Our company has three branch offices. All these offices have an ASA5510 firewall installed. The three ASAs are sending syslog messages to a syslog server. All three devices are spamming the same "Deny IP spoof" message.
Our provider has assigned us an outside interface IP address per ASA device. Let's take one ASA as an example. Let's say the assigned outside IP address for one of the ASAs is 18.104.22.168. We are using 22.214.171.124 as the default gateway (next-hop router of our provider). Our provider has also assigned us an extra external IP block to NAT our internal servers. Let's say this is 126.96.36.199 to 188.8.131.52. Now, if I look at the syslog messages of one of our ASAs, 99% of them are the following messages, which keep spamming our log server:
%ASA-2-106016: Deny IP spoof from (184.108.40.206) to 220.127.116.11 on interface outside
%ASA-2-106016: Deny IP spoof from (18.104.22.168) to 22.214.171.124 on interface outside
%ASA-2-106016: Deny IP spoof from (126.96.36.199) to 188.8.131.52 on interface outside
%ASA-2-106016: Deny IP spoof from (184.108.40.206) to 220.127.116.11 on interface outside
%ASA-2-106016: Deny IP spoof from (18.104.22.168) to 22.214.171.124 on interface outside
As you can see, 126.96.36.199 is the configured outside IP address on the outside interface. The IP addresses in the 2.2.2.x subnet are the extra external IP block assigned by our provider. The external IP addresses have not yet been assigned (NATed) to one of our hosts, so they are currently not yet in use. However, they are routed to our ASA by our provider.
How can I solve this issue so that the ASAs stop logging this spoof message? And what causes it anyway? To me it seems that our own firewall is trying to reach one of the IP addresses in the alternate IP block, but for what reason?
Thanks in advance for the help.
If you disable URPF on the outside interface, then these messages shouldn't be logged any more. One reason for this message could be that a client/server behind the ASA is accessing this IP. The ASA routes it through the default-route to the ISP which directly sends it back to the ASA.
I disabled it using the following command:
ASA(config)# no ip verify reverse-path interface outside
However the messages are still logged every few seconds.
Is there anything else I can do to solve this?
I've waited for the weekend to pass but unfortunately it is still logging this message every few seconds. Also, according to the Cisco website, URPF should be disabled by default. I have never enabled this feature in the past on any of our 3 ASAs. But the command "no ip verify reverse-path interface outside" didn't solve it.
The 3 ASAs are all set up the same way. All have a static outside interface IP address and an extra IP block for NATting purposes.
URPF is disabled by default and yes, it's a best practice to enable it if possible.
I would capture the traffic on the ASA to see what kind of traffic causes these logs and which device originates them.
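Before reaching for a capture, it helps to put some structure on the syslog flood: which interface the drops arrive on, and whether the source and destination are addresses the ASA itself owns (its outside interface address, the NAT block) or something foreign. The parser below does that for %ASA-2-106016 lines. It is an added example written for this thread, not code from the original posts or from Cisco; the log lines, the outside address 192.0.2.10 and the NAT block 198.51.100.0/29 are constructed placeholders (RFC 5737 documentation ranges). One caveat worth knowing when reading the earlier replies: 106016 is the ASA's own check for a packet arriving with a source address it considers local (its own interface address or a directly connected subnet), and it is logged whether or not `ip verify reverse-path` is configured; uRPF failures are a different message, 106021, so the `no ip verify reverse-path` command having no effect on these lines is expected.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log, in the shape a syslog server stores ASA messages.
# Not taken from the thread; addresses are RFC 5737 documentation ranges.
LOG = """\
<163>Jan 14 10:00:01 asa-branch1 %ASA-2-106016: Deny IP spoof from (192.0.2.10) to 198.51.100.2 on interface outside
<163>Jan 14 10:00:04 asa-branch1 %ASA-2-106016: Deny IP spoof from (192.0.2.10) to 198.51.100.3 on interface outside
<163>Jan 14 10:00:09 asa-branch1 %ASA-2-106016: Deny IP spoof from (198.51.100.2) to 198.51.100.3 on interface outside
<163>Jan 14 10:00:11 asa-branch1 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/50000 (192.0.2.10/50000)
<163>Jan 14 10:00:15 asa-branch1 %ASA-2-106016: Deny IP spoof from (10.0.0.5) to 192.0.2.10 on interface outside
""".splitlines()

# Placeholder values for "what this ASA owns on its outside side" (assumed).
OUTSIDE_IP = "192.0.2.10"
NAT_BLOCK = "198.51.100.0/29"

# The ASA prints the source in parentheses and names the ingress interface last.
SPOOF_RE = re.compile(
    r"%ASA-\d-106016: Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+)"
    r" on interface (?P<iface>\S+)"
)


def parse_106016(line):
    """Return (src, dst, iface) for a 106016 line, or None for any other message."""
    m = SPOOF_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("iface")


def classify(ip, outside_ip, nat_block):
    """Label an address relative to the addresses this ASA owns on the outside."""
    addr = ipaddress.ip_address(ip)
    if addr == ipaddress.ip_address(outside_ip):
        return "outside-ip"
    if addr in ipaddress.ip_network(nat_block):
        return "nat-block"
    return "other"


def summarize(lines, outside_ip, nat_block):
    """Count (iface, src_label, dst_label, src, dst) tuples over a log."""
    counts = Counter()
    for line in lines:
        parsed = parse_106016(line)
        if parsed is None:
            continue  # unrelated message, e.g. 302013 connection built
        src, dst, iface = parsed
        key = (
            iface,
            classify(src, outside_ip, nat_block),
            classify(dst, outside_ip, nat_block),
            src,
            dst,
        )
        counts[key] += 1
    return counts


def triage(counts):
    """Split the drops into packets sourced from our own addresses vs. foreign ones.

    A high 'own_source' count on the outside interface means the ASA is seeing
    its own outside address or NAT block as the *source* of inbound packets,
    which is what a hairpin through the provider's default route looks like,
    rather than a third party spoofing us.
    """
    own = foreign = 0
    for (_iface, src_label, _dst_label, _src, _dst), n in counts.items():
        if src_label == "other":
            foreign += n
        else:
            own += n
    return {"own_source": own, "foreign_source": foreign}


def report(counts):
    """Render the summary as lines sorted by frequency, most common first."""
    rows = []
    for (iface, sl, dl, src, dst), n in counts.most_common():
        rows.append(f"{n:5d}  {iface:8s} {src} [{sl}] -> {dst} [{dl}]")
    return rows


if __name__ == "__main__":
    c = summarize(LOG, OUTSIDE_IP, NAT_BLOCK)
    print("\n".join(report(c)))
    print(triage(c))
```

If the summary shows the sources are your own outside address or NAT block arriving on `outside`, the first reply's explanation fits: an inside host sends traffic to an unused NAT-block address, the ASA has no more specific route than the default, the provider routes the block straight back, and the ASA drops the returning packet because its source is an address the ASA owns. To confirm on the box, the capture the last reply suggests can be narrowed to one flagged pair, for instance `capture spoof interface outside match ip host 192.0.2.10 host 198.51.100.2` followed by `show capture spoof` (capture name and addresses are placeholders to substitute).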