Deny spoof IP - Site to Site Tunnel

InTheJuniverse
Level 1

[Attached diagram: Site to site tunnel.png]
Site2 is connected to other sites through MPLS. SOC Log Collector and Network Management are configured to collect various logs from all the devices. They are able to collect logs from all the MPLS connected devices, no worries.

It is noteworthy that these machines are configured to collect data by polling the inside or the management interface of the devices.

 

Site1 and Site2 are connected via S2S tunnel (10.230.0.0/16 on Site1, 10.0.0.0/8 on Site2), NAT Exempt is configured.

IP addresses:

10.230.1.130: Site1_ASA's inside interface
10.177.172.81: IP address of the SOC Log Collector

 

Routing on Site1_ASA:

(removed route for outside, pointing to default gateway)
route inside 10.0.0.0 255.0.0.0 10.230.1.190 1
route management 10.0.0.0 255.0.0.0 10.230.2.254 10
route inside 10.230.0.0 255.255.0.0 10.230.1.190 1

 

IP addresses on Site1 (Core Switch):

10.230.2.254: Management
10.230.1.190: Firewall to LAN

 

Routing on Core Switch:

Default route to 10.230.1.130 (Firewall's inside interface).

 

I can't ping 10.230.1.130 or 10.177.172.81 from Site1_ASA (this is understood), but from the Core Switch it is fine.

When the SOC tries to poll Site1_ASA, it does not work and I see a "106016 Deny Spoof from (10.230.1.130) to 10.177.172.81 on interface inside" message.

 

Accepted Solution

InTheJuniverse
Level 1

Once I added the route for SOC VM to point to default gateway, the issue was resolved.

 

Appreciate everyone's help, thank you.

4 Replies

Hi,
Your SOC IP address 10.177.172.81 in Site2 falls within the Site1 network range 10.0.0.0/8. ASA1 has a route for 10.0.0.0/8 via its internal interface, so ASA1 believes 10.177.172.81 is on the inside of ASA1. Change the routing on ASA1 to be more specific and ensure the Site2 network 10.177.172.0/16 is not routed internally on ASA1.

Also amend the VPN crypto ACL for the Site1 networks to be more specific as well.

HTH
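An added example (not code from this thread) that models the route lookup this reply describes: longest-prefix match over the ASA table posted in the question, with the ASA metric deciding between the two equal-length 10.0.0.0/8 routes, plus a generic reverse-path check of the kind a firewall uses to flag a source arriving on the wrong interface. The OP removed the outside default route from the post, so 203.0.113.1 is a placeholder gateway; the added host route for the SOC VM mirrors the fix in the accepted solution.

```python
import ipaddress

# Routing table from the question, constructed here as sample input. The OP
# removed the outside default route from the post, so 203.0.113.1 is a
# placeholder for that gateway, not an address from the thread.
ASA_ROUTES = """
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 10.230.1.190 1
route management 10.0.0.0 255.0.0.0 10.230.2.254 10
route inside 10.230.0.0 255.255.0.0 10.230.1.190 1
"""
SOC_IP = "10.177.172.81"
# The fix from the accepted solution: a host route for the SOC VM towards the
# default gateway (same placeholder gateway as above).
SOC_FIX = "route outside 10.177.172.81 255.255.255.255 203.0.113.1 1"


def parse_routes(text):
    """Parse ASA-style 'route <iface> <net> <mask> <gw> <metric>' lines."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "route":
            continue  # skip anything that is not a route statement
        _, iface, net, mask, gw, metric = parts
        routes.append((ipaddress.IPv4Network(f"{net}/{mask}"), iface, gw, int(metric)))
    return routes


def egress_interface(routes, ip):
    """Longest-prefix match; equal-length prefixes are decided by lowest metric."""
    addr = ipaddress.IPv4Address(ip)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    _, iface, _, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return iface


def reverse_path_ok(routes, ingress_iface, src_ip):
    """Generic anti-spoof check: the route back to the packet's source must
    point out the interface the packet arrived on."""
    return egress_interface(routes, src_ip) == ingress_iface


if __name__ == "__main__":
    for label, table in (("before fix", parse_routes(ASA_ROUTES)),
                         ("after fix", parse_routes(ASA_ROUTES + SOC_FIX))):
        print(label, "| route to SOC:", egress_interface(table, SOC_IP),
              "| poll arriving via tunnel passes check:",
              reverse_path_ok(table, "outside", SOC_IP))
```

Before the fix the SOC address resolves to inside (the /8 via inside wins on metric 1 over the /8 via management at metric 10), so a poll arriving through the tunnel on outside fails the check; after the host route it resolves to outside.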

Thank you.

 

It is not possible to change encryption domain, our sites are all in 10.x network.

 

I added an explicit route on ASA for SOC towards default gateway, don't see the messages, but waiting for SOC team to confirm if they can see any data.

Can you upload the configuration of the network (router/switch/ASA)?

Please do not forget to rate.
