
IP spoof question Cisco ASA

I got the following,

Deny IP spoof from (0.1.0.4) to 10.1.1.101 on interface intranet

Traffic has correctly been denied, but ip verify reverse-path is not configured on the intranet interface to prevent IP spoofing. So, how did the ASA deny IP spoofing? Does it mean unicast RPF is not necessary?

Thank you


6 Replies

Julio Carvajal (VIP Alumni)

Hello,

This is not related to the RPF Check per se;

%PIX|ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.

This message is generated when a packet arrives at the security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the security appliance interface. In addition, this message is generated when the security appliance discarded a packet with an invalid source address, which can include one of the following or some other invalid address:

• Loopback network (127.0.0.0)
• Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
• The destination host (land.c)

In order to further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with source addresses belonging to the internal network. This is because the access-list command has been deprecated and is no longer guaranteed to work correctly.

Recommended Action: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
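To make the conditions in that message description concrete, here is an added example (not code from the thread or from Cisco) that parses %ASA-2-106016 lines and classifies each denied packet against the documented triggers: destination 0.0.0.0, land attack (source equals destination), loopback source, limited or subnet-directed broadcast source, and "some other invalid address". The log lines are constructed; only the first reproduces the poster's message. The interface-to-subnet mapping is an assumption needed to recognise a subnet-directed broadcast, and the 0.0.0.0/8 category is added here because the poster's source 0.1.0.4 falls in that reserved block, which the Cisco text only covers under "some other invalid address".

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog lines. Only the first reproduces the message quoted
# in the thread; the rest are made up to exercise each documented 106016 case,
# plus one unrelated message that the parser must ignore.
SAMPLE_LOGS = [
    "%ASA-2-106016: Deny IP spoof from (0.1.0.4) to 10.1.1.101 on interface intranet",
    "%ASA-2-106016: Deny IP spoof from (127.0.0.1) to 10.1.1.101 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (10.1.1.101) to 10.1.1.101 on interface intranet",
    "%ASA-2-106016: Deny IP spoof from (255.255.255.255) to 10.1.1.5 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (198.51.100.7) to 0.0.0.0 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (10.1.1.255) to 10.1.1.101 on interface intranet",
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.9/4567 "
    "(203.0.113.9/4567) to inside:10.1.1.5/443 (10.1.1.5/443)",
]

# Assumed (hypothetical) interface addressing, needed to recognise a
# subnet-directed broadcast source on a given interface.
INTERFACE_NETS = {
    "intranet": ipaddress.ip_network("10.1.1.0/24"),
    "outside": ipaddress.ip_network("203.0.113.0/24"),
}

MSG_106016 = re.compile(
    r"%(?:PIX|ASA)-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)

THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")  # reserved "this network" block (RFC 1122)
LIMITED_BCAST = ipaddress.IPv4Address("255.255.255.255")


@dataclass
class SpoofEvent:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    iface: str
    reason: str


def classify(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address, iface: str) -> str:
    """Map a denied packet onto the conditions the 106016 documentation lists.

    Order matters: the destination-0.0.0.0 trigger is checked first because it
    is independent of the source, then the land attack, then the invalid-source cases.
    """
    if dst == ipaddress.IPv4Address("0.0.0.0"):
        return "destination 0.0.0.0"
    if src == dst:
        return "land attack (source equals destination)"
    if src.is_loopback:
        return "loopback source"
    if src == LIMITED_BCAST:
        return "limited broadcast source"
    net = INTERFACE_NETS.get(iface)
    if net is not None and src == net.broadcast_address:
        return "subnet-directed broadcast source"
    if src in THIS_NETWORK:
        return "reserved 0.0.0.0/8 source"
    return "other invalid source"


def parse_106016(line: str) -> Optional[SpoofEvent]:
    """Return a SpoofEvent for a 106016 line, or None for any other message."""
    m = MSG_106016.search(line)
    if m is None:
        return None
    src = ipaddress.IPv4Address(m["src"])
    dst = ipaddress.IPv4Address(m["dst"])
    return SpoofEvent(src, dst, m["iface"], classify(src, dst, m["iface"]))


def spoof_events(lines):
    """All 106016 events in a log stream, in order."""
    return [e for e in map(parse_106016, lines) if e is not None]


def count_by_interface(lines):
    """Spoof denials per interface; a burst on one interface is what to chase
    (misconfigured client, or someone probing the protected network)."""
    counts = {}
    for e in spoof_events(lines):
        counts[e.iface] = counts.get(e.iface, 0) + 1
    return counts


if __name__ == "__main__":
    for e in spoof_events(SAMPLE_LOGS):
        print(f"{e.iface:9s} {str(e.src):>16} -> {str(e.dst):<12} {e.reason}")
    print(count_by_interface(SAMPLE_LOGS))
```

Run as-is, the poster's own line is classified as a reserved 0.0.0.0/8 source on intranet, which is why the ASA dropped it without any reverse-path check: the message fires on the address itself being invalid, not on where the route back to it points.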

Correct. I would have had a different message for IP spoofing with RPF. Is RPF still advised to be configured?

You got it.

It's always good to add more security to your Firewalls so RPF is a good deal.


Cheers,

Julio Carvajal Segura

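To show what the RPF check adds on top of the 106016 invalid-address check, here is an added example (not code from the thread or from Cisco) that simulates the strict unicast RPF test that `ip verify reverse-path interface <name>` enables on an ASA: a packet is accepted only if the best route back to its source address points out the interface it arrived on. The routing table and packets are constructed; the interface names intranet, outside and dmz are assumptions. The last packet reuses the poster's source 0.1.0.4 to show that RPF on intranet would also have dropped it, because the only route covering that address is the default route via outside.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table for a hypothetical ASA with three interfaces:
# (destination prefix, egress interface). Not taken from the thread.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.1.1.0/24", "intranet"),
    ("10.2.0.0/16", "intranet"),
    ("192.168.50.0/24", "dmz"),
]

# Constructed packets as (ingress interface, source, destination).
PACKETS = [
    ("intranet", "10.1.1.50", "203.0.113.9"),   # normal outbound traffic
    ("outside", "10.1.1.50", "203.0.113.9"),    # internal address arriving from outside
    ("intranet", "203.0.113.7", "10.1.1.5"),    # external address arriving from inside
    ("outside", "203.0.113.7", "10.1.1.5"),     # normal inbound traffic
    ("dmz", "192.168.50.10", "10.1.1.5"),       # normal dmz traffic
    ("intranet", "0.1.0.4", "10.1.1.101"),      # the source from the thread's log line
]


def best_route(routes, addr) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match of addr against the table; None if nothing covers it."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def rpf_check(routes, ingress_iface: str, src: str) -> Tuple[bool, str]:
    """Strict unicast RPF: pass only if the best route back to the source points
    out the ingress interface. With a default route present, any source not
    covered by a more specific prefix is accepted on the default route's
    interface and rejected on every other interface."""
    route = best_route(routes, src)
    if route is None:
        return False, f"no route back to {src}"
    net, iface = route
    if iface != ingress_iface:
        return False, f"{src} is reached via {net} on {iface}, but arrived on {ingress_iface}"
    return True, f"{src} is reached via {net} on {ingress_iface}"


def rpf_filter(routes, packets, verify_on) -> List[Tuple[str, str, str, str]]:
    """Apply the check only on the interfaces in verify_on (those where
    'ip verify reverse-path interface <name>' would be configured).
    Returns the dropped packets as (ingress, src, dst, reason)."""
    dropped = []
    for ingress, src, dst in packets:
        if ingress not in verify_on:
            continue
        ok, reason = rpf_check(routes, ingress, src)
        if not ok:
            dropped.append((ingress, src, dst, reason))
    return dropped


if __name__ == "__main__":
    for pkt in rpf_filter(ROUTES, PACKETS, verify_on={"outside", "intranet", "dmz"}):
        print("RPF drop:", *pkt)
```

Two things the simulation makes visible. First, the check is per interface: enabling it only on outside catches the internal address coming in from the Internet but lets the external source leaving intranet through, so the interface list in `verify_on` is the whole policy. Second, RPF judges an address by the routing table, not by whether it is syntactically valid, which is why it is a separate layer from the 106016 check and why configuring both is the sound choice.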

Let me add..

1. I couldn't find an explanation for:

In order to further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with  source addresses belonging to the internal network. This is because the access-list command has been deprecated and is no longer guaranteed to work correctly.

2. The 106016 log message is related to a check which is not configurable, right?

Thank you

Hello,

1) That means that you can configure the ASA to deny ICMP packets (using the ICMP syntax) coming in on the outside interface from source IP addresses on the internal side (as this is certainly never expected).

2) Exactly.

Hey my man! Remember to rate all of my answers. We are helping for free and some kudos are really appreciated


Cheers,

Julio Carvajal Segura


Thanks a lot
