Hey, I'm working on a problem where all necessary communication *seems* to be happening, but we're seeing regular errors logged that look like this (Public IP addresses have been changed from the real ones):
Aug 13 2012 14:43:08: %ASA-2-106016: Deny IP spoof from (18.104.22.168) to 22.214.171.124 on interface outside
It's an ASA5520 failover pair, running 8.2(1).
Outside Int: 126.96.36.199 /30
DMZ Int: 10.11.11.1 /24
Inside Int: 192.168.168.1 /22
On the outside are two VPN subnets (VPNs are terminating on the ASA), 10.14.14.0 /24 and 10.15.15.0 /24.
Below is the current NAT config. What I'd noticed was missing initially were the nat (dmz) 0 and nat (outside) 0 parts of the config. Those have been added. (And yes, I know there are some unneeded config commands; I'm not able to remove things right now unless it's absolutely necessary, so cleanup has to wait.)
Please find below the explanation and workaround for that log code.
%PIX|ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on
This message is generated when a packet arrives at the security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the security appliance interface. In addition, this message is generated when the security appliance discarded a packet with an invalid source address, which can include one of the following or some other invalid address:
Loopback network (127.0.0.0)
Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
The destination host (land.c)
In order to further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with source addresses belonging to the internal network. This is because the access-list command has been deprecated and is no longer guaranteed to work correctly.
Recommended Action: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
This comes because of the spoofed packet sent to the public IP of your DMZ zone server. You have to deny the ICMP packets originating from the outside network other than the trusted network. Or you could have some misconfiguration in your configuration which leads to this log. Setting a deny rule for ICMP in the outside interface's ACL would solve this issue.
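To act on the "Recommended Action" above (decide whether the denied packets look like an external probe or a misconfigured client), it helps to classify each %ASA-2-106016 line by the kind of invalid source the Cisco text lists: loopback, broadcast, land-style (source equals destination), or an internal address showing up on the wrong interface. The script below is an added example written for this thread, not code from the original poster or from Cisco. It assumes the prefixes given in the question (10.11.11.0/24 DMZ, 192.168.168.0/22 inside, 10.14.14.0/24 and 10.15.15.0/24 VPN) as the "internal" set; the verdict names and the sample log lines are constructed for illustration, and the public addresses are the already-altered ones from the question.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Message format as it appears in the thread; the syslog timestamp before
# "%ASA" is ignored. The PIX variant of the prefix is accepted as well.
SPOOF_RE = re.compile(
    r"%(?:PIX|ASA)-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\)"
    r" to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)

# Internal prefixes taken from the question. Assumed for illustration only;
# on a real firewall the routing table and interface config are the authority.
INTERNAL_NETS = [
    ipaddress.ip_network("10.11.11.0/24"),     # DMZ
    ipaddress.ip_network("192.168.168.0/22"),  # inside
    ipaddress.ip_network("10.14.14.0/24"),     # VPN subnet 1 (terminates on outside)
    ipaddress.ip_network("10.15.15.0/24"),     # VPN subnet 2
]


@dataclass(frozen=True)
class SpoofEvent:
    src: str
    dst: str
    iface: str
    verdict: str


def classify(src: str, dst: str, iface: str) -> str:
    """Map one denied packet to the invalid-source category the ASA docs describe."""
    s = ipaddress.ip_address(src)
    if dst == "0.0.0.0":
        return "dst-unspecified"              # destination 0.0.0.0 case
    if s.is_loopback:
        return "src-loopback"                 # 127.0.0.0/8
    if s.is_unspecified or s.is_multicast or src == "255.255.255.255":
        return "src-broadcast-or-reserved"    # limited broadcast / not a unicast host
    if src == dst:
        return "land-attack-pattern"          # the land.c case: src == dst
    for net in INTERNAL_NETS:
        if s == net.broadcast_address:
            return "src-directed-broadcast"   # subnet-directed broadcast of a known net
        if s in net:
            return f"internal-src-on-{iface}" # internal address arriving on this interface
    return f"external-src-on-{iface}"         # public source; check NAT / client config


def parse_line(line: str) -> Optional[SpoofEvent]:
    """Return a SpoofEvent for a 106016 line, or None for any other line."""
    m = SPOOF_RE.search(line)
    if not m:
        return None
    src, dst, iface = m.group("src"), m.group("dst"), m.group("iface")
    return SpoofEvent(src, dst, iface, classify(src, dst, iface))


def triage(lines: Iterable[str]) -> Counter:
    """Count events per (verdict, source) so repeat sources stand out."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            counts[(ev.verdict, ev.src)] += 1
    return counts


# Constructed sample log: the line from the question (twice) plus variants
# covering the other source categories. Not real captured data.
SAMPLE_LOG = [
    "Aug 13 2012 14:43:08: %ASA-2-106016: Deny IP spoof from (18.104.22.168) to 22.214.171.124 on interface outside",
    "Aug 13 2012 14:43:09: %ASA-2-106016: Deny IP spoof from (18.104.22.168) to 22.214.171.124 on interface outside",
    "Aug 13 2012 14:44:01: %ASA-2-106016: Deny IP spoof from (127.0.0.1) to 22.214.171.124 on interface outside",
    "Aug 13 2012 14:44:02: %ASA-2-106016: Deny IP spoof from (10.11.11.50) to 22.214.171.124 on interface outside",
    "Aug 13 2012 14:44:03: %ASA-2-106016: Deny IP spoof from (22.214.171.124) to 22.214.171.124 on interface outside",
    "Aug 13 2012 14:44:04: %ASA-6-302013: Built inbound TCP connection (unrelated line, skipped)",
]

if __name__ == "__main__":
    for (verdict, src), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:4d}  {verdict:28s} {src}")
```

A source that lands in one of the internal prefixes while arriving on outside is the "check for misconfigured clients" case (a host on the wrong side, or a VPN client whose traffic is not being matched by the nat 0 exemption), while a steady stream of land-pattern or loopback sources from the same public address is the "external user" case worth a closer look.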