topic Deny IP spoof on interface inside in Network Security

Deny IP spoof on interface inside

Sergey Drugov — Mon, 11 Mar 2019 23:20:30 GMT

Hello,

I'm trying to attach tacacs server (ACS Version 5.2) in server group on ASA 5520 (Version 8.4). When I test connection in ASDM (Version 6.4) between ASA and ACS it fails. The log message on ASA is:

%ASA-2-106016: Deny IP spoof from (10.8.27.126) to 10.8.48.10 on interface inside.

Packet-tracer from ASA is:

InternetASA# packet-tracer input inside tcp 10.8.27.126 4444 10.8.48.10 49

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.8.48.0 255.255.255.0 inside

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

What access-list or implicit rule may be the reason of denying these packets?

Re: Deny IP spoof on interface inside

Karsten Iwen — Mon, 18 Jun 2012 23:59:23 GMT

Hi,

for this setup the Interrface-ACLs are not relevant as they are only for through-traffic.

probably your tacacs-config is broken. Which is your TACACS-Server-address?

And provide some output:

- show run aaa-server

- show run route

- show interface ip brief

regards, Karsten

Sent from Cisco Technical Support iPad App

Deny IP spoof on interface inside

Sergey Drugov — Tue, 19 Jun 2012 08:29:15 GMT

Hello Karsten,

1. TACACS-Server-address is 10.8.48.10

2. show run aaa-server:

aaa-server TACACS protocol tacacs+

aaa-server TACACS (inside) host 10.8.48.10

key *****

3. show run route

InternetASA# sh run route

route outside 0.0.0.0 0.0.0.0 83.220.35.113 1

InternetASA# sh route | i 10.8.48.

D 10.8.48.0 255.255.255.0 [90/3072] via 10.8.27.1, 521:52:24, inside

InternetASA#

4. show interface ip brief

InternetASA# sh int ip brie

Interface IP-Address OK? Method Status Protocol

GigabitEthernet0/0 unassigned YES unset up up

GigabitEthernet0/0.127 10.8.27.126 YES CONFIG up up

GigabitEthernet0/2 10.10.27.129 YES unset up up

GigabitEthernet0/3 83.220.35.125 YES CONFIG up up