NAT and ASA IP Spoofing error

desmith
Level 1

Hello, all!

Hey, I'm working on a problem where all necessary communication *seems* to be happening, but we're seeing regular errors logged that look like this (Public IP addresses have been changed from the real ones):

Aug 13 2012 14:43:08: %ASA-2-106016: Deny IP spoof from (1.1.1.198) to 2.2.2.109 on interface outside

It's an ASA5520 failover pair, running 8.2(1).

Outside Int:  1.1.1.1 /30
DMZ Int:      10.11.11.1 /24
Inside Int:   192.168.168.1 /22

On the outside are two VPN subnets (VPNs are terminating on the ASA), 10.14.14.0 /24 and 10.15.15.0 /24.

================================

Below is the current NAT config.  What I'd noticed was missing initially were the nat (dmz) 0 and nat (outside) 0 parts of the config.  Those have been added.  (And yes, I know there are some un-needed config commands---I'm not able to remove things right now unless it's absolutely necessary---cleanup has to wait.)

nat-control
nat (outside) 0 access-list nonat-acl-outside
nat (outside) 1 10.14.14.0 255.255.255.0
nat (outside) 1 10.15.15.0 255.255.255.0
nat (dmz) 0 access-list nonat-acl-dmz
nat (dmz) 1 10.11.11.0 255.255.255.0
nat (inside) 0 access-list nonat-acl-inside
nat (inside) 1 192.168.168.0 255.255.252.0
nat (inside-vlan3) 0 access-list nonat-acl-inside-vlan3
global (outside) 1 interface
global (dmz) 1 interface
access-list nonat-acl-dmz extended permit ip 10.11.11.0 255.255.255.0 10.14.14.0 255.255.255.0
access-list nonat-acl-dmz extended permit ip 10.11.11.0 255.255.255.0 192.168.168.0 255.255.252.0
access-list nonat-acl-dmz extended permit ip 10.11.11.0 255.255.255.0 10.15.15.0 255.255.255.0
access-list nonat-acl-outside extended permit ip 10.14.14.0 255.255.255.0 10.11.11.0 255.255.255.0
access-list nonat-acl-outside extended permit ip 10.15.15.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat-acl-outside extended permit ip 10.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0
access-list nonat-acl-outside extended permit ip 10.14.14.0 255.255.255.0 192.168.168.0 255.255.252.0
access-list nonat-acl-inside extended permit ip 192.168.168.0 255.255.252.0 10.14.14.0 255.255.255.0
access-list nonat-acl-inside extended permit ip 10.11.11.0 255.255.255.0 10.14.14.0 255.255.255.0
access-list nonat-acl-inside extended permit ip 192.168.168.0 255.255.252.0 10.11.11.0 255.255.255.0
access-list nonat-acl-inside extended permit ip 192.168.168.0 255.255.252.0 10.15.15.0 255.255.255.0
access-list nonat-acl-inside-vlan3 extended permit ip 192.168.5.0 255.255.255.0 10.15.15.0 255.255.255.0
static (dmz,outside) 2.2.2.100 10.11.11.5 netmask 255.255.255.255
static (dmz,outside) 2.2.2.108 10.11.11.11 netmask 255.255.255.255
static (dmz,outside) 2.2.2.104 10.11.11.18 netmask 255.255.255.255
static (dmz,outside) 2.2.2.112 10.11.11.15 netmask 255.255.255.255
static (dmz,outside) 2.2.2.111 10.11.11.14 netmask 255.255.255.255
static (dmz,outside) 2.2.2.110 10.11.11.13 netmask 255.255.255.255
static (dmz,outside) 2.2.2.109 10.11.11.12 netmask 255.255.255.255
static (dmz,outside) 2.2.2.107 10.11.11.10 netmask 255.255.255.255
static (dmz,outside) 2.2.2.106 10.11.11.29 netmask 255.255.255.255
static (dmz,outside) 2.2.2.105 10.11.11.28 netmask 255.255.255.255
static (dmz,outside) 2.2.2.103 10.11.11.17 netmask 255.255.255.255
static (inside,dmz) 192.168.168.70 192.168.168.70 netmask 255.255.255.255
static (inside,dmz) 192.168.168.71 192.168.168.71 netmask 255.255.255.255

============================

Logging is turned on at the debugging level, but I don't see any more detailed helpful errors.

Any suggestions on what might be wrong, or how to proceed to troubleshoot deeper, would be appreciated!

Many thanks,

Deb

1 Reply

nkarthikeyan
Level 7

Hi Deborah,

Please find below the explanation and workaround for that log code.

  • %PIX|ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on
    interface interface_name.

    Explanation

    This message is generated when a packet arrives at the security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the security appliance interface. In addition, this message is generated when the security appliance discarded a packet with an invalid source address, which can include one of the following or some other invalid address:

    • Loopback network (127.0.0.0)

    • Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)

    • The destination host (land.c)

    In order to further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with source addresses belonging to the internal network. This is because the access-list command has been deprecated and is no longer guaranteed to work correctly.

    Recommended Action: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

  • This comes because of a spoofing packet sent to the public IP of your DMZ zone server. You have to deny the ICMP packets originating from the outside network other than the trusted network. Or you could have some misconfiguration in your configuration which leads to this log. Setting a deny rule in the outside interface's ACL for ICMP would solve this issue.

Please do rate if the given information helps.

By
Karthik
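As an added illustration (not part of the thread, nor Cisco code), the following Python script parses %ASA-2-106016 lines and labels each source address using the invalid-source categories from the explanation above (land, loopback, broadcast) together with the interface subnets and VPN pools listed in the question; a source that falls in another interface's subnet or in no configured subnet is flagged for route/NAT review. The first sample line is the one from the question; the other three are constructed.

```python
import ipaddress
import re

# Constructed sample: the line from the question plus three made-up variants.
SAMPLE_LOGS = """\
Aug 13 2012 14:43:08: %ASA-2-106016: Deny IP spoof from (1.1.1.198) to 2.2.2.109 on interface outside
Aug 13 2012 14:43:09: %ASA-2-106016: Deny IP spoof from (2.2.2.109) to 2.2.2.109 on interface outside
Aug 13 2012 14:43:10: %ASA-2-106016: Deny IP spoof from (10.11.11.12) to 2.2.2.109 on interface outside
Aug 13 2012 14:43:11: %ASA-2-106016: Deny IP spoof from (127.0.0.1) to 2.2.2.109 on interface outside
"""

# Interface subnets and VPN pools as given in the question (assumed to be complete).
INTERFACE_NETS = {
    "outside": ipaddress.ip_network("1.1.1.0/30"),
    "dmz": ipaddress.ip_network("10.11.11.0/24"),
    "inside": ipaddress.ip_network("192.168.168.0/22"),
}
VPN_NETS = [ipaddress.ip_network("10.14.14.0/24"), ipaddress.ip_network("10.15.15.0/24")]
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")
LOG_RE = re.compile(r"%ASA-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+)"
                    r" on interface (?P<ifc>\S+)")

def classify(src, dst, ifc):
    """Label a 106016 event by the kind of invalid source it most likely reflects."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip == dst_ip:
        return "land"            # source equals the destination host (land.c)
    if src_ip.is_loopback:
        return "loopback"        # 127.0.0.0/8 source
    if src_ip == LIMITED_BCAST or any(src_ip == n.broadcast_address for n in INTERFACE_NETS.values()):
        return "broadcast"       # limited or net-directed broadcast used as a source
    for name, net in INTERFACE_NETS.items():
        if name != ifc and src_ip in net:
            return f"internal:{name}"   # another interface's subnet arriving on this one
    if ifc == "outside" and any(src_ip in n for n in VPN_NETS):
        return "vpn-pool"        # source belongs to a VPN subnet listed in the question
    return "unmatched"           # not in any configured subnet: check routes and NAT

def analyze(log_text):
    """Parse 106016 lines and return (src, dst, interface, category) tuples."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            results.append((m["src"], m["dst"], m["ifc"], classify(m["src"], m["dst"], m["ifc"])))
    return results
```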