https://community.cisco.com/t5/network-security/106016-deny-ip-spoof-error-on-asa-5510/m-p/1088783#M893476 <HTML><HEAD></HEAD><BODY><P>I would run a whois on those external IPs to see what they are really, this might give you an idea about the traffic. What is the destination port? (If its TCP/UDP) traffic?</P><P></P><P>Download process explorer and run it on your ISA server (no need to install it,its standalone).</P><P></P><P><A class="jive-link-custom" href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx" target="_blank">http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx</A></P><P></P><P>Check which 'service' or application is opening these connections from the ISA server. Perhaps a trojan/worm...</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 21 Nov 2008 11:43:04 GMT Farrukh Haroon 2008-11-21T11:43:04Z https://community.cisco.com/t5/network-security/106016-deny-ip-spoof-error-on-asa-5510/m-p/1088778#M893471 <P>Hi All,</P><P></P><P>I am receiving a number of errors on my Cisco ASA 5510 device that reads: </P><P></P><P>106016: Deny IP spoof from (127.0.0.1) to x.x.x.x on Interface Inside</P><P></P><P>x.x.x.x is some random IP Address. There are a number of IP Addresses that are reported. </P><P></P><P>Any ideas?</P> Mon, 11 Mar 2019 14:14:14 GMT https://community.cisco.com/t5/network-security/106016-deny-ip-spoof-error-on-asa-5510/m-p/1088778#M893471 pjscott13 2019-03-11T14:14:14Z https://community.cisco.com/t5/network-security/106016-deny-ip-spoof-error-on-asa-5510/m-p/1088779#M893472 <HTML><HEAD></HEAD><BODY><P>Since that is a loopback IP, it could be any host. Probably one with vmware etc. Do a packet capture for that IP and get the mac-address. Then trace it on your network</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 18 Nov 2008 08:06:11 GMT https://community.cisco.com/t5/network-security/106016-deny-ip-spoof-error-on-asa-5510/m-p/1088779#M893472 Farrukh Haroon 2008-11-18T08:06:11Z https://community.cisco.com/t5/network-security/106016-deny-ip-spoof-error-on-asa-5510/m-p/1088780#M893473 <HTML><HEAD></HEAD><BODY><P>I have to admit that the x.x.x.x ip addresses that appear are external public IP addresses that I have no idea what they are. </P><P></P><P>Also on the Internal Interface of the ASA there is an ISA Server... there is nothing between the ASA and ISA server. Is there another way of getting a packet capture without installing a hub between the ASA and the ISA... as obviously this means there will be an outage while I install the hub? </P></BODY></HTML> Wed, 19 Nov 2008 02:36:41 GMT https://community.cisco.com/t5/network-security/106016-deny-ip-spoof-error-on-asa-5510/m-p/1088780#M893473 pjscott13 2008-11-19T02:36:41Z https://community.cisco.com/t5/network-security/106016-deny-ip-spoof-error-on-asa-5510/m-p/1088781#M893474 <HTML><HEAD></HEAD><BODY><P>Well there is a capture command built-in the ASA:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml#s3" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml#s3</A></P><P></P><P>Once you get the mac-address, wireshark will show you the vendor name as derived from the MAC Address OID field (or you can google it up pretty quick).</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Wed, 19 Nov 2008 03:13:37 GMT https://community.cisco.com/t5/network-security/106016-deny-ip-spoof-error-on-asa-5510/m-p/1088781#M893474 Farrukh Haroon 2008-11-19T03:13:37Z https://community.cisco.com/t5/network-security/106016-deny-ip-spoof-error-on-asa-5510/m-p/1088782#M893475 <HTML><HEAD></HEAD><BODY><P>Thanks! This is somewhat helpful. From what I have found the MAC address is of the ISA server (which is the only thing that connects to the Inside interface of the ASA... no surprise really) but why?</P><P></P><P>The packet capture shows that the source IP Address is 127.0.0.1 with the MAC of the ISA server and the Destination is of various external IP Addresses with the destination MAC address of the ASA. </P><P></P><P>What can I check now? </P></BODY></HTML> Fri, 21 Nov 2008 04:26:29 GMT https://community.cisco.com/t5/network-security/106016-deny-ip-spoof-error-on-asa-5510/m-p/1088782#M893475 pjscott13 2008-11-21T04:26:29Z https://community.cisco.com/t5/network-security/106016-deny-ip-spoof-error-on-asa-5510/m-p/1088783#M893476 <HTML><HEAD></HEAD><BODY><P>I would run a whois on those external IPs to see what they are really, this might give you an idea about the traffic. What is the destination port? (If its TCP/UDP) traffic?</P><P></P><P>Download process explorer and run it on your ISA server (no need to install it,its standalone).</P><P></P><P><A class="jive-link-custom" href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx" target="_blank">http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx</A></P><P></P><P>Check which 'service' or application is opening these connections from the ISA server. Perhaps a trojan/worm...</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 21 Nov 2008 11:43:04 GMT https://community.cisco.com/t5/network-security/106016-deny-ip-spoof-error-on-asa-5510/m-p/1088783#M893476 Farrukh Haroon 2008-11-21T11:43:04Z