Question on IP spoof

pokwan
Level 1

Hi,

Sometimes I get these messages in the log of our PIX525.

106016: Deny IP spoof from (127.0.0.100) to 10.10.19.90 on interface outside

106016: Deny IP spoof from (127.0.0.100) to 10.10.17.184 on interface outside

106016: Deny IP spoof from (127.0.0.100) to 10.10.17.184 on interface outside

These IP addresses are on the inside interface of the firewall. What exactly are the messages conveying?

Thanks.

1 Reply

gfullage
Cisco Employee

Message details are here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm#1022675

Basically the PIX will automatically deny packets from invalid source addresses, of which 127.0.0.100 is certainly one. The PIX is doing its job and protecting your internal hosts.

If you really want to see what these packets are then you'd have to put a Sniffer on the outside segment and capture them. It may be legitimate traffic from an outside misconfigured host, but most likely it's something bogus. It's probably coming from something directly connected on the outside interface though, because the 10.x.x.x addresses wouldn't be routed from your ISP to you.
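
As an added example (not part of the original posts and not Cisco code): a short Python script that tallies 106016 denials by source, destination and interface, so a recurring sender stands out before a capture is set up on the outside segment. The regular expression is inferred from the three log lines quoted in the question, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Layout inferred from the three 106016 lines quoted in the question.
SPOOF_RE = re.compile(
    r"106016: Deny IP spoof from \((?P<src>[0-9.]+)\) "
    r"to (?P<dst>[0-9.]+) on interface (?P<ifc>\S+)"
)

def classify(addr):
    """Name the reserved range a source address falls in, if any."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_multicast:
        return "multicast"
    return "other"

def summarize(lines):
    """Count denials per (source, source class, destination, interface)."""
    hits = Counter()
    for line in lines:
        m = SPOOF_RE.search(line)
        if m is None:
            continue  # not a 106016 message
        try:
            kind = classify(m["src"])
        except ValueError:
            kind = "unparseable"  # e.g. an octet above 255
        hits[(m["src"], kind, m["dst"], m["ifc"])] += 1
    return hits

# The three lines from the question, plus one constructed line that must be skipped.
SAMPLE = [
    "106016: Deny IP spoof from (127.0.0.100) to 10.10.19.90 on interface outside",
    "106016: Deny IP spoof from (127.0.0.100) to 10.10.17.184 on interface outside",
    "106016: Deny IP spoof from (127.0.0.100) to 10.10.17.184 on interface outside",
    "000000: constructed line that is not a spoof denial",
]

if __name__ == "__main__":
    for (src, kind, dst, ifc), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {src} ({kind}) -> {dst} on {ifc}")
```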
