08-14-2012 06:28 PM - edited 03-11-2019 04:42 PM
Hello, all!
Hey, I'm working on a problem where all necessary communication *seems* to be happening, but we're seeing regular errors logged that look like this (Public IP addresses have been changed from the real ones):
Aug 13 2012 14:43:08: %ASA-2-106016: Deny IP spoof from (1.1.1.198) to 2.2.2.109 on interface outside
It's an ASA5520 failover pair, running 8.2(1).
Outside Int: 1.1.1.1 /30
DMZ Int: 10.11.11.1 /24
Inside Int: 192.168.168.1 /22
On the outside are two VPN subnets (VPNs are terminating on the ASA), 10.14.14.0 /24 and 10.15.15.0 /24.
================================
Below is the current NAT config. What I'd noticed was missing initially were the nat (dmz) 0 and nat (outside) 0 parts of the config. Those have been added. (And yes, I know there are some un-needed config commands---I'm not able to remove things right now unless it's absolutely necessary---cleanup has to wait.)
nat-control
nat (outside) 0 access-list nonat-acl-outside
nat (outside) 1 10.14.14.0 255.255.255.0
nat (outside) 1 10.15.15.0 255.255.255.0
nat (dmz) 0 access-list nonat-acl-dmz
nat (dmz) 1 10.11.11.0 255.255.255.0
nat (inside) 0 access-list nonat-acl-inside
nat (inside) 1 192.168.168.0 255.255.252.0
nat (inside-vlan3) 0 access-list nonat-acl-inside-vlan3
global (outside) 1 interface
global (dmz) 1 interface
access-list nonat-acl-dmz extended permit ip 10.11.11.0 255.255.255.0 10.14.14.0 255.255.255.0
access-list nonat-acl-dmz extended permit ip 10.11.11.0 255.255.255.0 192.168.168.0 255.255.252.0
access-list nonat-acl-dmz extended permit ip 10.11.11.0 255.255.255.0 10.15.15.0 255.255.255.0
access-list nonat-acl-outside extended permit ip 10.14.14.0 255.255.255.0 10.11.11.0 255.255.255.0
access-list nonat-acl-outside extended permit ip 10.15.15.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat-acl-outside extended permit ip 10.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0
access-list nonat-acl-outside extended permit ip 10.14.14.0 255.255.255.0 192.168.168.0 255.255.252.0
access-list nonat-acl-inside extended permit ip 192.168.168.0 255.255.252.0 10.14.14.0 255.255.255.0
access-list nonat-acl-inside extended permit ip 10.11.11.0 255.255.255.0 10.14.14.0 255.255.255.0
access-list nonat-acl-inside extended permit ip 192.168.168.0 255.255.252.0 10.11.11.0 255.255.255.0
access-list nonat-acl-inside extended permit ip 192.168.168.0 255.255.252.0 10.15.15.0 255.255.255.0
access-list nonat-acl-inside-vlan3 extended permit ip 192.168.5.0 255.255.255.0 10.15.15.0 255.255.255.0
static (dmz,outside) 2.2.2.100 10.11.11.5 netmask 255.255.255.255
static (dmz,outside) 2.2.2.108 10.11.11.11 netmask 255.255.255.255
static (dmz,outside) 2.2.2.104 10.11.11.18 netmask 255.255.255.255
static (dmz,outside) 2.2.2.112 10.11.11.15 netmask 255.255.255.255
static (dmz,outside) 2.2.2.111 10.11.11.14 netmask 255.255.255.255
static (dmz,outside) 2.2.2.110 10.11.11.13 netmask 255.255.255.255
static (dmz,outside) 2.2.2.109 10.11.11.12 netmask 255.255.255.255
static (dmz,outside) 2.2.2.107 10.11.11.10 netmask 255.255.255.255
static (dmz,outside) 2.2.2.106 10.11.11.29 netmask 255.255.255.255
static (dmz,outside) 2.2.2.105 10.11.11.28 netmask 255.255.255.255
static (dmz,outside) 2.2.2.103 10.11.11.17 netmask 255.255.255.255
static (inside,dmz) 192.168.168.70 192.168.168.70 netmask 255.255.255.255
static (inside,dmz) 192.168.168.71 192.168.168.71 netmask 255.255.255.255
============================
Logging is turned on at the debugging level, but I don't see any more detailed helpful errors.
Any suggestions on what might be wrong, or how to proceed to troubleshoot deeper, would be appreciated!
Many thanks,
Deb
08-15-2012 09:20 AM
Hi Deborah,
Please find the below explanation and workaround for that log code.
%PIX|ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.
Explanation
This message is generated when a packet arrives at the security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the security appliance interface. In addition, this message is generated when the security appliance discarded a packet with an invalid source address, which can include one of the following or some other invalid address:
Loopback network (127.0.0.0)
Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
The destination host (land.c)
In order to further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with source addresses belonging to the internal network. This is because the access-list command has been deprecated and is no longer guaranteed to work correctly.
Recommended Action: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
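As an added example (not code from either poster or from Cisco), the following Python script parses %ASA-2-106016 lines in the format shown in the first post and sorts each one into the source-address categories the syslog explanation above lists (loopback, broadcast, source equal to destination), then adds one more check a troubleshooter would want: whether the source address belongs to a subnet configured on a different interface of the ASA described in the thread. The interface subnets and VPN pools are taken from the first post; the sample log lines other than the first are constructed for illustration, and the function names are this example's own.

```python
"""Triage helper for ASA %ASA-2-106016 'Deny IP spoof' syslog lines (added example)."""
import ipaddress
import re

# Interface subnets as posted in the thread (assumed accurate for this example).
INTERFACE_NETS = {
    "outside": [ipaddress.ip_network("1.1.1.0/30")],
    "dmz":     [ipaddress.ip_network("10.11.11.0/24")],
    "inside":  [ipaddress.ip_network("192.168.168.0/22")],
}
# VPN client subnets that terminate on the outside interface, per the first post.
VPN_POOLS = [ipaddress.ip_network("10.14.14.0/24"),
             ipaddress.ip_network("10.15.15.0/24")]

# Constructed sample lines; the first mirrors the line quoted in the thread.
SAMPLE_LOGS = [
    "Aug 13 2012 14:43:08: %ASA-2-106016: Deny IP spoof from (1.1.1.198) to 2.2.2.109 on interface outside",
    "Aug 13 2012 14:43:09: %ASA-2-106016: Deny IP spoof from (127.0.0.1) to 2.2.2.109 on interface outside",
    "Aug 13 2012 14:43:10: %ASA-2-106016: Deny IP spoof from (10.11.11.40) to 10.11.11.40 on interface dmz",
    "Aug 13 2012 14:43:11: %ASA-2-106016: Deny IP spoof from (192.168.168.50) to 2.2.2.100 on interface outside",
    "Aug 13 2012 14:43:12: %ASA-6-302013: Built inbound TCP connection (unrelated line)",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)$"
)


def parse_106016(line):
    """Return the fields of a 106016 message, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "iface": m["iface"],
    }


def _owning_interface(addr):
    """Name of the interface whose configured subnet contains addr, else None."""
    for iface, nets in INTERFACE_NETS.items():
        if any(addr in n for n in nets):
            return iface
    return None


def classify_source(event):
    """Map one 106016 event to the categories from the syslog explanation,
    plus a check of which configured subnet the source address belongs to."""
    src, dst, iface = event["src"], event["dst"], event["iface"]
    reasons = []
    if src.is_loopback:
        reasons.append("loopback-source")           # 127.0.0.0/8
    if src == dst:
        reasons.append("src-equals-dst")            # the land.c case
    if src == ipaddress.ip_address("255.255.255.255") or any(
            src == n.broadcast_address
            for nets in INTERFACE_NETS.values() for n in nets):
        reasons.append("broadcast-source")          # limited or directed broadcast
    owner = _owning_interface(src)
    if owner is not None and owner != iface:
        # Source claims an address from a subnet sitting behind another interface.
        reasons.append(f"source-subnet-belongs-to-{owner}")
    elif owner is None and iface == "outside" and any(src in p for p in VPN_POOLS):
        reasons.append("vpn-pool-source")
    if not reasons:
        reasons.append("unclassified")
    return reasons


def triage(lines):
    """Parse syslog lines; return (iface, src, dst, reasons) for every 106016 hit."""
    results = []
    for line in lines:
        ev = parse_106016(line)
        if ev is None:
            continue
        results.append((ev["iface"], str(ev["src"]), str(ev["dst"]), classify_source(ev)))
    return results


if __name__ == "__main__":
    for iface, src, dst, reasons in triage(SAMPLE_LOGS):
        print(f"{iface:8} {src:>16} -> {dst:<16} {', '.join(reasons)}")
```

A line that comes back "unclassified", as the thread's own example does here, means the source is none of the obviously invalid addresses from the explanation and also does not belong to any subnet the ASA knows about, so the next step is to look at the routing and NAT rules for that address rather than at the categories above.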