IP spoof

john-kelsey (Level 1)

Hi,

I get the critical alert.

Deny IP spoof from (192.168.97.16) to virtual_plc on interface outside

Which I understand because both addresses are on the same subnet, yet on different interfaces.

However I would like them to communicate, how do I do that please?

I have attached a drawing of the network.

We VPN into our customer's site, where the VPN server gives us the 192.168.97.x address.

The customer's network is 151.133.100.x where our router is at 151.133.100.80.

We static NAT 151.133.100.81 and 151.133.100.81 thru to 192.168.100.180 and 192.168.100.184 respectively.

Our router is an ASA5505

Thanks in advance.

John


11 Replies

acomiskey (Level 10)

Which firewall in the diagram are you vpn'ing to?

The first one - NOT the ASA5505 on the slicer

What is the subnet mask of the slicer inside network? You could try to disable it with

no ip verify reverse-path interface outside

The Inside subnet mask is 255.255.255.0

I will try this when I get to work tomorrow.

Thanks

I added the - no ip verify reverse-path interface outside

Now though, I get the error

Failed to locate egress interface for TCP from outside:192.168.97.x

How do I get back from the slicer network to the VPNs?

Could you post the config from your ASA?

Here is the conf file

Ah ha, you have no default route defined.

route outside 0.0.0.0 0.0.0.0 x.x.x.x

x.x.x.x = inside ip of the other ASA that you are vpn'ing into.
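The two errors in this thread are the same routing gap seen from two directions: with no default route, the ASA has no route back to the 192.168.97.x VPN client, so the reverse-path (uRPF) check logs it as an "IP spoof", and with uRPF switched off the reply packet then has no egress interface. The following is an added illustration, not anything posted in the thread or part of Cisco's code, that models the ASA's routing table as a longest-prefix lookup and runs a strict reverse-path check against it. The prefixes (192.168.100.0/24 on inside, 151.133.100.0/24 on outside), the interface names, and the sample addresses are assumptions drawn from the thread.

```python
import ipaddress

# Constructed routing table modelled on the thread: one connected route per
# interface, plus (after the fix) a default route out the outside interface
# towards the peer ASA. Prefixes and interface names are assumptions.
CONNECTED_ROUTES = [
    (ipaddress.ip_network("192.168.100.0/24"), "inside"),   # slicer LAN
    (ipaddress.ip_network("151.133.100.0/24"), "outside"),  # customer LAN
]
DEFAULT_ROUTE = (ipaddress.ip_network("0.0.0.0/0"), "outside")  # route outside 0.0.0.0 0.0.0.0 x.x.x.x


def egress_interface(routes, ip):
    """Longest-prefix match: the interface a packet to ip would leave by, or None if no route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(routes, ingress, src):
    """Strict reverse-path check (what 'ip verify reverse-path' enforces):
    accept only if the route back to the source points out the arrival interface.
    Returns (accepted, reason)."""
    back = egress_interface(routes, src)
    if back is None:
        return False, f"Deny IP spoof from ({src}) on interface {ingress}: no route to source"
    if back != ingress:
        return False, f"Deny IP spoof from ({src}) on interface {ingress}: route points to {back}"
    return True, f"Permit {src} on {ingress}: reverse path matches"


def reply_egress(routes, dst):
    """Interface the return traffic would use; None is the 'Failed to locate egress interface' case."""
    return egress_interface(routes, dst)


def scenario(with_default_route):
    """Evaluate the thread's situation with and without the default route."""
    routes = CONNECTED_ROUTES + ([DEFAULT_ROUTE] if with_default_route else [])
    vpn_client = "192.168.97.16"  # address handed out by the customer's VPN server (from the thread)
    return {
        # the legitimate VPN client arriving on outside
        "vpn_client_urpf": urpf_check(routes, "outside", vpn_client)[0],
        # where the slicer's reply to that client would go
        "reply_egress": reply_egress(routes, vpn_client),
        # a constructed packet claiming an inside-LAN source but arriving on outside:
        # a genuine spoof, which the check must still reject once the default route exists
        "spoofed_inside_src_urpf": urpf_check(routes, "outside", "192.168.100.50")[0],
    }


if __name__ == "__main__":
    for label, flag in (("without default route", False), ("with default route", True)):
        print(label, scenario(flag))
```

The point worth keeping from the model: adding the default route is preferable to `no ip verify reverse-path interface outside`, because the routing fix satisfies the check for the real VPN client while the check still drops packets that arrive on outside claiming an inside-LAN source.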

Thank you for your help, I am now back at home - I shall try that first thing in the morning.

John.

Thank you acomiskey.

Adding route outside 0.0.0.0 0.0.0.0 x.x.x.x resolved the issue.

However, supposedly it brought down the customer's network, does this sound possible?

John.

Could it be multicast-routing? It was not enabled yesterday.
