Deny IP Spoof messages in ASA syslog

Martijn de Loos
Level 1

Hi all,

Our company has three branch offices. All these offices have an ASA5510 firewall installed. The three ASA's are sending syslog messages to a syslog server. All three devices are spamming the same "Deny IP spoof" message.

Our provider has assigned us an outside interface IP address per ASA device. Let's take one ASA as an example. Let's say the assigned outside IP address for one of the ASAs is 1.1.1.1. We are using 1.1.1.2 as the default gateway (the next-hop router of our provider). Our provider has also assigned us an extra external IP block to NAT our internal servers. Let's say this is 2.2.2.1 to 2.2.2.5. Now, if I look at the syslog messages of one of our ASAs, 99% of them are the following messages, which keep spamming our log server:


%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.1 on interface outside

%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.2 on interface outside

%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.3 on interface outside

%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.4 on interface outside

%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.5 on interface outside

As you can see, 1.1.1.1 is the configured IP address on the outside interface. The IP addresses in the 2.2.2.x subnet are the extra external IP block assigned by our provider. The external IP addresses have not yet been assigned (NATed) to any of our hosts, so they are currently not in use. However, they are routed to our ASA by our provider.

How can I solve this issue so that the ASAs stop logging this spoof message? And what causes it anyway? To me it seems that our own firewall is trying to reach one of the IP addresses in the alternate IP block, but for what reason?

Thanks in advance for the help.
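Before changing logging levels or adding a filter for message 106016, it is worth separating the pattern the post shows (the denied source is the receiving interface's own address) from ordinary spoof denials, where a packet from some other host fails the reverse-path check on the interface. The script below is an added example and is not part of the original post or of any Cisco tooling. It assumes the 106016 message layout exactly as quoted in the post and a hypothetical `OWN_INTERFACE_IPS` map recording which address each ASA interface owns (here only 1.1.1.1 on `outside`, taken from the post's example); the sample log lines are constructed and include one deliberate external spoof and one unrelated message.

```python
"""Triage of ASA syslog ID 106016 ("Deny IP spoof") lines.

Added example, not from the original post. It assumes the message layout
shown in the post and a hypothetical map of which IP each ASA interface owns.
"""
import re
from collections import Counter

# Message body layout of %ASA-2-106016 as shown in the post. An optional
# syslog header (timestamp, hostname) in front of it is skipped by re.search.
SPOOF_RE = re.compile(
    r"%ASA-\d-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)

# Assumed per-interface addressing for the post's example ASA (1.1.1.1 on
# "outside"). A real deployment would load this from each device's config.
OWN_INTERFACE_IPS = {"outside": "1.1.1.1"}


def parse_106016(line):
    """Return {'src', 'dst', 'iface'} for a 106016 line, else None."""
    m = SPOOF_RE.search(line)
    return m.groupdict() if m else None


def classify(event, own_ips=OWN_INTERFACE_IPS):
    """'self-sourced' when the denied source is the receiving interface's own
    address (the pattern in the post); otherwise 'external', i.e. a packet
    from some other host that failed the reverse-path check."""
    if event["src"] == own_ips.get(event["iface"]):
        return "self-sourced"
    return "external"


def summarize(lines, own_ips=OWN_INTERFACE_IPS):
    """Count 106016 events keyed by (class, iface, src, dst)."""
    counts = Counter()
    for line in lines:
        ev = parse_106016(line)
        if ev is None:
            continue  # not a 106016 message, ignore
        counts[(classify(ev, own_ips), ev["iface"], ev["src"], ev["dst"])] += 1
    return counts


def class_totals(lines, own_ips=OWN_INTERFACE_IPS):
    """Collapse summarize() down to a total per class."""
    totals = Counter()
    for (cls, _iface, _src, _dst), n in summarize(lines, own_ips).items():
        totals[cls] += n
    return totals


# Constructed sample: the five lines from the post, one repeat carrying a
# syslog header, one genuine external spoof (RFC 1918 source arriving on
# outside) and one unrelated message that must be ignored.
SAMPLE_LOG = [
    "%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.1 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.2 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.3 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.4 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.5 on interface outside",
    "Jan 14 10:00:01 asa-branch1 %ASA-2-106016: Deny IP spoof from (1.1.1.1) "
    "to 2.2.2.1 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (10.0.0.5) to 2.2.2.1 on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/443 "
    "(203.0.113.5/443) to inside:10.0.0.5/51000 (1.1.1.1/51000)",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {key}")
    print(dict(class_totals(SAMPLE_LOG)))
```

Run over the real syslog archive, `summarize()` shows whether the noise is confined to the one (own address, unused 2.2.2.x) pattern on `outside`, and `class_totals()` shows how much would be lost by muting 106016 outright. Whether the self-sourced entries should be suppressed or fixed at the source is the question the post raises; the script only makes the two populations visible so that a logging filter does not hide genuine spoof attempts along with the noise.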
