1018 Views · 0 Helpful · 5 Replies

ASA deny spoof, webpage responds to network IP and Broadcast?

cshannahan (Level 1)

Hey, I have a weird issue going on. My ASA has a class C network configured (10.105.29.0/24). The interface IP is .254.

I started to get deny spoof messages when our IT security started to scan our subnets, see below.

<186>Mar 27 2018 09:00:14: %ASA-2-106016: Deny IP spoof from (10.105.29.0) to 10.6.111.25 on interface sp-ngs-ilo

I can actually browse to the .0 (network IP) address and log into the system. The system does not have .0 configured for the IP address; it probably would allow it. As you see below, I've connected to the .0 IP from my browser. (keep reading below) [screenshot]

I also get the messages when I try to connect to the broadcast IP (.255). We have other class C networks but none act this same way.

We have 2 production environments and a test environment; ALL 3 do this. When I'm on the local subnet and try to browse to .0 it cannot connect; it's just going direct, obviously, and nothing responds.

At first I figured something was configured wrong on a system, but it seems that when I hit the network IP, the ASA allows it, logs the deny message, and somehow the tape library (.66) responds. Again, it doesn't do this locally on its own VLAN. Why would it allow the connection to the network IP? It's odd that all 3 environments are the same; the tape library responds in each.

Can anyone explain this?

5 Replies

johnd2310 (Level 8)

Hi,

Does that device respond only to the .0 and .255 addresses, or does it also respond to any IP that is not active on the network? Could be that the tape library is running proxy ARP. Have you checked the IP configuration of the tape library?

Thanks

John

**Please rate posts you find helpful**

I believe the network config of the tape was in the screenshot above; I didn't see anything anywhere about proxy ARP, though it is enabled on the firewall.

The device IP is .66; when I access .0 from outside of its own VLAN it will bring me to the admin page of the tape library, which is odd. When I access .255 I get connection refused, but I get the same spoof messages on the firewall.

When I access other IPs that aren't used, things just time out, so it seems only to be an issue with .0 when accessing from outside of the local network.

TCP outside-routed 10.51.250.1:57734 sp-ngs-ilo 10.105.29.0:80, idle 0:00:08, bytes 4507, flags UIOXB
TCP outside-routed 10.51.250.1:57733 sp-ngs-ilo 10.105.29.0:80, idle 0:00:07, bytes 81029, flags UIOXB
TCP outside-routed 10.51.250.1:57731 sp-ngs-ilo 10.105.29.0:80, idle 0:00:08, bytes 16358, flags UIOXB
TCP outside-routed 10.51.250.1:57730 sp-ngs-ilo 10.105.29.0:80, idle 0:00:08, bytes 13278, flags UIOXB

[screenshot]

I believe it might have something to do with directed broadcast or something along those lines; I don't see those commands on the ASA though.
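The %ASA-2-106016 syslog line in the original post and the show conn output in the reply above both name the network address 10.105.29.0 as one end of the traffic. As an added example (not part of this thread and not Cisco code), the Python below parses both formats and flags any entry whose address is the network or broadcast address of the subnet attached to the named interface, which is the check a log reviewer would want when deciding whether such messages are scanner noise or a host answering for an address it should not own. The interface-to-subnet map is an assumption built from the thread (sp-ngs-ilo is 10.105.29.0/24); the sample lines are the two quoted ones plus two constructed ones (a .255 spoof message and an ordinary host connection that must not be flagged).

```python
"""Flag ASA 106016 messages and show conn entries that involve the network
or broadcast address of a configured subnet.

Added example for this thread, not Cisco code.  The subnet and interface
name come from the thread; INTERFACE_SUBNETS is an assumed map you would
fill from your own ASA configuration.
"""
import ipaddress
import re

# Assumed: interface name -> directly connected subnet, as described in the thread.
INTERFACE_SUBNETS = {
    "sp-ngs-ilo": ipaddress.ip_network("10.105.29.0/24"),
}

# Matches: %ASA-2-106016: Deny IP spoof from (SRC) to DST on interface IFNAME
SPOOF_RE = re.compile(
    r"%ASA-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<ifname>\S+)"
)

# Matches a show conn line: PROTO if_a addr:port if_b addr:port, idle ..., bytes N, flags F
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<if_a>\S+) (?P<addr_a>[\d.]+):(?P<port_a>\d+) "
    r"(?P<if_b>\S+) (?P<addr_b>[\d.]+):(?P<port_b>\d+), idle \S+, "
    r"bytes (?P<bytes>\d+), flags (?P<flags>\S+)"
)

# Constructed sample input: the two lines quoted in the thread plus two made-up ones.
SAMPLE_LINES = [
    "<186>Mar 27 2018 09:00:14: %ASA-2-106016: Deny IP spoof from (10.105.29.0) "
    "to 10.6.111.25 on interface sp-ngs-ilo",
    "TCP outside-routed 10.51.250.1:57734 sp-ngs-ilo 10.105.29.0:80, idle 0:00:08, "
    "bytes 4507, flags UIOXB",
    "<186>Mar 27 2018 09:01:02: %ASA-2-106016: Deny IP spoof from (10.105.29.255) "
    "to 10.6.111.25 on interface sp-ngs-ilo",  # constructed: broadcast address
    "TCP outside-routed 10.51.250.1:57740 sp-ngs-ilo 10.105.29.66:80, idle 0:00:03, "
    "bytes 512, flags UIOB",  # constructed: ordinary host, must not be flagged
]


def classify_address(addr, ifname):
    """Return 'network', 'broadcast' or 'host' for addr relative to the subnet
    attached to ifname; None if the interface is unknown or addr is outside it."""
    net = INTERFACE_SUBNETS.get(ifname)
    if net is None:
        return None
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return None
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


def parse_spoof(line):
    """Parse a 106016 line into a dict (with 'kind' for the source address), else None."""
    m = SPOOF_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["kind"] = classify_address(d["src"], d["ifname"])
    return d


def parse_conn(line):
    """Parse a show conn line; 'kind'/'flagged' record a network or broadcast
    address on either side of the connection, or None when both sides are hosts."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["bytes"] = int(d["bytes"])
    d["kind"], d["flagged"] = None, None
    for addr_key, if_key in (("addr_a", "if_a"), ("addr_b", "if_b")):
        kind = classify_address(d[addr_key], d[if_key])
        if kind in ("network", "broadcast"):
            d["kind"], d["flagged"] = kind, d[addr_key]
            break
    return d


def findings(lines):
    """Return (source, kind, address) for every line touching a network or broadcast address."""
    out = []
    for line in lines:
        spoof = parse_spoof(line)
        if spoof is not None:
            if spoof["kind"] in ("network", "broadcast"):
                out.append(("106016", spoof["kind"], spoof["src"]))
            continue
        conn = parse_conn(line)
        if conn is not None and conn["kind"] is not None:
            out.append(("conn", conn["kind"], conn["flagged"]))
    return out


if __name__ == "__main__":
    for source, kind, addr in findings(SAMPLE_LINES):
        print(f"{source}: {kind} address {addr} in use")
```

Run against a real syslog export and show conn dump, the output lists exactly the entries where a packet or session is using a network or broadcast address on a directly connected interface; a host such as the .66 tape library answering for .0 shows up as "conn: network address 10.105.29.0 in use" while normal host traffic produces nothing.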