New Member

IP spoof

Hi,

I get the critical alert.

Deny IP spoof from (192.168.97.16) to virtual_plc on interface outside

Which I understand because both addresses are on the same subnet, yet on different interfaces.

However I would like them to communicate, how do I do that please?

I have attached a drawing of the network.

We VPN into our customer's site, where the VPN server gives us the 192.168.97.x address.

The customer's network is 151.133.100.x where our router is at 151.133.100.80.

We static NAT 151.133.100.81 and 151.133.100.81 through to 192.168.100.180 and 192.168.100.184 respectively.

Our router is an ASA5505.

Thanks in advance.

John

11 REPLIES
Green

Re: IP spoof

Which firewall in the diagram are you vpn'ing to?

New Member

Re: IP spoof

The first one - NOT the ASA5505 on the slicer

Green

Re: IP spoof

What is the subnet mask of the slicer inside network? You could try to disable it with

no ip verify reverse-path interface outside

New Member

Re: IP spoof

The Inside subnet mask is 255.255.255.0

I will try this when I get to work tomorrow.

Thanks

New Member

Re: IP spoof

I added the - no ip verify reverse-path interface outside

Now though, I get the error

Failed to locate egress interface for TCP from outside:192.168.97.x

How do I get back from the slicer network to the VPN's?

Green

Re: IP spoof

Could you post the config from your ASA?

New Member

Re: IP spoof

Here is the conf file

Green

Re: IP spoof

Ah ha, you have no default route defined.

route outside 0.0.0.0 0.0.0.0 x.x.x.x

x.x.x.x = inside ip of the other ASA that you are vpn'ing into.
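
The sequence of errors in this thread can be reproduced with a simplified model of a strict reverse-path check. This is an added example, not part of the original posts and not ASA code; the /24 prefix on the outside network and the function names are assumptions.

```python
import ipaddress

# Simplified model of a strict reverse-path check; not ASA code.
# Assumption: the thread gives the inside mask (255.255.255.0) and
# describes the customer network only as 151.133.100.x, taken here as /24.
CONNECTED = [
    ("192.168.100.0/24", "inside"),
    ("151.133.100.0/24", "outside"),
]
DEFAULT_VIA_OUTSIDE = ("0.0.0.0/0", "outside")


def lookup(routes, address):
    """Longest-prefix match; return the egress interface name or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check(routes, src, ingress, rpf_enabled):
    """Classify a packet by its source address and arrival interface."""
    back = lookup(routes, src)  # interface the reply would leave on
    if rpf_enabled and back != ingress:
        return "deny-rpf"  # source is not reachable via the ingress interface
    if back is None:
        return "no-return-route"  # accepted, but replies have nowhere to go
    return "forward"


def scenarios(src="192.168.97.16"):
    """Run the VPN client address from the thread through each configuration."""
    with_default = CONNECTED + [DEFAULT_VIA_OUTSIDE]
    return {
        "rpf on, no default route": check(CONNECTED, src, "outside", True),
        "rpf off, no default route": check(CONNECTED, src, "outside", False),
        "rpf on, default via outside": check(with_default, src, "outside", True),
        "inside source on outside": check(with_default, "192.168.100.180", "outside", True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

In this model the reverse-path check passes for the VPN client address once the default route exists, while a packet arriving on outside with an inside source address is still denied.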

New Member

Re: IP spoof

Thank you for your help, I am now back at home - I shall try that first thing in the morning.

John.

New Member

Re: IP spoof

Thank you acomiskey.

Adding route outside 0.0.0.0 0.0.0.0 x.x.x.x resolved the issue.

However, supposedly it brought down the customer's network. Does this sound possible?

John.

New Member

Re: IP spoof

Could it be multicast-routing? It was not enabled yesterday.
