Cisco Support Community

Spoofing message AS 5520

We use our ASA as a VPN concentrator and I am seeing a ton of messages that read

Deny IP spoof from ( to 10.x.2.91 on interface UntrustedDMZ

The 10.x.x.x address is a user on the VPN logged in from a hotel. He tells me that he only has Outlook open at this point. Any idea what might be causing this message? CiscoWorks reports over 1200 messages already today from this one user.



Re: Spoofing message AS 5520

First, is not Internet routable, so it could be anything in your DMZ; you will need to use a packet capture to track the source MAC address of that is coming from your UntrustedDMZ network.

asafw(config)#access-list incap permit ip host host 10.x.2.91

asafw(config)#access-list incap permit ip host 10.x.2.91 host

asafw(config)#capture incap access-list incap packet-length 1500 interface UntrustedDMZ

asafw#show capture incap detail

The show capture output should provide the MAC address information from; save the output of show capture detail and note the MAC for

Then track the MAC address:

asafw#show arp | inc ( should provide you with the MAC address and location on the UntrustedDMZ )

Once you collect the information,

remove the incap ACL:

no access-list incap permit ip host host 10.x.2.91

no access-list incap permit ip host 10.x.2.91 host

and disable the capture:

no capture incap

Here is also a good resource:

Let us know what you have found.
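As an added example (not part of the original thread), a short Python script that parses ASA %ASA-2-106016 "Deny IP spoof" syslog lines, counts them per source/destination/interface, and flags sources in RFC 1918 space, which cannot have arrived from the Internet and so must originate on the local segment, as the reply above points out. The log lines, hostnames and addresses are constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Message text of ASA syslog 106016: "Deny IP spoof from (SRC) to DST on interface NAME".
# The syslog prefix (timestamp, hostname, message ID) is not anchored, so lines from
# 'show logging' or from a syslog collector both parse.
SPOOF_RE = re.compile(
    r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) "
    r"on interface (?P<iface>\S+)"
)

# RFC 1918 private ranges: a spoofed source in one of these never came from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (hypothetical hostnames and addresses, not from the thread).
SAMPLE_LOG = """\
Jan 10 09:01:02 asafw %ASA-2-106016: Deny IP spoof from (10.20.30.40) to 10.1.2.91 on interface UntrustedDMZ
Jan 10 09:01:03 asafw %ASA-2-106016: Deny IP spoof from (10.20.30.40) to 10.1.2.91 on interface UntrustedDMZ
Jan 10 09:01:05 asafw %ASA-2-106016: Deny IP spoof from (192.0.2.7) to 10.1.2.91 on interface UntrustedDMZ
Jan 10 09:01:07 asafw %ASA-4-106023: Deny tcp src outside:198.51.100.5/4444 dst inside:10.1.2.10/22 by access-group "outside_in"
Jan 10 09:01:09 asafw %ASA-2-106016: Deny IP spoof from (10.20.30.40) to 10.1.2.91 on interface UntrustedDMZ
"""

def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_spoof_events(log_text):
    """Return a list of (src, dst, iface) tuples, one per 106016 line; other messages are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SPOOF_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("dst"), m.group("iface")))
    return events

def summarize(events):
    """Count events per (src, dst, iface), most frequent first, and label each source's origin."""
    rows = []
    for (src, dst, iface), n in Counter(events).most_common():
        origin = "RFC1918 - local segment, trace the MAC" if is_rfc1918(src) else "not RFC1918 - check further"
        rows.append({"src": src, "dst": dst, "iface": iface, "count": n, "origin": origin})
    return rows

if __name__ == "__main__":
    for r in summarize(parse_spoof_events(SAMPLE_LOG)):
        print(f"{r['count']:>5}  {r['src']:<15} -> {r['dst']:<15} on {r['iface']}  [{r['origin']}]")
```

Feed it the output of show logging (or the collector's file) to see which spoofed source is producing the bulk of the 106016 messages before building the capture ACL for that one host.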


