Cisco Support Community
New Member

Question related to anti-spoofing feature on PIX

1) Is there any anti-spoofing feature on the PIX firewall?

2) If implemented, how is it implemented? Is it implemented by default? And how do you control the anti-spoofing rules?

3) If implemented, is it implemented at layer 1 or layer 2, or only at layer 3 (i.e. RPF, CBAC and access lists)?

Accepted Solution

Re: Question related to anti-spoofing feature on PIX

Hi, let me give these a shot:

1) The only anti-spoofing that the PIX provides short of configuring access-lists to block the RFC 1812 addresses, inside addresses, bogon networks, etc. is configuring unicast reverse-path. Take a look here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1053009

2) RPF is not implemented by default. You need to configure this if wanted.

3) Layer 3 only.

Hope this helps.

Scott
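The two mechanisms Scott describes, unicast RPF plus an explicit access list on the outside interface, written out as an added PIX 6.x configuration example. This is not configuration from the thread or from Cisco's documentation; the inside network (192.168.1.0/24), the outside subnet (203.0.113.0/24, documentation space), the web server address, the syslog host and the access-list name `outside_in` are assumptions, and the `!` lines are annotations for the reader rather than part of the configuration.

```text
! Unicast RPF on the outside interface (assumed example; not on by default).
! The PIX looks the packet's source address up in its routing table and drops
! the packet if the best route to that source does not point back out the
! interface it arrived on.
ip verify reverse-path interface outside

! Explicit source filtering on outside. PIX access lists take a normal
! subnet mask, not an IOS-style wildcard mask.
! Never-valid Internet sources: "this network", RFC 1918, loopback,
! multicast and reserved space.
access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in deny ip 224.0.0.0 240.0.0.0 any
access-list outside_in deny ip 240.0.0.0 240.0.0.0 any
! Our own address space must never appear as a source on outside
! (inside network and the firewall's outside subnet are assumed values).
access-list outside_in deny ip 192.168.1.0 255.255.255.0 any
access-list outside_in deny ip 203.0.113.0 255.255.255.0 any
! Then only the traffic that is actually needed; everything else hits the
! implicit deny at the end of the list.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! Severity 2 messages such as %PIX-2-106016 are only useful if they are
! sent somewhere; trap level warnings (4) includes them (syslog host assumed).
logging on
logging trap warnings
logging host inside 192.168.1.5
```

The two mechanisms are complementary rather than redundant. Because the outside interface normally carries the default route, strict RPF on outside only catches packets whose source belongs to a route pointing at another interface (the inside subnets), and it cannot recognise bogon or loopback sources that have no route at all; the explicit deny entries cover those. Conversely, RPF needs no per-prefix maintenance as inside subnets are added, provided the routing table knows about them. RPF also breaks legitimate traffic under asymmetric routing, so it should be enabled only where the return path is known to be symmetric.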

3 REPLIES

New Member

Re: Question related to anti-spoofing feature on PIX

I installed swatch for my PIX logs and started noticing about 20 of these types of messages per day:

Dec 5 08:36:55 pix.xxx.xxx.xxxx.us Dec 05 2003 08:36:55: %PIX-2-106016: Deny IP spoof from (0.174.158.235) to 204.xx.xx.xx on interface outside

Does anybody have any idea what these are?

New Member

Re: Question related to anti-spoofing feature on PIX

From PIX Syslog Messages..

+++++++++++

Error Message %PIX-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.

Explanation This message is logged when the firewall discards a packet with an invalid source address. Invalid source addresses are those addresses belonging to the following:

Loopback network (127.0.0.0)

Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)

The destination host (land.c)

Furthermore, if the sysopt connection enforcesubnet command is enabled, PIX Firewall prevents packets with a source address belonging to the destination subnet from traversing the firewall and logs this message.

To further enhance spoof packet detection, use the conduit command to configure the firewall to discard packets with source addresses belonging to the internal network.

Recommended Action Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
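The quoted documentation lists the source-address classes that trigger %PIX-2-106016 but leaves it to the reader to work out which class a given log line falls into. The following added example, not from the thread or from Cisco, parses such lines (the way a swatch rule would trigger on them) and classifies the source address into the categories the message documents, plus RFC 1918 and reserved space, and counts repeat offenders. The log lines are constructed to mimic the one posted above; the inside network (192.168.1.0/24), the destination address and the repeat threshold are assumptions.

```python
"""Classify and summarise %PIX-2-106016 'Deny IP spoof' syslog lines.

Added example, not code from the original thread.  The sample log below is
constructed; the 'inside' prefix and the noise threshold are assumptions.
"""
import ipaddress
import re
from collections import Counter

# Matches the message body regardless of the syslog header in front of it.
SPOOF_RE = re.compile(
    r"%PIX-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)

# Assumed: address space behind the 'inside' interface.  A packet with one
# of these sources arriving on 'outside' is the classic spoof.
INSIDE_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Source ranges that should never arrive from the Internet.  Checked in order.
BOGONS = [
    ("loopback (127/8)", ipaddress.ip_network("127.0.0.0/8")),
    ("this-network (0/8)", ipaddress.ip_network("0.0.0.0/8")),
    ("rfc1918 10/8", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918 172.16/12", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918 192.168/16", ipaddress.ip_network("192.168.0.0/16")),
    ("multicast (224/4)", ipaddress.ip_network("224.0.0.0/4")),
    ("reserved (240/4)", ipaddress.ip_network("240.0.0.0/4")),
]


def classify(src: str, dst: str) -> str:
    """Name the documented reason a source address is invalid."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s == d:
        return "land (src == dst)"            # land.c, per the PIX docs
    if s == ipaddress.ip_address("255.255.255.255"):
        return "limited broadcast"
    for net in INSIDE_NETS:
        if s in net:
            return "inside address on outside"
    for name, net in BOGONS:
        if s in net:
            return name
    return "other"


def parse_line(line: str):
    """Return a dict for a 106016 line, or None for any other line."""
    m = SPOOF_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["category"] = classify(event["src"], event["dst"])
    return event


def summarize(lines, threshold: int = 3) -> dict:
    """Count events per category and per source; flag repeat sources."""
    by_cat, by_src = Counter(), Counter()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        by_cat[event["category"]] += 1
        by_src[event["src"]] += 1
    noisy = {src: n for src, n in by_src.items() if n >= threshold}
    return {"by_category": dict(by_cat), "by_source": dict(by_src), "noisy": noisy}


# Constructed sample log, modelled on the line posted in the thread.
SAMPLE_LOG = """\
Dec  5 08:36:55 pix Dec 05 2003 08:36:55: %PIX-2-106016: Deny IP spoof from (0.174.158.235) to 203.0.113.10 on interface outside
Dec  5 08:36:58 pix Dec 05 2003 08:36:58: %PIX-2-106016: Deny IP spoof from (0.174.158.235) to 203.0.113.10 on interface outside
Dec  5 08:37:01 pix Dec 05 2003 08:37:01: %PIX-2-106016: Deny IP spoof from (192.168.1.20) to 203.0.113.10 on interface outside
Dec  5 08:37:02 pix Dec 05 2003 08:37:02: %PIX-2-106016: Deny IP spoof from (203.0.113.10) to 203.0.113.10 on interface outside
Dec  5 08:37:03 pix Dec 05 2003 08:37:03: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.10 on interface outside
Dec  5 08:37:04 pix Dec 05 2003 08:37:04: %PIX-2-106016: Deny IP spoof from (0.174.158.235) to 203.0.113.10 on interface outside
Dec  5 08:37:05 pix some unrelated message that must be ignored
"""

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG.splitlines()).items():
        print(k, v)
```

Sources in 0.0.0.0/8, like the one in the posted log line, are not routable anywhere and are typically the product of broken clients or scanning tools, which matches the documentation's advice to check both for hostile probing and for misconfigured clients; a source inside your own address space arriving on outside, or a source equal to the destination, is the case worth treating as an attack rather than noise.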
