topic Re: IP Spoof Attack in CISCO ASA in Network Security

IP Spoof Attack in CISCO ASA

tamilvanan.saravanan — Mon, 11 Mar 2019 18:36:45 GMT

Hi Dudes,

Iam getting IP Spoof attack in my CISCO ASA Firewall. Though it's denying I want more dig into this.can anyone help me.

is there any way to discard this logs.

Note : I have already enable IP reverse path command to protect.

Please ref the logs

Deny IP Spoof from (10.111.10.1) to (10.99.100.1) on interface inside

10.111.10.1 - FW LAN face ip

10.99.100.1 - Syslog server IP

Thanks,

limat

Re: IP Spoof Attack in CISCO ASA

praprama — Wed, 08 Sep 2010 07:32:31 GMT

Hi,

Is the IP address 10.111.10.1 the IP address of the "inside" interface of the ASA? The ASA is receving a packet on the inside interface with a source IP which is it's own and the destination IP is that of the syslog server 10.99.100.1. Could you paste the output of "show route" and "show int ip brief" from the ASA?

Is the ASA sending syslogs to 10.99.100.1? If so, is it connected to the "inside" interface of the ASA? If so, it seems like the there is some kind of a routing loop in the network! The device directly connected to the ASA on the "inside" interface is sending this packet back to the ASA for some reason. Please have a look the device connected to the ASA on the inside interface.

Hope this helps!!

Thanks and Regards,

Prapanch

Re: IP Spoof Attack in CISCO ASA

Diego Armando Cambronero Arias — Wed, 08 Sep 2010 20:58:05 GMT

Which is the log numbeer. Did you upgrade to version 8.3 ?

Re: IP Spoof Attack in CISCO ASA

tamilvanan.saravanan — Thu, 09 Sep 2010 09:34:48 GMT

Hi Prapanch,

Thanks for you reply,

Yes u correct, The IP Address : 10.111.10.1 is my ASA inside interface.

but the syslogs is not directly connected in my ASA.. It's located in Mumbai.

All my devices are synd with syslog server.

Pls advice..

Thanks,

limat

Re: IP Spoof Attack in CISCO ASA

tamilvanan.saravanan — Thu, 09 Sep 2010 09:40:59 GMT

Hi,

Iam getting the message id : 106016.

Currently I have the below verions

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Please advice..

Re: IP Spoof Attack in CISCO ASA

praprama — Thu, 09 Sep 2010 13:56:03 GMT

Hey,

Well as i said previously my guess is that The device directly connected to the ASA on the "inside" interface is sending this packet back to the ASA for some reason. Please apply captures on the ASA from the ASA to the syslogs server and vice versa on the inside interface as i had said.

https://supportforums.cisco.com/docs/DOC-1222

What is the device that is directly connected to the ASA on the inside interface, that is, in between the ASA and the syslog server. Can you get the routing table of that device and paste it here?

Regards,

Prapanch

Re: IP Spoof Attack in CISCO ASA

Nagaraja Thanthry — Thu, 09 Sep 2010 14:06:42 GMT

Hello,

Is the syslog server connected through a VPN tunnel? If it is, most likely

the next hop device is sending the packets back at the firewall (default

gateway points to firewall) without encrypting the data. Common reasons

would be a break in the tunnel or other routing issues. Please check to see

if the VPN tunnel/Routing is working as expected when you see these

messages.

Hope this helps.

Regards,