12-10-2014 09:20 AM - edited 03-11-2019 10:12 PM
I have a strange issue that I cannot seem to figure out. We have a customer that has two different ASAs for two different environments. We have a VPN tunnel set up so that when they connect to the AnyConnect client via Firewall-A, the traffic can hairpin over the tunnel and access the servers behind Firewall-B. That is working fine, but the problem is when we try to access the ASDM via the inside IP address over the SSL VPN on Firewall-A, we get this message:
Deny IP spoof from (10.200.0.6) to 10.0.193.1 on interface outside
We can access the ASDM on Firewall-B, but not on Firewall-A. I do not know why the ASA thinks this is a spoofing attack. Can someone shed some light on this for me? Thanks in advance!
12-10-2014 04:25 PM
I'm not quite envisioning the setup. Can you give us a simple diagram?
12-11-2014 07:51 AM
I attached a simple diagram, hopefully explaining it a little better. While connected to the SSL VPN on Firewall A, they are able to access all the servers behind Firewall A and Firewall B, and can access the ASDM on Firewall B, but cannot access the ASDM on Firewall A; that's when I see the spoofing messages in the logs. Let me know if this makes sense now. Thanks!
12-11-2014 09:07 AM
From Cisco documentation:
If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the ASA drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the ASA drops the packet because the matching route (the default route) indicates the outside interface.
I'm not sure how you could prevent the ASA from having this error short of disabling Anti-Spoofing on the outside interface.
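The check the quoted documentation describes is a unicast reverse-path check: the ASA looks up the packet's source address in its routing table and drops the packet if the best-matching route points out a different interface than the one the packet arrived on. The following is an added example (not code from the thread or from Cisco) that models that decision over a constructed routing table, so the two documented drop cases can be seen side by side with traffic that passes. The routing table, the addresses and the interface names are hypothetical; only the syslog text format (message 106016, "Deny IP spoof from ... on interface ...") is taken from the log line quoted above.

```python
"""Model of the ASA reverse-path (anti-spoofing) check quoted above.

Rule: find the longest-prefix route for the packet's SOURCE address. If that
route's interface differs from the ingress interface, the packet is dropped
as a spoof. Hypothetical example only; not the thread's configuration.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, egress interface)

# Constructed routing table for a hypothetical ASA (example data).
ROUTES: List[Route] = [
    ("0.0.0.0/0", "outside"),       # default route points out the outside interface
    ("10.0.193.0/24", "inside"),    # inside LAN (the thread's inside interface is 10.0.193.1)
    ("192.168.50.0/24", "inside"),  # a second inside subnet
]


def best_route(routes: List[Route], src: str) -> Optional[str]:
    """Longest-prefix match on the source address; returns the route's interface.

    With a default route present there is always a match, so None only means
    the table had no covering prefix at all.
    """
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(routes: List[Route], src: str, dst: str, ingress: str) -> Optional[str]:
    """Return None if the packet passes the reverse-path check.

    Otherwise return the syslog line the ASA would emit for the drop, in the
    format of the message quoted in the thread (%ASA-2-106016).
    """
    expected_iface = best_route(routes, src)
    if expected_iface == ingress:
        return None
    return f"%ASA-2-106016: Deny IP spoof from ({src}) to {dst} on interface {ingress}"


if __name__ == "__main__":
    # Constructed packets, one per case from the quoted documentation plus two that pass.
    packets = [
        # source known to the routing table but associated with inside, arriving on outside: dropped
        ("10.0.193.50", "203.0.113.10", "outside"),
        # unknown source arriving on inside; default route says outside: dropped
        ("172.16.9.9", "10.0.193.1", "inside"),
        # inside host arriving on inside: passes
        ("10.0.193.50", "198.51.100.7", "inside"),
        # Internet host arriving on outside; default route says outside: passes
        ("198.51.100.7", "203.0.113.10", "outside"),
    ]
    for src, dst, ingress in packets:
        verdict = rpf_check(ROUTES, src, dst, ingress)
        print(f"{src:>15} -> {dst:<15} in on {ingress:<8}: "
              + ("pass" if verdict is None else verdict))
```

The decision depends only on the routing table and the ingress interface, which is why the check cannot be satisfied for a given source by an access list or an `http` statement: either the best route for that source points at the interface the packet came in on, or the packet is dropped.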
12-11-2014 09:18 AM
Hi Ryan,
Thanks for the comment. We are not able to pull up the ASDM (which is accessed by using the inside interface's IP address), but we can still access servers that are on the same network. For example, we can ping x.x.x.2 and x.x.x.3, but cannot access the ASDM on https://x.x.x.1/admin and cannot ping it either. If what you said was true, wouldn't all traffic going to the inside interface be dropped? Sorry if I misunderstood your explanation.
12-11-2014 10:29 AM
Have you allowed the VPN pool in the http commands that permit ASDM management?
e.g.:
http <pool subnet and mask> inside
...on firewall A.
12-11-2014 12:15 PM
Yes, that has been configured.