Community Member

IP Spoof Attack in CISCO ASA

Hi Dudes,

I am getting an IP Spoof attack in my CISCO ASA Firewall. Though it's denying, I want to dig more into this. Can anyone help me?

Is there any way to discard these logs?

Note: I have already enabled the IP reverse path command to protect.

Please refer to the logs:

Deny IP Spoof from (10.111.10.1) to (10.99.100.1) on interface inside

10.111.10.1 - FW LAN face ip

10.99.100.1 - Syslog server IP

Thanks,

limat

6 REPLIES
Cisco Employee

Re: IP Spoof Attack in CISCO ASA

Hi,

Is the IP address 10.111.10.1 the IP address of the "inside" interface of the ASA? The ASA is receiving a packet on the inside interface with a source IP which is its own and the destination IP is that of the syslog server 10.99.100.1. Could you paste the output of "show route" and "show int ip brief" from the ASA?

Is the ASA sending syslogs to 10.99.100.1? If so, is it connected to the "inside" interface of the ASA? If so, it seems like there is some kind of a routing loop in the network! The device directly connected to the ASA on the "inside" interface is sending this packet back to the ASA for some reason. Please have a look at the device connected to the ASA on the inside interface.

Hope this helps!!

Thanks and Regards,

Prapanch

Community Member

Re: IP Spoof Attack in CISCO ASA

Hi Prapanch,

Thanks for your reply,

Yes, you are correct. The IP address 10.111.10.1 is my ASA inside interface.

But the syslog server is not directly connected to my ASA. It's located in Mumbai.

All my devices are synced with the syslog server.

Please advise.

Thanks,

limat

Re: IP Spoof Attack in CISCO ASA

Which is the log number? Did you upgrade to version 8.3?

Community Member

Re: IP Spoof Attack in CISCO ASA

Hi,

I am getting the message ID: 106016.

Currently I have the below versions:

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Please advise.

Cisco Employee

Re: IP Spoof Attack in CISCO ASA

Hey,

Well, as I said previously, my guess is that the device directly connected to the ASA on the "inside" interface is sending this packet back to the ASA for some reason. Please apply captures on the ASA from the ASA to the syslog server and vice versa on the inside interface as I had said.

https://supportforums.cisco.com/docs/DOC-1222

What is the device that is directly connected to the ASA on the inside interface, that is, in between the ASA and the syslog server? Can you get the routing table of that device and paste it here?

Regards,

Prapanch

Cisco Employee

Re: IP Spoof Attack in CISCO ASA

Hello,

Is the syslog server connected through a VPN tunnel? If it is, most likely the next hop device is sending the packets back at the firewall (default gateway points to firewall) without encrypting the data. Common reasons would be a break in the tunnel or other routing issues. Please check to see if the VPN tunnel/Routing is working as expected when you see these messages.

Hope this helps.

Regards,

NT
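
Added example, not part of the original thread or Cisco's tooling: a small Python triage script that separates 106016 events whose source is one of the firewall's own interface addresses (the returned-syslog case the replies describe) from other spoof denials. The message layout in the regex, the function name, and every sample line except the first are assumptions or constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout of ASA message 106016; parentheses around either address are optional.
SPOOF_RE = re.compile(
    r"Deny IP spoof from \(?(?P<src>\d+\.\d+\.\d+\.\d+)\)? to "
    r"\(?(?P<dst>\d+\.\d+\.\d+\.\d+)\)? on interface (?P<ifname>[\w-]+)",
    re.IGNORECASE,
)

def triage_spoof_logs(lines, own_ips, syslog_servers):
    """Count 106016 events, keyed by (verdict, src, dst, interface).

    own_ips: addresses configured on the firewall's interfaces.
    syslog_servers: destinations the firewall itself logs to.
    """
    counts = Counter()
    for line in lines:
        m = SPOOF_RE.search(line)
        if not m:
            continue  # not a 106016-style line
        src, dst, ifname = m.group("src", "dst", "ifname")
        if src in own_ips and dst in syslog_servers:
            # The firewall's own syslog packet arrived back on an interface:
            # points at the next hop's routing, not at an outside spoofer.
            verdict = "self-syslog-returned"
        elif src in own_ips:
            verdict = "self-traffic-returned"
        else:
            verdict = "other-spoof"
        counts[(verdict, src, dst, ifname)] += 1
    return counts

# First line is the log from the thread; the rest are constructed samples.
SAMPLE = [
    "Deny IP Spoof from (10.111.10.1) to (10.99.100.1) on interface inside",
    "%ASA-2-106016: Deny IP spoof from (10.111.10.1) to 10.99.100.1 on interface inside",
    "%ASA-2-106016: Deny IP spoof from (127.0.0.1) to 10.111.10.20 on interface inside",
    "%ASA-6-302013: constructed unrelated line that must be ignored",
]

if __name__ == "__main__":
    result = triage_spoof_logs(SAMPLE, {"10.111.10.1"}, {"10.99.100.1"})
    for (verdict, src, dst, ifname), n in result.most_common():
        print(f"{n:4d}  {verdict:22s} {src} -> {dst} on {ifname}")
```

A count dominated by `self-syslog-returned` on one interface matches the routing or tunnel explanation given in the replies, and the timestamps of those lines are the ones to compare against tunnel state and the next hop's routing table.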
