FPR-1010 - IPspoof

I'm in the process of replacing 5505 and 5506 with FPR-1010. (code: 6.5.0.4).

 

When running IPsec between two subnets for example:

 

FPR-2130 subnet 10.0.0.0/23 <-------> 10.199.24.0/24 (FPR-1010 has IP .1 (BV1) and .2 (MNGT)).

 

I cannot access the unit itself (.1.2); all other IPs in the subnet are reachable. The error is:

 

Deny IP spoof from (10.0.0.x) to 10.199.24.1 on the interface outside

Can anyone help me get around this?

Please rate as helpful, if that would be the case. Thanx
Accepted Solutions

Used the MNGT gateway with defined gateway unique gw instead of data interface gateway. This gives access to SSH and HTTPS.

Please rate as helpful, if that would be the case. Thanx

Marvin Rhoads
Hall of Fame
Is the 1010 in transparent mode?

No, routed mode.

Please rate as helpful, if that would be the case. Thanx

Ah - so you are trying to reach the Firepower inside and management addresses from the remote end of the site-site VPN? That's generally not possible since the traffic needs to come from one of the inside networks. Otherwise the Firepower would be sending its own replies through itself - which is roughly what the log message is telling you.
