anyconnect behavior

Benjamin Saito
Level 1

I have a strange issue that I cannot seem to figure out. We have a customer that has 2 different ASAs for 2 different environments. We have a VPN tunnel set up so that when they connect to the AnyConnect client via Firewall-A, the traffic can hairpin over the tunnel and access the servers behind Firewall-B. That is working fine, but the problem is when we try to access the ASDM via the inside IP address over the SSL VPN on Firewall-A we get this message:

Deny IP spoof from (10.200.0.6) to 10.0.193.1 on interface outside

 

We can access the ASDM on Firewall-B, but not on Firewall-A. I do not know why the ASA thinks this is a spoofing attack. Can someone shed some light on this for me? Thanks in advance!

 

6 Replies

Marvin Rhoads
Hall of Fame

I'm not quite envisioning the setup. Can you give us a simple diagram?

I attached a simple diagram, hopefully explaining it a little better. While connected to the SSL VPN on Firewall A, they are able to access all the servers behind Firewall A and Firewall B, and can access the ASDM on Firewall B, but cannot access the ASDM on Firewall A; that's when I see the spoofing messages in the logs. Let me know if this makes sense now. Thanks!

From Cisco documentation:

If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the ASA drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the ASA drops the packet because the matching route (the default route) indicates the outside interface.

 

I'm not sure how you could prevent the ASA from having this error short of disabling Anti-Spoofing on the outside interface.
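To make the reverse-path check described in that documentation quote concrete, here is an added Python model (not Cisco code and not from this thread) of the lookup the ASA performs: the packet's source address is looked up in the routing table, and the packet is dropped as spoofed if the matching route points to an interface other than the one the packet arrived on. The routing tables and addresses below are constructed for illustration; the second table only shows what kind of route produces the exact message quoted in the question.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). Not taken from the thread.
ROUTES = [
    ("0.0.0.0/0", "outside"),        # default route
    ("10.0.193.0/24", "inside"),     # inside LAN, same range as the ASDM address in the log
    ("10.200.0.0/24", "outside"),    # hypothetical AnyConnect pool, reachable via outside
]

# Constructed variant where the pool is (wrongly) routed to the inside interface.
ROUTES_POOL_INSIDE = [r for r in ROUTES if r[0] != "10.200.0.0/24"] + [
    ("10.200.0.0/24", "inside"),
]


def lookup_route(address, routes=ROUTES):
    """Longest-prefix match; returns the egress interface, or None if no route matches."""
    addr = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_check(src, dst, ingress, routes=ROUTES):
    """Model of the unicast reverse-path check the documentation describes.

    Returns (allowed, message). The route for the *source* address must point
    back out the interface the packet came in on; otherwise the packet is
    logged as a spoof and dropped.
    """
    expected_iface = lookup_route(src, routes)
    if expected_iface is None or expected_iface != ingress:
        return False, f"Deny IP spoof from ({src}) to {dst} on interface {ingress}"
    return True, "permit"


if __name__ == "__main__":
    # Case 1 from the documentation: inside address arriving on outside -> drop.
    print(rpf_check("10.0.193.50", "10.200.0.6", "outside"))
    # Case 2: unknown source arriving on inside; default route says outside -> drop.
    print(rpf_check("192.0.2.9", "10.0.193.1", "inside"))
    # Pool routed via outside: VPN client to inside address passes the check.
    print(rpf_check("10.200.0.6", "10.0.193.1", "outside"))
    # Pool routed via inside: reproduces the message quoted in the question.
    print(rpf_check("10.200.0.6", "10.0.193.1", "outside", ROUTES_POOL_INSIDE))
```

The check is decided entirely by which interface the route for the source address points to, so `show route` for the client's pool address is the first thing to compare against the interface named in the log line.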

Hi Ryan,

Thanks for the comment. We are not able to pull up the ASDM (which is accessed by using the inside interface's IP address), but we can still access servers that are on the same network. For example, we can ping x.x.x.2 and x.x.x.3, but cannot access the ASDM on https://x.x.x.1/admin and cannot ping it either. If what you said was true, wouldn't all traffic going to the inside interface be dropped? Sorry if I misunderstood your explanation.

Have you allowed the VPN pool in the http commands that permit ASDM management?

e.g.:

http <pool subnet and mask> inside

...on firewall A.

Yes, that has been configured.
