topic Have you allowed the VPN pool in Network Security

anyconnect behavior

Benjamin Saito — Tue, 12 Mar 2019 05:12:26 GMT

I have a strange issue that I cannot seem to figure out. We have a customer that has 2 different ASA's for 2 different environments. We have a vpn tunnel set up so that when they connect to the anyconnect client via Firewall-A, the traffic can hairpin over the tunnel and access the servers behind firewall-B. That is working fine, but the problem is when we try to access the ASDM via the inside ip address over the ssl vpn on Firewall-A we get this message:

Deny IP spoof from (10.200.0.6) to 10.0.193.1 on interface outside

We can access the ASDM on Firewall-B, but not on Firewall-A. I do not know why the ASA thinks this is a spoofing attack. Can someone shed some light on this for me? Thanks in advanced!

I'm not quite envisioning the

Marvin Rhoads — Thu, 11 Dec 2014 00:25:22 GMT

I'm not quite envisioning the setup. Can you give us a simple diagram?

I attached a simple diagram

Benjamin Saito — Thu, 11 Dec 2014 15:51:27 GMT

I attached a simple diagram hopefully explaining it a little better. While connected to the ssl vpn on Firewall A, they are able to access all the servers behind Firewall A and Firewall B, can access the asdm on Firewall B, but cannot access the ASDM on Firewall A, that's when I see the spoofing messages in the logs. Let me know if this makes sense now. Thanks!

From Cisco documentation:If

Ryan S — Thu, 11 Dec 2014 17:07:03 GMT

From Cisco documentation:

If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the ASA drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the ASA drops the packet because the matching route (the default route) indicates the outside interface.

I'm not sure how you could prevent the ASA from having this error short of disabling Anti-Spoofing on the outside interface.

Hi Ryan,Thanks for the

Benjamin Saito — Thu, 11 Dec 2014 17:18:10 GMT

Hi Ryan,

Thanks for the comment. We are not able to pull up the asdm (which is access by using the inisde interface's ip address), but we can still access servers that are on the same network. For example, we can ping x.x.x.2 and x.x.x.3, but cannot access the asdm on https://x.x.x.1/admin and cannot ping it either. If what you said was true, wouldn't all traffic going to the inside interface be dropped? Sorry if I misunderstood your explanation.

Have you allowed the VPN pool

Marvin Rhoads — Thu, 11 Dec 2014 18:29:58 GMT

Have you allowed the VPN pool in the http commands that permit ASDM management?

e.g.:

http <pool subnet and mask> inside

...on firewall A.

Yes, that has been configured

Benjamin Saito — Thu, 11 Dec 2014 20:15:43 GMT

Yes, that has been configured.