03-27-2018 11:23 AM - edited 02-21-2020 07:34 AM
Hey, I have a weird issue going on. My ASA has a class c network configured (10.105.29.0/24). The interface IP is .254.
I started to get deny spoof messages when our IT security started to scan our subnets, see below.
<186>Mar 27 2018 09:00:14: %ASA-2-106016: Deny IP spoof from (10.105.29.0) to 10.6.111.25 on interface sp-ngs-ilo
I can actually browse to the .0 (network IP) address and log into the system. The system does not have .0 configured for the IP address; it probably would allow it. As you see below, I've connected to the .0 IP from my browser. (keep reading below)
I also get the messages when I try to connect to the broadcast IP, 255. We have other class c networks but none act this same way.
We have 2 Production environments, and a test environment, ALL 3 do this. When I'm on the local subnet and try to browse to .0 it cannot connect, it's just going direct obviously and nothing responds.
At first I figured something was configured wrong on a system, but it seems that when I hit the network IP, the ASA allows it, logs the deny message, and somehow the tape library (.66) responds. Again, it doesn't do this locally on its own VLAN. Why would it allow the connection to the network IP? Odd that all 3 environments are the same; the tape library responds in each.
Can anyone explain this?
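For anyone triaging a flood of these messages during a scan, here is an added example (my own code, not from this thread or from Cisco) that parses %ASA-2-106016 lines and says, for each one, whether the flagged source is the network address, the broadcast address, a loopback address, or an ordinary host on the interface's subnet. The interface-to-subnet map is an assumption filled in from the figures in the post (sp-ngs-ilo = 10.105.29.0/24); in practice you would load it from the running config. Only the first sample line mirrors the message posted above; the others are constructed to exercise the classifier.

```python
import ipaddress
import re

# Constructed sample syslog. The first line mirrors the message posted in the
# thread; the remaining lines are made up to exercise each classification.
SAMPLE_LOG = """\
<186>Mar 27 2018 09:00:14: %ASA-2-106016: Deny IP spoof from (10.105.29.0) to 10.6.111.25 on interface sp-ngs-ilo
<186>Mar 27 2018 09:00:20: %ASA-2-106016: Deny IP spoof from (10.105.29.255) to 10.6.111.25 on interface sp-ngs-ilo
<186>Mar 27 2018 09:01:02: %ASA-2-106016: Deny IP spoof from (127.0.0.1) to 10.6.111.25 on interface sp-ngs-ilo
<186>Mar 27 2018 09:01:10: %ASA-2-106016: Deny IP spoof from (10.105.29.66) to 10.6.111.25 on interface sp-ngs-ilo
<186>Mar 27 2018 09:02:00: %ASA-6-302013: Built inbound TCP connection 12345 for outside:10.51.250.1/57734 (10.51.250.1/57734) to sp-ngs-ilo:10.105.29.0/80 (10.105.29.0/80)
"""

# Assumed mapping of ASA interface name to the subnet configured on it.
# Taken from the numbers in the post; replace with your own config.
INTERFACE_SUBNETS = {
    "sp-ngs-ilo": ipaddress.ip_network("10.105.29.0/24"),
}

# Matches the documented 106016 format: "Deny IP spoof from (src) to dst on interface name".
LINE_RE = re.compile(
    r"%ASA-(?P<sev>\d)-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<ifname>\S+)"
)


def parse_106016(line):
    """Return a dict for a 106016 line, or None for any other message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m.group("src"), "dst": m.group("dst"), "ifname": m.group("ifname")}


def classify_source(src, ifname):
    """Explain why the ASA could treat src as spoofed on this interface.

    Returns one of: 'loopback', 'network', 'broadcast', 'host', 'off-subnet',
    or 'unknown-interface' when the interface is not in INTERFACE_SUBNETS.
    """
    addr = ipaddress.ip_address(src)
    if addr.is_loopback:
        return "loopback"
    net = INTERFACE_SUBNETS.get(ifname)
    if net is None:
        return "unknown-interface"
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    if addr in net:
        # A normal host address should not trigger 106016; worth investigating.
        return "host"
    return "off-subnet"


def analyze(log_text):
    """Parse every 106016 line in log_text and attach a classification."""
    results = []
    for line in log_text.splitlines():
        rec = parse_106016(line)
        if rec is None:
            continue
        rec["reason"] = classify_source(rec["src"], rec["ifname"])
        results.append(rec)
    return results


def summarize(results):
    """Count (source, reason) pairs so a scan's noise collapses to a few rows."""
    counts = {}
    for rec in results:
        key = (rec["src"], rec["reason"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in analyze(SAMPLE_LOG):
        print(f"{rec['ifname']}: {rec['src']} -> {rec['dst']}  [{rec['reason']}]")
    for (src, reason), n in sorted(summarize(analyze(SAMPLE_LOG)).items()):
        print(f"{n:4d}  {src:16s} {reason}")
```

Feed it the output of a syslog export and the summary will show at a glance whether the denies are all for .0 and .255 (expected from a scanner that walks the whole block) or whether real host addresses are also being flagged, which points at something else on that segment.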
03-27-2018 05:45 PM
Hi,
Does that device respond only to the .0 and .255 addresses, or does it also respond to any IP that is not active on the network? Could be that the tape library is running proxy ARP. Have you checked the IP configuration of the tape library?
Thanks
John
03-28-2018 04:54 AM
I believe the network config of the tape was in the screenshot above. I didn't see anything anywhere about proxy ARP, though it is enabled on the firewall.
The device IP is .66. When I access .0 from outside of its own VLAN it will bring me to the admin page of the tape library, which is odd. When I access .255 I get connection refused, but I get the same spoof messages on the firewall.
When I access other IPs that aren't used, things just time out, so it seems only to be an issue with .0 when accessing from outside of the local network.
03-29-2018 05:03 AM
TCP outside-routed 10.51.250.1:57734 sp-ngs-ilo 10.105.29.0:80, idle 0:00:08, bytes 4507, flags UIOXB
TCP outside-routed 10.51.250.1:57733 sp-ngs-ilo 10.105.29.0:80, idle 0:00:07, bytes 81029, flags UIOXB
TCP outside-routed 10.51.250.1:57731 sp-ngs-ilo 10.105.29.0:80, idle 0:00:08, bytes 16358, flags UIOXB
TCP outside-routed 10.51.250.1:57730 sp-ngs-ilo 10.105.29.0:80, idle 0:00:08, bytes 13278, flags UIOXB
03-29-2018 05:25 AM
03-29-2018 06:26 AM