06-03-2010 09:25 AM - edited 03-11-2019 10:54 AM
Hello
Is there a way I can allow spoofed packets from one server to another through a PIX firewall (version 8)? This is for forwarding syslog packets so the destination thinks they were sent from the originating IP address. But I get the following message and I can't see how to permit it. No anti-spoofing or threat detection is turned on.
Deny IP spoof from (10.x.x.2) to Server-X on interface inside
06-03-2010 09:40 AM
Hi,
Do you have access to ASDM?
Can you check under Configuration, Firewall, Advanced, Anti-spoofing..
if you have it enabled for those interfaces?
Federico.
06-03-2010 09:45 AM
I'm using a PIX 515 v8.0(4)32
I don't have anti-spoofing enabled; if I enable it I get "Deny UDP reverse path check from 10.x.x.2 to Server-X on interface inside".
06-03-2010 09:53 AM
Yes, I missed it from your original post, sorry.
I'm not sure if the ASA performs anti-spoofing by default on its interfaces.
If you do enable anti-spoofing, the ASA is going to verify that there's a route to the packet's source through the interface on which it received it. If there isn't, it will give you that error.
Do those spoofed packets that you want to allow through the PIX exist somewhere in your network?
Does the ASA know how to reach those addresses through another interface?
Federico.
06-03-2010 09:56 AM
Yes, the spoof packets network exist and there is a route
06-03-2010 10:01 AM
I understand that the range purposely exists on another interface and you're receiving them on the inside (that's why they are spoofed packets).
However, I believe that if the PIX has a route to those addresses via one interface and it receives them via another interface, the PIX will not allow those packets through (and I think there's no way to do it)... unless you don't need the route to the actual addresses and put the route to the inside (but then, there are no spoofed packets anymore).
Honestly, I don't see a way to allow the packets through without letting the PIX know they should come from that interface (inside in this case).
However I might be missing something...
Federico.
11-24-2010 08:36 PM
Deny IP spoof from (10.x.x.2) to Server-X on interface inside
Is 10.x.x.2 your ASA's inside interface?
Do you have a static route that directs traffic to Server-X to your core switch? And then a default route on the core switch to the ASA?
If so, all traffic initially from the ASA will go to the core switch and then be directed back to the ASA with the source address as the ASA's address. The ASA deems this a spoofed address. This happens when the Server-X route isn't on the core switch. (For example, Server-X is in a remote site and the remote site is down.)
I don't know how to disable this warning message. I have the same issue in my environment.
11-24-2010 09:19 PM
I ended up configuring static routes on the switch for all hosts the ASA needs to talk to, with a bigger admin distance.
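The two drop cases discussed in this thread (Federico's explanation of the reverse-path lookup in the 10:01 AM post, and the core-switch "bounce" described in the 08:36 PM post together with the floating-static workaround in the 09:19 PM post) can be reproduced with a small routing model. The following is an added example, not Cisco code or anything posted by the participants: interface names, prefixes, addresses and the ordering of the checks are assumptions chosen so that the model produces the same two log messages quoted above. The always-on spoof check is modelled as "source is one of the firewall's own addresses, or lies in a subnet directly connected to a different interface"; the reverse-path check runs only where `ip verify reverse-path` is assumed enabled and requires the route to the source to point out of the ingress interface.

```python
"""Added example: model of the anti-spoofing decisions discussed in the thread.

Constructed illustration, not Cisco's implementation. All names, prefixes and
addresses are invented; the order of the checks is an assumption made so the
output matches the two messages quoted in the thread.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network, ip_address


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str            # egress interface
    next_hop: str = ""        # "" for directly connected routes
    admin_distance: int = 1   # lower wins when prefix lengths tie


class Router:
    """Longest-prefix-match forwarding table (ties broken by admin distance)."""

    def __init__(self, interfaces: dict[str, str], static: list[Route] = ()):
        self.interfaces = {n: IPv4Interface(a) for n, a in interfaces.items()}
        connected = [Route(i.network, n, "", 0) for n, i in self.interfaces.items()]
        self.routes = connected + list(static)

    def lookup(self, dst) -> Route | None:
        dst = ip_address(dst)
        candidates = [r for r in self.routes if dst in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))

    def own_addresses(self) -> set[IPv4Address]:
        return {i.ip for i in self.interfaces.values()}


class Firewall(Router):
    """Router plus the ingress source checks described in the thread."""

    def __init__(self, interfaces, static=(), rpf_interfaces=()):
        super().__init__(interfaces, static)
        self.rpf_interfaces = set(rpf_interfaces)   # where 'ip verify reverse-path' is on

    def check_source(self, ingress: str, src: str, dst: str, proto: str = "UDP"):
        """Return (permitted, log line); log formats follow the thread's messages."""
        s = ip_address(src)
        # Reverse-path check (assumed to run first, only where enabled): the
        # route back to the source must leave via the ingress interface.
        if ingress in self.rpf_interfaces:
            back = self.lookup(s)
            if back is None or back.interface != ingress:
                return False, f"Deny {proto} reverse path check from {src} to {dst} on interface {ingress}"
        # Always-on spoof check (modelling assumption): our own address, or a
        # subnet connected to some other interface, must not appear as a source here.
        if s in self.own_addresses():
            return False, f"Deny IP spoof from ({src}) to {dst} on interface {ingress}"
        for name, iface in self.interfaces.items():
            if name != ingress and s in iface.network:
                return False, f"Deny IP spoof from ({src}) to {dst} on interface {ingress}"
        return True, f"Permit {proto} from {src} to {dst} on interface {ingress}"


def scenario_spoofed_syslog(rpf_on: bool):
    """Syslog relay on 'inside' forwards with the original source 10.1.1.2,
    an address that lives on the 'dmz' subnet (constructed addresses)."""
    fw = Firewall({"inside": "192.0.2.1/24", "dmz": "10.1.1.1/24", "outside": "198.51.100.1/24"},
                  rpf_interfaces=["inside"] if rpf_on else [])
    return fw.check_source("inside", "10.1.1.2", "192.0.2.50")


def scenario_core_bounce(floating_static: bool):
    """Firewall sends syslog from its own inside address to Server-X via the core
    switch; the core's default route points back at the firewall and its
    dynamic route to Server-X is gone (remote site down). A floating static on
    the core (higher admin distance) keeps the traffic off the default route."""
    fw = Firewall({"inside": "192.0.2.1/24", "outside": "198.51.100.1/24"},
                  static=[Route(IPv4Network("172.16.5.0/24"), "inside", "192.0.2.2")])
    core_static = [Route(IPv4Network("0.0.0.0/0"), "toasa", "192.0.2.1")]
    if floating_static:
        core_static.append(Route(IPv4Network("172.16.5.0/24"), "wan", "10.9.9.2", 250))
    core = Router({"toasa": "192.0.2.2/24", "wan": "10.9.9.1/30"}, core_static)
    src, dst = "192.0.2.1", "172.16.5.10"
    hop = core.lookup(dst)
    if hop.next_hop == "192.0.2.1":            # bounced back to the firewall
        return fw.check_source("inside", src, dst)
    return True, f"core forwards {src}->{dst} out {hop.interface} via {hop.next_hop}"


if __name__ == "__main__":
    for rpf in (False, True):
        print(scenario_spoofed_syslog(rpf)[1])
    for fix in (False, True):
        print(scenario_core_bounce(fix)[1])
```

The first scenario shows why turning the reverse-path check on only changes the message, not the verdict: the source still resolves to a different interface than the one it arrived on. The second shows that the 09:19 PM workaround does not touch the firewall at all; it stops the core from ever handing the firewall's own packet back to it.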
09-17-2015 12:13 PM
I have the same issue with syslogs getting forwarded back across the same firewall they were generated from. Did you find a solution?