Deny IP spoof from (global) to (Static NAT) on outside interface help!

jtadamofod81 · ‎06-03-2013

Hello World,

I'm receiving an error when trying to access a web server behind from one subinterface to another subinterface on an ASA access the public IP. I'm getting the following:

Global Static NAT

Deny IP spoof from (61.X.X.X) to 201.X.X.X on interface Outside

Traffic dies at the firewall stating that the traffic is spoofed from the Global address (61.) to the static (201.) address. Both bound to the outside interface.

When I create a static NAT on the firewall there is no problem; however when I'm patting against the firewall to the public IP I get the denies.

Can anyone offer any insight?

Jouni Forss · ‎06-03-2013

Hi,

Could you elaborate a bit on what the actual setup on the firewall is and perhaps provide the NAT configurations?

- Jouni

Christopher Bell · ‎06-03-2013

Have you enabled traffic for two or more hosts on the same interface? Since you are using one physical interface I think this needs to be enabled.

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.

jtadamofod81 · ‎06-04-2013

Journi,

No real elegant NAT configuration on the firewall. Just a dynamic NAT on the subinterfaces. Version 8.2.5. The subinterface has the following NAT config:

nat (Customer11) 1 0.0.0.0 0.0.0.0

nat-control
global (Outside) 1 interface