Cisco Support Community

New Member

Question on IP spoof

Hi,

Sometimes I get these messages in the log of our PIX525.

106016: Deny IP spoof from (127.0.0.100) to 10.10.19.90 on interface outside

106016: Deny IP spoof from (127.0.0.100) to 10.10.17.184 on interface outside

106016: Deny IP spoof from (127.0.0.100) to 10.10.17.184 on interface outside

These IP addresses are on the inside interface of the firewall. What exactly are the messages conveying?

Thanks.

1 REPLY
Cisco Employee

Re: Question on IP spoof

Message details are here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm#1022675

Basically the PIX will automatically deny packets from invalid source addresses, of which 127.0.0.100 is certainly one. The PIX is doing its job and protecting your internal hosts.

If you really want to see what these packets are then you'd have to put a Sniffer on the outside segment and capture them. It may be legitimate traffic from an outside mis-configured host, but most likely it's something bogus. It's probably coming from something directly connected on the outside interface though, cause the 10.x.x.x addresses wouldn't be routed from your ISP to you.
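For triaging these messages in bulk before reaching for a sniffer, the following is an added example, not part of the original thread and not Cisco tooling. It parses 106016 lines in the format quoted in the question and groups them by spoofed source and interface; the function names and the reason categories are this example's own assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the 106016 message text exactly as quoted in the question above.
SPOOF_RE = re.compile(
    r"106016: Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) "
    r"on interface (?P<ifc>\S+)"
)

def classify_source(src, dst):
    """Say why a source can never be valid on the wire (example's own categories)."""
    s = ipaddress.ip_address(src)
    if s.is_loopback:
        return "loopback (127.0.0.0/8)"
    if s.is_unspecified:
        return "unspecified (0.0.0.0)"
    if s.is_multicast:
        return "multicast"
    if src == "255.255.255.255":
        return "limited broadcast"
    if src == dst:
        return "source equals destination"
    return "other"

def summarize(lines):
    """Group 106016 events by (source, interface) so repeat offenders stand out."""
    groups = defaultdict(lambda: {"count": 0, "targets": set(), "reason": ""})
    for line in lines:
        m = SPOOF_RE.search(line)
        if not m:
            continue  # not a 106016 message
        g = groups[(m["src"], m["ifc"])]
        g["count"] += 1
        g["targets"].add(m["dst"])
        g["reason"] = classify_source(m["src"], m["dst"])
    return dict(groups)

# The three lines from the question, plus one constructed non-matching line.
SAMPLE = [
    "106016: Deny IP spoof from (127.0.0.100) to 10.10.19.90 on interface outside",
    "106016: Deny IP spoof from (127.0.0.100) to 10.10.17.184 on interface outside",
    "106016: Deny IP spoof from (127.0.0.100) to 10.10.17.184 on interface outside",
    "000000: constructed line that is not a spoof message",
]

if __name__ == "__main__":
    for (src, ifc), g in summarize(SAMPLE).items():
        print(f"{src} on {ifc}: {g['count']} hits, {g['reason']}, targets {sorted(g['targets'])}")
```

A single source hitting several inside addresses on one interface, as here, is the pattern that points at one device on the directly connected outside segment.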
