IP spoof question Cisco ASA

I got the following,

Deny IP spoof from (0.1.0.4) to 10.1.1.101 on interface intranet

Traffic has correctly been denied, but ip verify reverse-path is not configured on the intranet interface to prevent IP spoofing. So, how did the ASA deny IP spoofing? Does it mean unicast RPF is not necessary?

Thank you



Hello,

This is not related to the RPF check per se.

%PIX|ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.

This message is generated when a packet arrives at the security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the security appliance interface. In addition, this message is generated when the security appliance discarded a packet with an invalid source address, which can include one of the following or some other invalid address:
    • Loopback network (127.0.0.0)
    • Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
    • The destination host (land.c)

In order to further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with source addresses belonging to the internal network. This is because the access-list command has been deprecated and is no longer guaranteed to work correctly.

Recommended Action: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
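The reply above quotes the description of message 106016, which comes from a check the ASA always performs. A uRPF failure is a different event: once ip verify reverse-path interface intranet is configured, a packet whose source is not routed back out the receiving interface is dropped with a separate message, %ASA-1-106021 "Deny protocol reverse path check from src to dst on interface name". The script below is an added example (written for this page, not code from the thread or from Cisco) that tells the two checks apart from syslog alone and names the invalid-source class that 106016 most likely hit. The sample lines other than the first are constructed; the idea that the poster's 0.1.0.4 source was rejected because 0.0.0.0/8 is a reserved range is this example's reading of the "some other invalid address" wording, not something Cisco documents.

```python
"""Triage Cisco ASA anti-spoofing syslog messages.

Two different checks produce two different message IDs:
  %ASA-2-106016  built-in invalid-source / land check (always on, not configurable)
  %ASA-1-106021  unicast reverse-path (uRPF) check, only logged when
                 'ip verify reverse-path interface <name>' is configured
"""
import ipaddress
import re

# Constructed sample lines. The first reproduces the message quoted in the
# thread; the rest are made up here to exercise the other code paths.
SAMPLE_LOGS = [
    "%ASA-2-106016: Deny IP spoof from (0.1.0.4) to 10.1.1.101 on interface intranet",
    "%ASA-2-106016: Deny IP spoof from (127.0.0.1) to 10.1.1.101 on interface intranet",
    "%ASA-2-106016: Deny IP spoof from (10.1.1.101) to 10.1.1.101 on interface intranet",
    "%ASA-1-106021: Deny udp reverse path check from 10.1.1.50 to 192.0.2.10 on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:192.0.2.10/4000 "
    "(192.0.2.10/4000) to intranet:10.1.1.101/443 (10.1.1.101/443)",
]

_SPOOF_RE = re.compile(
    r"%(?:PIX|ASA)-\d-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<ifc>\S+)"
)
_URPF_RE = re.compile(
    r"%(?:PIX|ASA)-\d-106021: Deny (?P<proto>\S+) reverse path check "
    r"from (?P<src>[\d.]+) to (?P<dst>[\d.]+) on interface (?P<ifc>\S+)"
)


def parse_asa_line(line):
    """Return a dict for 106016/106021 lines, or None for anything else."""
    m = _SPOOF_RE.search(line)
    if m:
        return {"check": "builtin-invalid-source", "proto": "ip", **m.groupdict()}
    m = _URPF_RE.search(line)
    if m:
        return {"check": "urpf", **m.groupdict()}
    return None


def classify_source(src, dst, ifc_subnet=None):
    """Name the invalid-source class a 106016 drop most likely matched.

    Loopback, broadcast and land come straight from Cisco's description of the
    message. The 0.0.0.0/8 test is an assumption made for this example: that
    range is reserved and never valid as a source, which is how the 0.1.0.4
    case in the thread would fall under 'some other invalid address'.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if s == d:
        return "land (source == destination)"
    if s.is_loopback:
        return "loopback (127.0.0.0/8)"
    if s == ipaddress.ip_address("255.255.255.255"):
        return "limited broadcast"
    if ifc_subnet is not None and s == ipaddress.ip_network(ifc_subnet).broadcast_address:
        return "directed broadcast for " + ifc_subnet
    if s in ipaddress.ip_network("0.0.0.0/8"):
        return "this-network (0.0.0.0/8)"
    return "other invalid address"


def triage(lines, ifc_subnets):
    """Map each anti-spoof line to (check, source, interface, reason).

    ifc_subnets: {interface_name: "a.b.c.d/len"}, so directed broadcasts can be
    recognised per interface. uRPF hits get a fixed reason because the message
    itself already says why: the source is not routed back out that interface.
    """
    out = []
    for line in lines:
        rec = parse_asa_line(line)
        if rec is None:
            continue
        if rec["check"] == "urpf":
            reason = "reverse path: source not routed via " + rec["ifc"]
        else:
            reason = classify_source(rec["src"], rec["dst"], ifc_subnets.get(rec["ifc"]))
        out.append((rec["check"], rec["src"], rec["ifc"], reason))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS, {"intranet": "10.1.1.0/24"}):
        print(row)
```

Feed it your real ASA syslog and a map of interface subnets; if you never see 106021 at all, uRPF is not enabled, since the built-in check alone only catches the obviously invalid sources listed in the message description. Note also that the icmp command mentioned in that description governs ICMP addressed to the ASA's own interfaces, not transit traffic, so it does not replace ip verify reverse-path for spoofed sources passing through the firewall.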
New Member


Correct. I would have had a different message for IP spoofing with RPF. Is RPF still advised to be configured?


You got it.

It's always good to add more security to your Firewalls so RPF is a good deal.

Cheers,

Julio Carvajal Segura

New Member


Let me add..

1. I couldn't find an explanation for:

In order to further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with  source addresses belonging to the internal network. This is because the access-list command has been deprecated and is no longer guaranteed to work correctly.

2. The 106016 log message is related to a check which is not configurable, right?

Thank you


Hello,

1) That means that you can configure the ASA to deny ICMP packets (using the icmp syntax) coming in on the outside interface from source IP addresses belonging to the internal side (as this is certainly never expected).

2) Exactly.

Hey my man! Remember to rate all of my answers. We are helping for free and some kudos are really appreciated

Cheers,

Julio Carvajal Segura

New Member


Thanks a lot
