topic spoof log in Network Security

spoof log

ohassairi — Mon, 11 Mar 2019 17:47:46 GMT

hello

i am getting this log message from ASA5520 :

Deny IP spoof from (Cicso_Works) to 10.162.50.70 on interface inside

Notes:

-cisco_works is in inside interface

-10.162.50.70 is the IP of one interface (one DMZ) in ASA

i can't understand why am i getting this message!

Re: spoof log

Jennifer Halim — Wed, 19 May 2010 08:40:55 GMT

Since 10.162.50.70 is supposed to be connected to DMZ interface as advised, and you are actually getting the traffic on inside interface of the ASA, that is why you are getting the spoof error message. Traffic sourced from 10.162.50.70 should only go inbound towards the ASA DMZ interface, not any other interfaces.

Hope that answers your question.

Re: spoof log

ohassairi — Thu, 20 May 2010 04:31:12 GMT

you said:

1-Since 10.162.50.70 is supposed to be connected to DMZ interface

->actually this IP is the IP of the DMZ interface itself and not of one PC connected to DMZ

2-Traffic sourced from 10.162.50.70 should only go inbound towards the ASA DMZ interface,

-> according to the syslog msg, the traffic is sourced from cisco_works and not 10.162.50.70!

i can't understand your explanaition 😞

Re: spoof log

Jennifer Halim — Thu, 20 May 2010 07:51:57 GMT

It seems that there might be some routing loop that is causing packet that is sourced from the ASA DMZ interface to arrive on the inside interface instead.

Most times it is caused by routing loop in your network.