
Deny TCP reverse path check from 121.241.249.101 to 28.29.30.31 on interface inside

shivaram840
Level 1

Hi all,

We are facing an IP spoofing issue, and at the time I was unable to log in to the firewall when the spoofing happened. 121.241.249.101 and 28.29.30.31 are not my IPs, and anti-spoofing has been enabled on my firewall on both inside and outside, but we faced this problem. Please help me out regarding this, and please find the screenshot for better understanding.

 

 

With regards,

Shiv

Accepted Solutions

Divya Subramanian
Cisco Employee

Hi Shiv,

"Ip verify reverse path" checks two things:

1. Is a route present for that specific source?

2. Is the packet coming in on the right interface?

I would suggest checking the routing to exclude possible asymmetric routing issues. If everything looks alright, then it might be a real spoofing attack.

You can probably collect a capture on the inside interface to track the MAC address of the spoofed IP from where the attacks are being generated.

You have uRPF enabled on the firewall, which is protecting against the spoofing attack.

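As an added example, not part of the original answer and not Cisco's code: a simplified Python model of the two checks listed in the accepted answer, applied to the deny message from the thread title. The routing table and all function names are constructed assumptions; substitute the routes from your own firewall.

```python
import ipaddress
import re

# Constructed routing table (assumption): prefix -> interface the route points to.
ROUTES = [
    ("10.0.0.0/8", "inside"),
    ("192.168.50.0/24", "dmz"),
    ("0.0.0.0/0", "outside"),
]

# Message layout taken from the thread title.
RPF_DENY = re.compile(
    r"Deny (?P<proto>\S+) reverse path check from (?P<src>\S+) "
    r"to (?P<dst>\S+) on interface (?P<ifc>\S+)"
)

def lookup(routes, addr):
    """Longest-prefix match; returns the route's interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None

def urpf_verdict(routes, src, in_ifc):
    """Apply the two checks from the answer to one packet's source address."""
    route_ifc = lookup(routes, src)
    if route_ifc is None:  # check 1: is a route present for the source?
        return "drop: no route to source"
    if route_ifc != in_ifc:  # check 2: did it arrive on the right interface?
        return f"drop: source is routed via {route_ifc}, packet arrived on {in_ifc}"
    return "pass"

def explain(routes, line):
    """Parse a deny message and report which check the packet failed."""
    m = RPF_DENY.search(line)
    if not m:
        return None
    return m["src"], m["ifc"], urpf_verdict(routes, m["src"], m["ifc"])

if __name__ == "__main__":
    line = ("Deny TCP reverse path check from 121.241.249.101 "
            "to 28.29.30.31 on interface inside")
    print(explain(ROUTES, line))
    print(urpf_verdict(ROUTES, "10.1.2.3", "inside"))
```

If the source network is legitimately reachable behind the inside interface (the asymmetric routing case), adding that route to the table makes the same packet pass, which is the routing check the answer recommends doing first.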
