Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX: Spurious Deny IP spoof messages for traffic to outside interface

Hello

Our PIX seems to have gone into a state where it rejects traffic to the outside interface with:

Aug 31 09:28:02 pix %PIX-2-106016: Deny IP spoof from (foo) to aaa.bbb.ccc.ddd on interface outside

Where foo in this case is a host on the same subnet as the outside interface pinging the outside interface address aaa.bbb.ccc.ddd for testing purposes. We've noticed this because people using Remote Access VPN were not able to connect.

We don't actually have anti-spoofing enabled and the configuration shows no changes (confirmed using RANCID).

I've tried enabling and then disabling anti-spoofing but this has had no effect.

All I can think of is that this is a PIX bug and the previous occasion when this happened about a month we had to reload.

Anything other ideas before I try and open a case with TAC and just reload it again?

This is PIXOS 7.2(1) running on a PIX 525.

1 REPLY
Silver

Re: PIX: Spurious Deny IP spoof messages for traffic to outside

This message is logged when the PIX Firewall discards a packet with an invalid source address. Invalid source addresses are those addresses belonging to the following:

Loopback network (127.0.0.0)

Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)

The destination host

Furthermore, if the sysopt connection enforcesubnet command is enabled, PIX Firewall discards packets with a source address belonging to the destination subnet from traversing the PIX Firewall and logs this message.

To further enhance spoof packet detection, use the conduit command to configure the PIX Firewall to discard packets with source addresses belonging to the internal network.

To resolve this Determine if an external user is trying to compromise the protected network. Check for misconfigured clients

479
Views
0
Helpful
1
Replies
CreatePlease to create content