
Deny IP spoof

Paul.Lane
Level 1

I’m getting this deny in my FW logs:

Deny IP spoof from (127.0.0.xx) to xx.xxx.xxx.xxx on interface inside.

I’ve just started to see them, what can cause this?

Thanks,

Paul Lane

4 Replies

jmia
Level 7

Hi Paul,

This explanation might help you; let me know if you need further help:

Error Message

%PIX-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.

Explanation

This message is logged when the firewall discards a packet with an invalid source address. Invalid source addresses are those addresses belonging to the following:

Loopback network (127.0.0.0)

Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)

The destination host (land.c)

Furthermore, if the sysopt connection enforcesubnet command is enabled, PIX Firewall discards packets with a source address belonging to the destination subnet from traversing the firewall and logs this message.

To further enhance spoof packet detection, use the conduit command to configure the firewall to discard packets with source addresses belonging to the internal network.

Recommended Action:

Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

Regards - Jay.

Jay,

Thank you for your reply. It looks like the FW is discarding the packet because it's using 127.0.0.88 as the source IP address.

How do I know if the sysopt connection enforcesubnet command is enabled?

Also what should I look for to determine if an external user is trying to compromise the protected network?

Thanks,

Paul Lane

Paul,

Check your PIX config and see if you have command:

> sysopt connection enforcesubnet

If you do have the above command, you can disable it by issuing the command no sysopt connection enforcesubnet in config mode on the PIX.

For your 2nd question, see if the packet is arriving from the same source constantly and set up syslog for your PIX; also check for misconfiguration of inside clients.

Let me know how you get on.

Jay.
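As an added example (not from this thread, and not Cisco's own tooling), here is a small Python parser for the %PIX-2-106016 message quoted in Jay's first reply. It classifies the rejected source address by the categories the explanation lists (loopback, limited or subnet-directed broadcast, land.c where source equals destination) and then counts how often each source recurs, which is the "arriving from the same source constantly" check Jay suggests. The sample syslog lines are constructed for the example; the loopback source 127.0.0.88 is the one Paul reported, the destination 192.0.2.10 and the interface subnet 192.0.2.0/24 are assumed values, and `local_subnet` is an assumed parameter rather than anything the firewall emits.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Pattern for the %PIX-2-106016 message shown in the thread. The message tag is
# optional because some syslog collectors strip it; search() tolerates a
# timestamp/hostname prefix in front of the message.
SPOOF_RE = re.compile(
    r"(?:%PIX-2-106016:\s*)?Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)\."
)

LOOPBACK = ip_network("127.0.0.0/8")
LIMITED_BROADCAST = ip_address("255.255.255.255")

# Constructed sample log lines (not real firewall output).
SAMPLE_LOG = [
    "%PIX-2-106016: Deny IP spoof from (127.0.0.88) to 192.0.2.10 on interface inside.",
    "%PIX-2-106016: Deny IP spoof from (127.0.0.88) to 192.0.2.10 on interface inside.",
    "%PIX-2-106016: Deny IP spoof from (127.0.0.88) to 192.0.2.10 on interface inside.",
    "%PIX-2-106016: Deny IP spoof from (192.0.2.255) to 192.0.2.10 on interface inside.",
    "%PIX-2-106016: Deny IP spoof from (192.0.2.10) to 192.0.2.10 on interface inside.",
    "some other constructed syslog line that the parser skips",
]


def classify_source(src, dst, local_subnet=None):
    """Return why a source address is invalid, following the categories in the thread.

    local_subnet (assumed parameter) is the subnet of the receiving interface; it is
    needed only for the subnet-directed broadcast check.
    """
    s = ip_address(src)
    if s in LOOPBACK:
        return "loopback"
    if s == LIMITED_BROADCAST:
        return "limited-broadcast"
    if local_subnet is not None and s == ip_network(local_subnet).broadcast_address:
        return "subnet-directed-broadcast"
    if s == ip_address(dst):
        return "land"  # source equals destination host (land.c)
    return "other"


def parse_spoof_denials(lines, local_subnet=None):
    """Extract and classify every 106016 denial from an iterable of syslog lines."""
    events = []
    for line in lines:
        m = SPOOF_RE.search(line)
        if not m:
            continue  # not a spoof denial; ignore
        events.append({
            "src": m["src"],
            "dst": m["dst"],
            "iface": m["iface"],
            "reason": classify_source(m["src"], m["dst"], local_subnet),
        })
    return events


def repeated_sources(events, threshold=3):
    """Sources that appear at least `threshold` times, i.e. the constantly
    recurring senders worth tracing back to a misconfigured inside client."""
    counts = Counter(e["src"] for e in events)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = parse_spoof_denials(SAMPLE_LOG, local_subnet="192.0.2.0/24")
    for e in found:
        print(f"{e['iface']}: {e['src']} -> {e['dst']} ({e['reason']})")
    print("repeat offenders:", repeated_sources(found))
```

Because the loopback range is discarded by the firewall before any routing decision, a recurring 127.0.0.0/8 source on the inside interface almost always points back to an inside host or device with a broken address configuration rather than to outside traffic, so the recurring-source list is the natural place to start the investigation.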

What version of the FOS has "sysopt connection enforcesubnet" ?

How does this differ from the ip verify reverse-path interface command?

Thanks
