This explanation might help you. Let me know if you need further help:
%PIX-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.
This message is logged when the firewall discards a packet with an invalid source address. Invalid source addresses are those addresses belonging to the following:
Loopback network (127.0.0.0)
Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
The destination host (land.c)
Furthermore, if the sysopt connection enforcesubnet command is enabled, PIX Firewall discards packets with a source address belonging to the destination subnet from traversing the firewall and logs this message.
To further enhance spoof packet detection, use the conduit command to configure the firewall to discard packets with source addresses belonging to the internal network.
Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
Regards - Jay.
Thank you for your reply. It looks like the FW is discarding the packet because it's using 127.0.0.88 as the source IP address.
How do I know if the sysopt connection enforcesubnet command is enabled?
Also what should I look for to determine if an external user is trying to compromise the protected network?
Check your PIX config and see if you have the command:
> sysopt connection enforcesubnet
If you do have the above command, you can disable this by issuing the command no sysopt connection enforcesubnet in config mode on the PIX.
For your 2nd question, see if the packet is arriving from the same source constantly and set up syslog for your PIX. Also, check for misconfiguration of inside clients.
Let me know how you get on.
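
The check suggested in the reply above (is the same source showing up constantly?) can be run over collected PIX syslog. This is an added example, not part of the original thread; the sample log lines, function names and the threshold of 3 are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample syslog (not from the thread); hosts, times and interfaces are made up.
SAMPLE_LOG = """\
Mar 03 10:15:01 pix1 %PIX-2-106016: Deny IP spoof from (127.0.0.88) to 192.0.2.10 on interface inside
Mar 03 10:15:04 pix1 %PIX-2-106016: Deny IP spoof from (127.0.0.88) to 192.0.2.11 on interface inside
Mar 03 10:15:09 pix1 %PIX-2-106016: Deny IP spoof from (127.0.0.88) to 192.0.2.10 on interface inside
Mar 03 10:16:30 pix1 %PIX-2-106016: Deny IP spoof from (198.51.100.7) to 198.51.100.7 on interface outside
Mar 03 10:16:31 pix1 an unrelated line that must be ignored
Mar 03 10:17:02 pix1 %PIX-2-106016: Deny IP spoof from (127.0.0.88) to 192.0.2.12 on interface inside
"""

PATTERN = re.compile(r"%PIX-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
                     r"to (?P<dst>[\d.]+) on interface (?P<ifc>\S+?)\.?$")


def parse(log_text):
    """Yield (src, dst, interface) for each well-formed 106016 line."""
    for line in log_text.splitlines():
        m = PATTERN.search(line.strip())
        if not m:
            continue
        try:
            ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address in the log line
        yield m["src"], m["dst"], m["ifc"]


def classify(src, dst):
    """Map a denied source to the invalid-address class listed in the message text."""
    if ipaddress.ip_address(src).is_loopback:
        return "loopback"
    if src == "255.255.255.255":
        return "limited-broadcast"
    if src == dst:
        return "land"
    return "other"  # directed broadcast or enforcesubnet: needs subnet masks to tell


def repeat_sources(log_text, threshold=3):
    """Return sources denied at least `threshold` times, most frequent first."""
    hits, reasons = Counter(), defaultdict(set)
    for src, dst, ifc in parse(log_text):
        hits[(src, ifc)] += 1
        reasons[(src, ifc)].add(classify(src, dst))
    return [{"src": s, "interface": i, "hits": n, "reasons": sorted(reasons[(s, i)])}
            for (s, i), n in hits.most_common() if n >= threshold]
```

A loopback source that keeps arriving on one interface, as in the constructed sample, is the pattern to trace back to a single misconfigured client.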