-1222
What is the device that is directly connected to the ASA on the inside interface, that is, in between the ASA and the syslog server? Can you get the routing table of that device and paste it here?
Regards,
Prapanch
09-09-2010 07:06 AM
Hello,
Is the syslog server connected through a VPN tunnel? If it is, most likely
the next hop device is sending the packets back at the firewall (default
gateway points to firewall) without encrypting the data. Common reasons
would be a break in the tunnel or other routing issues. Please check to see
if the VPN tunnel/Routing is working as expected when you see these
messages.
Hope this helps.
Regards,
NT
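A way to triage these messages in bulk, as an added example that is not part of the original thread: it parses 106016 lines and separates flows whose source is one of the firewall's own interface addresses (the returned-packet case the replies describe) from any other source. The sample lines, the hostname `fw1` and the function name `triage` are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches the 106016 text with or without the %ASA-<level>- prefix, and with
# the destination either bare or in parentheses (as pasted in this thread).
SPOOF_RE = re.compile(
    r"(?:%ASA-\d-106016:\s*)?Deny IP spoof from \((?P<src>[^)\s]+)\) "
    r"to \(?(?P<dst>[0-9a-fA-F.:]+?)\)? on interface (?P<ifc>\S+)"
)

SAMPLE = [  # constructed sample lines; timestamps and hostname are made up
    "Sep 08 2010 00:20:01 fw1 : %ASA-2-106016: Deny IP spoof from (10.111.10.1) to 10.99.100.1 on interface inside",
    "Deny IP spoof from (10.111.10.1) to (10.99.100.1) on interface inside",
    "Sep 08 2010 00:21:07 fw1 : %ASA-2-106016: Deny IP spoof from (127.0.0.1) to 10.111.10.1 on interface inside",
    "Sep 08 2010 00:21:09 fw1 : %ASA-6-302013: Built outbound TCP connection (unrelated message)",
]

def triage(lines, own_ips):
    """Count 106016 events per (src, dst, interface) and label each flow.

    own_ips: the firewall's own interface addresses (from "show int ip brief").
    A source that is one of them means the ASA's own packet came back to it,
    so the next hop's routing is the place to look, not a remote host.
    """
    own = {ipaddress.ip_address(ip) for ip in own_ips}
    counts = Counter()
    for line in lines:
        m = SPOOF_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address: skip rather than misclassify
        counts[(src, dst, m["ifc"].rstrip("."))] += 1
    report = []
    for (src, dst, ifc), n in counts.most_common():
        label = "own-address-returned" if src in own else "other-source"
        report.append((str(src), str(dst), ifc, n, label))
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE, ["10.111.10.1"]):
        print(row)
```
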