10-06-2009 08:15 PM - edited 03-11-2019 09:23 AM
Hi all,
Currently I am running a Cisco ASA v8.0 IOS w/ UR license.
I have a web server running behind the ASA (in the DMZ network) and an inside network (with access to the internet).
I do run host-monitoring software which polls the corporate website of my company.
However, recently I noticed that the PCs within the inside network are not able to access the corporate website.
Upon checking the logs, this is what I get:
Deny IP spoof from (203.X.X.X) to 58.X.X.X on interface outside
The 203.X.X.X is my legitimate WAN address for those in the inside network, whereas 58.X.X.X would refer to the WAN IP for the corp web.
This is affecting me from monitoring the status of my corp web.
Other users with other IPs are able to view my website with no issues. Is there any way I can stop the ASA from denying the legitimate IP?
It worked fine previously but it started having problems ever since I tried to implement a web application firewall.
I have since removed the web app firewall and rolled back to the previous network configuration, but started having this problem ever since then.
Your help is very much appreciated!
Thanks!
10-07-2009 12:12 AM
It seems the packets from the subnet 203.X.X.X are not coming to the correct interface on the ASA.
The route for the subnet 203.X.X.X on the ASA is on some other interface.
10-07-2009 03:26 AM
Use this command in your configuration:
"ip verify reverse-path interface outside"
This command helps to prevent IP spoofing attacks arising from the outside interface.
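Added here as an example, not from any poster in the thread: a small log-triage script that reads ASA "Deny IP spoof" messages (syslog ID 106016) and separates denials whose source is one of your own public addresses (a routing/hairpin problem like the one above) from denials sourced from addresses you do not own. The address ranges and sample log lines are constructed from documentation ranges.

```python
import re
import ipaddress
from collections import Counter

# ASA syslog 106016: "Deny IP spoof from (SRC) to DST on interface IFACE"
SPOOF_RE = re.compile(
    r"Deny IP spoof from \((?P<src>[0-9a-fA-F:.]+)\) to (?P<dst>[0-9a-fA-F:.]+)"
    r" on interface (?P<iface>\S+)"
)

# Constructed: public ranges this organisation legitimately sources traffic from.
# A "spoof" denial with one of these as source points at a route/NAT problem
# on the ASA, not at an attacker on the internet.
OWN_PUBLIC = [ipaddress.ip_network("203.0.113.0/24")]


def parse_spoof_denials(lines):
    """Yield (src, dst, iface) for each Deny IP spoof line; other lines are ignored."""
    for line in lines:
        m = SPOOF_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("iface")


def classify(src, own_public=OWN_PUBLIC):
    """'own-address' if src is one of our public addresses, else 'external'."""
    addr = ipaddress.ip_address(src)
    return "own-address" if any(addr in net for net in own_public) else "external"


def triage(lines, own_public=OWN_PUBLIC):
    """Count denials per (class, src, iface) so a misconfiguration stands out from noise."""
    counts = Counter()
    for src, _dst, iface in parse_spoof_denials(lines):
        counts[(classify(src, own_public), src, iface)] += 1
    return counts


# Constructed sample log lines (documentation addresses, not real hosts)
SAMPLE_LOG = [
    "%ASA-2-106016: Deny IP spoof from (203.0.113.10) to 198.51.100.5 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (203.0.113.10) to 198.51.100.5 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (192.0.2.77) to 198.51.100.5 on interface outside",
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.5/80",
]

if __name__ == "__main__":
    for (kind, src, iface), n in triage(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {kind:12s} src={src} iface={iface}")
```

Repeated "own-address" hits on the outside interface, as in the thread, mean the ASA is seeing its own WAN address arrive on outside, so check the route for that subnet and any NAT/hairpin path before treating it as an attack.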