Cisco Support Community
New Member

Deny IP spoof

I’m getting this deny in my FW logs:

Deny IP spoof from (127.0.0.xx) to xx.xxx.xxx.xxx on interface inside.

I’ve just started to see them, what can cause this?

Thanks,

Paul Lane

4 REPLIES
Gold

Re: Deny IP spoof

Hi Paul,

This explanation might help you; let me know if you need further help:

Error Message

%PIX-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.

Explanation

This message is logged when the firewall discards a packet with an invalid source address. Invalid source addresses are those addresses belonging to the following:

Loopback network (127.0.0.0)

Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)

The destination host (land.c)

Furthermore, if the sysopt connection enforcesubnet command is enabled, PIX Firewall discards packets with a source address belonging to the destination subnet from traversing the firewall and logs this message.

To further enhance spoof packet detection, use the conduit command to configure the firewall to discard packets with source addresses belonging to the internal network.

Recommended Action:

Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

Regards - Jay.

New Member

Re: Deny IP spoof

Jay,

Thank you for your reply. It looks like the FW is discarding the packet because it's using 127.0.0.88 as the source IP address.

How do I know if the sysopt connection enforcesubnet command is enabled?

Also what should I look for to determine if an external user is trying to compromise the protected network?

Thanks,

Paul Lane

Gold

Re: Deny IP spoof

Paul,

Check your PIX config and see if you have command:

> sysopt connection enforcesubnet

If you do have the above command, you can disable it by issuing the command no sysopt connection enforcesubnet in config mode on the PIX.

For your 2nd question, see if the packet is arriving from the same source constantly and set up syslog for your PIX; also check for misconfiguration of inside clients.

Let me know how you get on.

Jay.
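As an added example (not part of this thread and not Cisco code), the script below does what Jay suggests: it parses %PIX-2-106016 lines collected by syslog, labels each dropped source using the categories from the quoted explanation (loopback, limited or directed broadcast, land.c where source equals destination, and an inside address arriving on a non-inside interface), and counts hits per source and interface so a source that keeps showing up stands out. The log lines, the inside subnet 10.1.1.0/24, the interface name "inside" and the threshold of 3 are constructed assumptions; the same message ID is matched with an %ASA- prefix as well, which is an assumption about later platforms rather than something the thread states.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines (assumed, not taken from the thread).
SAMPLE_LOGS = [
    "%PIX-2-106016: Deny IP spoof from (127.0.0.88) to 10.1.1.20 on interface inside.",
    "%PIX-2-106016: Deny IP spoof from (127.0.0.88) to 10.1.1.20 on interface inside.",
    "%PIX-2-106016: Deny IP spoof from (127.0.0.88) to 10.1.1.20 on interface inside.",
    "%PIX-2-106016: Deny IP spoof from (10.1.1.20) to 10.1.1.20 on interface outside.",
    "%PIX-2-106016: Deny IP spoof from (255.255.255.255) to 10.1.1.5 on interface outside.",
    "%PIX-2-106016: Deny IP spoof from (10.1.1.255) to 10.1.1.5 on interface outside.",
    "%PIX-2-106016: Deny IP spoof from (10.1.1.77) to 192.0.2.10 on interface outside.",
    "%PIX-6-302013: Built inbound TCP connection ...",  # unrelated message, ignored
]

# Assumed topology: the protected network and the interface it sits behind.
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")
INSIDE_IFACE = "inside"

SPOOF_RE = re.compile(
    r"%(?:PIX|ASA)-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)\."
)


def parse_spoof_line(line):
    """Return {'src', 'dst', 'iface'} for a 106016 line, or None for anything else."""
    m = SPOOF_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "iface": m["iface"],
    }


def classify(src, dst, iface, inside_net=INSIDE_NET, inside_iface=INSIDE_IFACE):
    """Label the source address with the reason the firewall treats it as spoofed."""
    if src.is_loopback:                       # 127.0.0.0/8, the case in the thread
        return "loopback"
    if src == dst:                            # land.c: source equals destination
        return "land"
    if src == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if src == inside_net.broadcast_address:   # subnet-directed broadcast of our net
        return "directed-broadcast"
    if src in inside_net and iface != inside_iface:
        return "internal-source-on-outside"   # inside address entering from outside
    return "other"


def summarize(lines, threshold=3, **kw):
    """Count 106016 drops per (source, interface); flag sources seen >= threshold times."""
    counts = Counter()
    categories = {}
    for line in lines:
        rec = parse_spoof_line(line)
        if rec is None:
            continue
        key = (str(rec["src"]), rec["iface"])
        counts[key] += 1
        categories[key] = classify(rec["src"], rec["dst"], rec["iface"], **kw)
    return [
        {
            "src": src,
            "iface": iface,
            "category": categories[(src, iface)],
            "count": n,
            "persistent": n >= threshold,
        }
        for (src, iface), n in counts.most_common()
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOGS):
        print(row)
```

A persistent loopback source on the inside interface, as in the original post, points at a misconfigured or compromised inside host rather than an outside attacker, because 127.0.0.0/8 traffic should never leave a host; an inside address arriving on the outside interface is the case worth treating as a probe, and the count per source tells you whether it is a one-off or a steady stream.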

New Member

Re: Deny IP spoof

What version of the FOS has "sysopt connection enforcesubnet" ?

How does this differ from the ip verify reverse-path interface command?

Thanks
