https://community.cisco.com/t5/network-security/ip-spoof-question-cisco-asa/m-p/2340296#M343767 <HTML><HEAD></HEAD><BODY><P>You got it <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/grin.gif"></SPAN>.</P><P></P><P>It's always good to add more security to your Firewalls so RPF is a good deal.</P><P></P><P><SPAN>For more information about Core and Security Networking follow my website at </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking">http://laguiadelnetworking</A><SPAN>. </SPAN><BR /> <BR /><SPAN>Any question contact me at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura</P></BODY></HTML> Sun, 01 Sep 2013 07:38:46 GMT Julio Carvajal 2013-09-01T07:38:46Z https://community.cisco.com/t5/network-security/ip-spoof-question-cisco-asa/m-p/2340292#M343738 <P>I got the following,</P><P>Deny IP spoof from (0.1.0.4) to 10.1.1.101 on interface intranet</P><P></P><P>Traffic has correctly been denied but ip verify reverse-path is not configured on intranet interface to prevent ip spoofing. So, how did the ASA denied ip spoofing ? does it means unicast RPF is not necessary ?</P><P></P><P>Thank you</P> Tue, 12 Mar 2019 02:32:21 GMT https://community.cisco.com/t5/network-security/ip-spoof-question-cisco-asa/m-p/2340292#M343738 giuseppe parlato 2019-03-12T02:32:21Z https://community.cisco.com/t5/network-security/ip-spoof-question-cisco-asa/m-p/2340293#M343746 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>This is not related to the RPF Check per se;</P><PRE style="font-size: 11px; overflow: auto; max-width: 650px; min-width: 400px; height: auto; color: #000000;"> %PIX|ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.</PRE><P></P><P></P><OL style="color: #000000; font-size: 12px;" type="1"><LI>This message is generated when a packet arrives at the security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the security appliance interface. In addition, this message is generated when the security appliance discarded a packet with an invalid source address, which can include one of the following or some other invalid address: <UL><LI>Loopback network (127.0.0.0)</LI><LI>Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)</LI><LI>The destination host (land.c)</LI></UL>In order to further enhance spoof packet detection, use the <STRONG>icmp</STRONG> command to configure the security appliance to discard packets with source addresses belonging to the internal network. This is because the <STRONG>access-list</STRONG> command has been deprecated and is no longer guaranteed to work correctly.<STRONG>Recommended Action:</STRONG> Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.</LI><LI><PRE style="font-size: 11px; overflow: auto; max-width: 650px; min-width: 400px; height: auto;"><BR /></PRE></LI></OL><P></P><P></P><P></P><P><SPAN>For more information about Core and Security Networking follow my website at </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking">http://laguiadelnetworking</A><SPAN>. </SPAN><BR /> <BR /><SPAN>Any question contact me at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segur</P></BODY></HTML> Thu, 29 Aug 2013 22:40:04 GMT https://community.cisco.com/t5/network-security/ip-spoof-question-cisco-asa/m-p/2340293#M343746 Julio Carvajal 2013-08-29T22:40:04Z https://community.cisco.com/t5/network-security/ip-spoof-question-cisco-asa/m-p/2340294#M343755 <HTML><HEAD></HEAD><BODY><P>Correctly I would have had a different message for ip spoofing with RPF. Is RPF still adviced to be configured ?</P></BODY></HTML> Fri, 30 Aug 2013 07:07:56 GMT https://community.cisco.com/t5/network-security/ip-spoof-question-cisco-asa/m-p/2340294#M343755 giuseppe parlato 2013-08-30T07:07:56Z https://community.cisco.com/t5/network-security/ip-spoof-question-cisco-asa/m-p/2340295#M343762 <HTML><HEAD></HEAD><BODY><P>Let me add..</P><P></P><P>1. couldn't find explenation for,</P><P></P><P><EM>In order to further enhance spoof packet detection, use the <STRONG>icmp </STRONG>command to configure the security appliance to discard packets with&nbsp; source addresses belonging to the internal network. This is because the <STRONG>access-list </STRONG>command has been deprecated and is no longer guaranteed to work correctly.</EM></P><P> <STRONG> </STRONG></P><P>2. 106016 log message is related to a check which is not configurable right ?</P><P></P><P>Thank you</P></BODY></HTML> Fri, 30 Aug 2013 07:18:58 GMT https://community.cisco.com/t5/network-security/ip-spoof-question-cisco-asa/m-p/2340295#M343762 giuseppe parlato 2013-08-30T07:18:58Z https://community.cisco.com/t5/network-security/ip-spoof-question-cisco-asa/m-p/2340296#M343767 <HTML><HEAD></HEAD><BODY><P>You got it <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/grin.gif"></SPAN>.</P><P></P><P>It's always good to add more security to your Firewalls so RPF is a good deal.</P><P></P><P><SPAN>For more information about Core and Security Networking follow my website at </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking">http://laguiadelnetworking</A><SPAN>. </SPAN><BR /> <BR /><SPAN>Any question contact me at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura</P></BODY></HTML> Sun, 01 Sep 2013 07:38:46 GMT https://community.cisco.com/t5/network-security/ip-spoof-question-cisco-asa/m-p/2340296#M343767 Julio Carvajal 2013-09-01T07:38:46Z https://community.cisco.com/t5/network-security/ip-spoof-question-cisco-asa/m-p/2340297#M343774 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>1) That means that you can configure the ASA to deny ICMP packets (using the ICMP syntax) comming on the outside interface from source IP addresses from the internal side (as this is certanly never expected).</P><P></P><P>2)Exactly, </P><P></P><P><STRONG>Hey my man! Remember to rate all of my answers. We are helping for free and some kudos are really appreciated</STRONG></P><P></P><P><SPAN>For more information about Core and Security Networking follow my website at </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking">http://laguiadelnetworking</A><SPAN>. </SPAN><BR /> <BR /><SPAN>Any question contact me at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura</P></BODY></HTML> Sun, 01 Sep 2013 07:41:18 GMT https://community.cisco.com/t5/network-security/ip-spoof-question-cisco-asa/m-p/2340297#M343774 Julio Carvajal 2013-09-01T07:41:18Z https://community.cisco.com/t5/network-security/ip-spoof-question-cisco-asa/m-p/2340298#M343778 <HTML><HEAD></HEAD><BODY><P>Thanks a lot</P></BODY></HTML> Mon, 02 Sep 2013 15:03:18 GMT https://community.cisco.com/t5/network-security/ip-spoof-question-cisco-asa/m-p/2340298#M343778 giuseppe parlato 2013-09-02T15:03:18Z