08-29-2013 07:34 AM - edited 03-11-2019 07:32 PM
I got the following,
Deny IP spoof from (0.1.0.4) to 10.1.1.101 on interface intranet
Traffic has correctly been denied, but ip verify reverse-path is not configured on the intranet interface to prevent IP spoofing. So how did the ASA deny the IP spoofing? Does that mean unicast RPF is not necessary?
Thank you
09-01-2013 12:41 AM
Hello,
1) That means that you can configure the ASA to deny ICMP packets (using the icmp syntax) coming in on the outside interface from source IP addresses belonging to the internal side (as this is certainly never expected).
2)Exactly,
Hey my man! Remember to rate all of my answers. We are helping for free and some kudos are really appreciated
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
08-29-2013 03:40 PM
Hello,
This is not related to the RPF Check per se;
%PIX|ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
08-30-2013 12:07 AM
Correct, I would have had a different message for IP spoofing with RPF. Is RPF still advised to be configured?
09-01-2013 12:38 AM
You got it .
It's always good to add more security to your Firewalls so RPF is a good deal.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
08-30-2013 12:18 AM
Let me add..
1. I couldn't find an explanation for:
In order to further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with source addresses belonging to the internal network. This is because the access-list command has been deprecated and is no longer guaranteed to work correctly.
2. 106016 log message is related to a check which is not configurable right ?
Thank you
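The two messages discussed in this thread are easy to confuse in a SIEM, so here is an added example (not code from the original post or from Cisco) that separates them when parsing ASA syslog: 106016 comes from the built-in, non-configurable source-address check, while 106021 is only ever emitted when `ip verify reverse-path` is active on the interface, so its presence is proof that uRPF is configured. The message texts follow the standard ASA syslog format; the sample log lines, the list of never-valid source ranges and the interface-to-prefix mapping are constructed for the demo.

```python
"""Classify ASA spoof-related denies from syslog lines.

Added example for this thread, not code from the original post or from Cisco.
Assumes the standard text of two ASA messages:
  %ASA-2-106016  built-in source-address check (not configurable)
  %ASA-1-106021  unicast RPF check (only fires with 'ip verify reverse-path')
SAMPLE_LOGS, NEVER_VALID_SOURCES and INTERNAL_PREFIXES are constructed here.
"""
import re
from ipaddress import ip_address, ip_network

SPOOF_RE = re.compile(
    r"%ASA-\d-106016: Deny IP spoof from \((?P<src>\S+)\) to (?P<dst>\S+) "
    r"on interface (?P<iface>\S+)"
)
RPF_RE = re.compile(
    r"%ASA-\d-106021: Deny (?P<proto>\S+) reverse path check from (?P<src>\S+) "
    r"to (?P<dst>\S+) on interface (?P<iface>\S+)"
)

# Ranges that should never appear as a unicast source on any interface
# (constructed list; 0.1.0.4 from the original post falls inside 0.0.0.0/8).
NEVER_VALID_SOURCES = [ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",
    "255.255.255.255/32",
)]

# Constructed topology assumption: which prefixes live behind which interface.
INTERNAL_PREFIXES = {"intranet": [ip_network("10.1.1.0/24")]}

# Constructed sample lines: one built-in spoof deny, one uRPF deny, one benign.
SAMPLE_LOGS = [
    "%ASA-2-106016: Deny IP spoof from (0.1.0.4) to 10.1.1.101 on interface intranet",
    "%ASA-1-106021: Deny tcp reverse path check from 10.1.1.50 to 192.0.2.10 "
    "on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 1234 for "
    "outside:198.51.100.9/40000 (198.51.100.9/40000) to "
    "inside:10.1.1.101/443 (10.1.1.101/443)",
]


def parse_event(line):
    """Return a dict for a 106016/106021 line, or None for anything else."""
    m = SPOOF_RE.search(line)
    if m:
        return {"check": "builtin-spoof", "proto": "ip", **m.groupdict()}
    m = RPF_RE.search(line)
    if m:
        return {"check": "urpf", **m.groupdict()}
    return None


def explain(event):
    """Say why the source address was implausible on that interface."""
    src = ip_address(event["src"])
    if any(src in net for net in NEVER_VALID_SOURCES):
        return "source in a reserved/non-unicast range"
    for iface, nets in INTERNAL_PREFIXES.items():
        if any(src in net for net in nets) and event["iface"] != iface:
            return f"source belongs to {iface} but arrived on {event['iface']}"
    return "unknown"


def classify_logs(lines):
    """Parse every spoof-related deny and attach a reason to each."""
    events = []
    for line in lines:
        event = parse_event(line)
        if event:
            event["reason"] = explain(event)
            events.append(event)
    return events


def urpf_enabled_interfaces(events):
    """Interfaces proven to run uRPF: only a 106021 message demonstrates it."""
    return sorted({e["iface"] for e in events if e["check"] == "urpf"})


if __name__ == "__main__":
    found = classify_logs(SAMPLE_LOGS)
    for e in found:
        print(e["check"], e["src"], "->", e["dst"], "on", e["iface"], ":", e["reason"])
    print("uRPF confirmed on:", urpf_enabled_interfaces(found))
```

Reading the output the way this thread does: a 106016 with a source like 0.1.0.4 tells you nothing about whether uRPF is on, it is the firewall refusing an address that can never be a valid unicast source. To get the 106021 behaviour as well, add `ip verify reverse-path interface intranet` (standard ASA syntax), and for the ICMP point raised above, `icmp deny 10.1.1.0 255.255.255.0 outside` drops ICMP that arrives on outside claiming an internal source.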
09-02-2013 08:03 AM
Thanks a lot