My Network Security Journal: 2019

Saturday, December 28, 2019

Configure Static and Dynamic (PAT) on a Cisco IOS Router

Task 1: Configure Static NAT

Configure NAT outside on interface Gig1 (WAN) and NAT inside on Loopback1 (LAN).

CSRv#show ip interface brief

Interface IP-Address OK? Method Status Protocol

GigabitEthernet1 192.168.1.140 YES NVRAM up up

GigabitEthernet2 unassigned YES NVRAM administratively down down

Loopback1 10.1.1.200 YES manual up up

CSRv#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

CSRv(config)#interface g1

CSRv(config-if)#ip nat ?

allow-static-host Allow static-ip clients

inside Inside interface for address translation

outside Outside interface for address translation

CSRv(config-if)#ip nat outside

CSRv(config-if)#interface loopback1

CSRv(config-if)#ip nat inside

Configure a Static NAT (one-to-one) translation for the internal host 10.1.1.200 (web server) to the mapped/translated IP address 192.168.1.200.

CSRv(config)#ip nat ?

create Create flow entries

inside Inside address translation

log NAT Logging

name Rule name

outside Outside address translation

pool Define pool of addresses

service Special translation for application using non-standard port

settings NAT general settings

switchover NAT datapath switchover

translation NAT translation entry configuration

CSRv(config)#ip nat inside ?

destination Destination address translation

source Source address translation

CSRv(config)#ip nat inside source ?

list Specify access list describing local addresses

route-map Specify route-map

static Specify static local->global mapping

CSRv(config)#ip nat inside source static ?

A.B.C.D Inside local IP address

esp IPSec-ESP (Tunnel mode) support

network Subnet translation

tcp Transmission Control Protocol

udp User Datagram Protocol

CSRv(config)#ip nat inside source static 10.1.1.200 ?

A.B.C.D Inside global IP address

interface Specify interface for global address

CSRv(config)#ip nat inside source static 10.1.1.200 192.168.1.200

Configure HTTP (web) server on the CSRv router.

CSRv(config)#ip http ?

HSTS-Header Enable HTTP secure server HSTS header

access-class Restricted http server access by access-class

active-session-modules Set up active http server session modules

auth-retry Maximum number of authentication retry attempt

authentication Set http server authentication method

banner Enable http server banner

banner-path HTML Banner Path

client Set http client parameters

digest Set http digest parameters

help-path HTML help root URL

max-connections Set maximum number of concurrent http server connections

path Set base path for HTML

port Set http server port

secure-active-session-modules Set up active http secure server session modules

secure-ciphersuite Set http secure server ciphersuite

secure-client-auth Set http secure server with client authentication

secure-port Set http secure server port number for listening

secure-server Enable HTTP secure server

secure-trustpoint Set http secure server certificate trustpoint

server Enable http server

session-idle-timeout Set http server session idle timeout

session-module-list Set up a http(s) server session module list

timeout-policy Set http server time-out policy parameters

tls-version Set TLS version for HTTP secure server

upload File upload

CSRv(config)#ip http server

Access the web server (10.1.1.200) from the management PC (192.168.1.100).

Verify active NAT translations and statistics on the using the show ip nat translations and show ip nat statistics commands.

CSRv#show ip nat ?

bpa Bulk Port Allocation information

limits Limit statistics

pool Pool and port statistics

portblock TCP/UDP port blocks allocated for NAT

statistics Translation statistics

translations Translation entries

CSRv#show ip nat translations

Pro Inside global Inside local Outside local Outside global

--- 192.168.1.200 10.1.1.200 --- ---

tcp 192.168.1.200:80 10.1.1.200:80 192.168.1.100:52285 192.168.1.100:52285

Total number of translations: 2

CSRv#show ip nat statistics

Total active translations: 1 (1 static, 0 dynamic; 1 extended)

Outside interfaces:

GigabitEthernet1

Inside interfaces:

Loopback1

Hits: 650 Misses: 14

Expired translations: 13

Dynamic mappings:

nat-limit statistics:

max entry: max allowed 0, used 0, missed 0

In-to-out drops: 0 Out-to-in drops: 0

Pool stats drop: 0 Mapping stats drop: 0

Port block alloc fail: 0

IP alias add fail: 0

Limit entry add fail: 0

Task 2: Configure Dynamic NAT (with PAT)

Configure a Standard Named ACL for the source/interesting traffic from the 10.1.1.0/24 LAN subnet.

CSRv(config)#ip access-list ?

extended Extended Access List

helper Access List acts on helper-address

log-update Control access list log updates

logging Control access list logging

match-local-traffic Enable ACL matching for locally generated traffic

persistent enable persistency across reload

resequence Resequence Access List

role-based Role-based Access List

standard Standard Access List

CSRv(config)#ip access-list standard ?

<1-99> Standard IP access-list number

<1300-1999> Standard IP access-list number (expanded range)

WORD Access-list name

CSRv(config)#ip access-list standard DYNAMIC_NAT

CSRv(config-std-nacl)#?

Standard Access List configuration commands:

<1-2147483647> Sequence Number

default Set a command to its defaults

deny Specify packets to reject

exit Exit from access-list configuration mode

no Negate a command or set its defaults

permit Specify packets to forward

remark Access list entry comment

CSRv(config-std-nacl)#permit ?

Hostname or A.B.C.D Address to match

any Any source host

host A single host address

CSRv(config-std-nacl)#permit 10.1.1.0 ?

A.B.C.D Wildcard bits

log Log matches against this entry

<cr>

CSRv(config-std-nacl)#permit 10.1.1.0 0.0.0.255

Configure a NAT pool that will use a single translated IP address of 192.168.1.201.

CSRv(config)#ip nat pool ?

WORD Pool name

CSRv(config)#ip nat pool NAT_POOL ?

A.B.C.D Start IP address

netmask Specify the network mask

prefix-length Specify the prefix length

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 ?

A.B.C.D End IP address

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 192.168.1.201 ?

netmask Specify the network mask

prefix-length Specify the prefix length

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 192.168.1.201 netmask ?

A.B.C.D Network mask

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 192.168.1.201 netmask 255.255.255.0

Configure Dynamic NAT (NAT overload) for the inside network.

This would allow multiple inside hosts using a dynamic high number (ephemeral) source ports to be translated to a pool of global IP address.

CSRv(config)#ip nat inside ?

destination Destination address translation

source Source address translation

CSRv(config)#ip nat inside source ?

list Specify access list describing local addresses

route-map Specify route-map

static Specify static local->global mapping

CSRv(config)#ip nat inside source list ?

<1-2699> Access list number for local addresses

WORD Access list name for local addresses

CSRv(config)#ip nat inside source list DYNAMIC_NAT ?

interface Specify interface for global address

pool Name pool of global addresses

CSRv(config)#ip nat inside source list DYNAMIC_NAT pool ?

WORD Pool name for global addresses

CSRv(config)#ip nat inside source list DYNAMIC_NAT pool NAT_POOL ?

oer Use with vtemplate only. On new translation, if OER BR is UP, OER will select IP from

outgoing Interface. All packets matching translation are forwarded over Interface for

duration of translation.

overload Overload an address translation

redundancy NAT redundancy operation

vrf Specify vrf

<cr>

CSRv(config)#ip nat inside source list DYNAMIC_NAT pool NAT_POOL overload

Remove the Static NAT policy and clear previous NAT translations and statistics.

Notice the global or translated IP address is now 192.168.1.201.

CSRv(config)#no ip nat inside source static 10.1.1.200 192.168.1.200

CSRv(config)#end

CSRv#

Dec 14 15:00:47.837: %SYS-5-CONFIG_I: Configured from console by admin on vty2 (192.168.1.100)

CSRv#clear ip nat ?

statistics Clear translation statistics

translation Clear dynamic translation

CSRv#clear ip nat translation ?

* Delete all dynamic translations

esp Encapsulating Security Payload

forced Delete all dynamic translations (forcefully)

inside Inside addresses (and ports)

outside Outside addresses (and ports)

redundancy Delete all dynamic translation in an RG instance (forcefullly)

tcp Transmission Control Protocol

udp User Datagram Protocol

vrf Delete all dynamic translation in a VRF instance

CSRv#clear ip nat translation *

CSRv#ping 8.8.8.8 source 10.1.1.200

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 10.1.1.200

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/14 ms

CSRv#show ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 192.168.1.201:1 10.1.1.200:1 8.8.8.8:1 8.8.8.8:1

Total number of translations: 1

CSRv#show ip nat statistics

Total active translations: 1 (0 static, 1 dynamic; 1 extended)

Outside interfaces:

GigabitEthernet1

Inside interfaces:

Loopback1

Hits: 1361 Misses: 34

Expired translations: 17

Dynamic mappings:

-- Inside Source

[Id: 2] access-list DYNAMIC_NAT pool NAT_POOL refcount 1

pool NAT_POOL: id 1, netmask 255.255.255.0

start 192.168.1.201 end 192.168.1.201

type generic, total addresses 1, allocated 1 (100%), misses 0

nat-limit statistics:

max entry: max allowed 0, used 0, missed 0

In-to-out drops: 0 Out-to-in drops: 0

Pool stats drop: 0 Mapping stats drop: 0

Port block alloc fail: 0

IP alias add fail: 0

Enable NAT debug.

CSRv#debug ip nat ?

<1-99> Access list forced

WORD Access list name

ha High Availability debugging

CSRv#debug ip nat DYNAMIC_NAT ?

alg NAT ALG events

bind NAT dynamic translation create/delete events

detailed NAT detailed events for ACL based debugging

drop NAT Drop events

ipsec NAT IPSec events

limit NAT max-limit policy events

mapping NAT mapping create/delete events

pap NAT Paired-address-pooling events

pool NAT pool events

port NAT PORT events

route NAT Static route events

session NAT session events

wlan-nat WLAN NAT events

<cr>

CSRv#debug ip nat DYNAMIC_NAT detailed

IP NAT detailed debugging is on for access list DYNAMIC_NAT

CSRv#ping 8.8.8.8 source 10.1.1.200

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 10.1.1.200

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/8 ms

Dec 14 15:11:58.398: NAT: attempting to setup alias for 192.168.1.201 (redundancy_name , idb GigabitEthernet1, flags 0x2), rg_id 0 tableid 0 use_tableid 0

Dec 14 15:11:58.398: NAT: installing alias for address 192.168.1.201, addr_flags 0x2, tableid 0

Dec 14 15:11:58.398: NAT: insert dynamic alias 192.168.1.201, addr_flags 0x2

Dec 14 15:11:58.398: NAT: Checking for aliases needed for IPAD list update, IDB(Gi1) address(192.168.1.201) mask(255.255.255.255) type(4) tableid(0) is_delete(FALSE)

Dec 14 15:11:58.398: NAT: IPAD type(4) is not an interface(1)

Dec 14 15:11:58.399: NAT: Notify platform for ipalias address 192.168.1.201 route download

Saturday, December 21, 2019

Configuring Auto (Object) NAT on a Cisco ASA Firewall

Task 1: Configure Static NAT

Create a network object for the DMZ server (172.16.1.50) under Configuration > Firewall > Objects > Network Objects/Groups > click Add.

Type a Name: DMZ-SERVER > leave the default Type: Host > IP Version: IPv4 > type the IP Address: 172.16.1.50 > click the downward arrow to expand NAT.

Select: Add Automatic Address Translation Rules > select default Type: Static > type Translated Addr: 172.27.25.252 > click Advanced.

Select Source Interface: dmz > select Destination Interface: outside > leave the default protocol: TCP > click OK > OK.

Click Apply > Send.

To view NAT rules, go to Configuration > Firewall > NAT Rules.

Connect to the FTP server via the translated IP 172.27.25.252 from an outside host.

OUTSIDE-LINUX~]$ ftp 172.27.25.252

ftp>

To view ASA NAT statistics, issue a show nat command.

Notice the NAT table Section 2 for Auto/Object NAT policies.

LAB-ASA5515x# show nat

Auto NAT Policies (Section 2)

1 (dmz) to (outside) source static DMZ-SERVER 172.27.25.252

translate_hits = 98, untranslate_hits = 14

2 (inside) to (outside) source dynamic OBJ-INSIDE interface

translate_hits = 22147, untranslate_hits = 13

To view ASA NAT translations, issue a show xlate command.

Notice the flag s for static NAT.

LAB-ASA5515x# show xlate

7 in use, 25 most used

Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,

s - static, T - twice, N - net-to-net

NAT from dmz:172.16.1.50 to outside:172.27.25.252

flags s idle 0:06:46 timeout 0:00:00

TCP PAT from inside:192.168.1.100/54892 to outside:172.27.25.254/54892 flags ri idle 0:00:30 timeout 0:00:30

TCP PAT from inside:192.168.1.100/54889 to outside:172.27.25.254/54889 flags ri idle 0:01:47 timeout 0:00:30

TCP PAT from inside:192.168.1.100/54235 to outside:172.27.25.254/54235 flags ri idle 14:03:19 timeout 0:00:30

TCP PAT from inside:192.168.1.100/51541 to outside:172.27.25.254/51541 flags ri idle 75:16:34 timeout 0:00:30

TCP PAT from inside:192.168.1.100/51539 to outside:172.27.25.254/51539 flags ri idle 3:19:48 timeout 0:00:30

UDP PAT from inside:192.168.1.140/123 to outside:172.27.25.254/123 flags ri idle 0:08:48 timeout 0:00:30

Task 2: Configure Dynamic NAT (Hide PAT)

To add a new NAT rule for outbound connectivity for internal hosts in the 192.168.1.0/24 and translate it to the Cisco ASA outside interface, go to Configuration > Firewall > Objects > Network Objects/Groups > Add > Network Object.

Type Network Object Name: OBJ-INSIDE > select Type: Network > select IP Version: IPv4 (default) > type IP Address: 192.168.1.0 > type/select Netmask: 255.255.25.0 > expand NAT > select Add Automatic Address Translation Rules > select Type: Dynamic PAT (Hide) > select Translated Addr: outside.

Click Advanced > select Source Interface: inside > select Destination Interface: outside > click OK > OK > Apply Send.

To view the newly created Dynamic NAT (PAT) rule, go to Configuration > Firewall > NAT Rules.

Open a website in Win7 to generate traffic for the Cisco ASA Dynamic NAT (PAT) rule.

To verify Dynamic NAT statistics, ASA connections and NAT translations using the show nat <detail>, show conn <detail>, show xlate commands respectively.

LAB-ASA5515x# show nat detail

Auto NAT Policies (Section 2)

1 (dmz) to (outside) source static DMZ-SERVER 172.27.25.252

translate_hits = 126, untranslate_hits = 30

Source - Origin: 172.16.1.50/32, Translated: 172.27.25.252/32

2 (inside) to (outside) source dynamic OBJ-INSIDE interface

translate_hits = 29669, untranslate_hits = 13

Source - Origin: 192.168.1.0/24, Translated: 172.27.25.254/24

LAB-ASA5515x# show conn ?

address Enter this keyword to specify IP address

all Enter this keyword to show conns including to-the-box and

from-the-box

count Enter this keyword to show conn count only

detail Enter this keyword to show conn in detail

inline-set Enter this keyword to specify inline-set

long Enter this keyword to show conn in long format

port Enter this keyword to specify port

protocol Enter this keyword to specify conn protocol

scansafe Enter this keyword to show conns being forwarded to scansafe

server

security-group Enter this keyword to show security-group attributes in conns

state Enter this keyword to specify conn state

user Enter this keyword to specify conn user

user-group Enter this keyword to specify conn user group

user-identity Enter this keyword to show user names

zone Enter this keyword to specify zone

| Output modifiers

<cr>

LAB-ASA5515x# show conn address ?

WORD Enter an IP address or a range of IP addresses: <start>[-<end>]

Enter an IPv6 address/prefix or range: <start>[-<end>]

LAB-ASA5515x# show conn address 192.168.1.130

12 in use, 33 most used

UDP outside 172.217.25.9:443 inside 192.168.1.130:57092, idle 0:01:53, bytes 229633, flags -

UDP outside 172.217.26.129:443 inside 192.168.1.130:57286, idle 0:01:57, bytes 663581, flags -

UDP outside 172.217.25.3:443 inside 192.168.1.130:52795, idle 0:01:50, bytes 9629, flags

Notice the flags ri for Dynamic NAT translations.

LAB-ASA5515x# show xlate

11 in use, 31 most used

Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,

s - static, T - twice, N - net-to-net

NAT from dmz:172.16.1.50 to outside:172.27.25.252

flags s idle 64:55:51 timeout 0:00:00

TCP PAT from inside:192.168.1.130/49245 to outside:172.27.25.254/49245 flags ri idle 0:00:01 timeout 0:00:30

UDP PAT from inside:192.168.1.130/50053 to outside:172.27.25.254/50053 flags ri idle 0:00:06 timeout 0:00:30

UDP PAT from inside:192.168.1.130/50052 to outside:172.27.25.254/50052 flags ri idle 0:00:06 timeout 0:00:30

UDP PAT from inside:192.168.1.130/60286 to outside:172.27.25.254/60286 flags ri idle 0:01:49 timeout 0:00:30

TCP PAT from inside:192.168.1.130/49238 to outside:172.27.25.254/49238 flags ri idle 0:02:03 timeout 0:00:30

Sunday, December 15, 2019

Configuring Layer 3 Data Plane Security on a Cisco IOS Router and ASA Firewall

I was craving for Filipino food, so I took my family to Islas Pinas in Pasay City, Philippines (near SM Mall of Asia). The buffet was reasonably priced and the highlights for me were the salmon sinigang, pancit, pork lechon and traditional desserts such as the halo-halo, kamote cue and ginataang mais.

The food hall is very spacious and they've got mini version of tourist spots around the Philippines such as the Banaue Rice Terraces and Intramuros. They also showcase pinoy icons like the jeepney, bahay kubo and sari-sari store. Not too far away is DreamPlay located in City of Dreams Manila, where my daughter (Sophia) played and had fun activities in the indoor theme park.

Task 1: Configure uRPF on the Cisco IOS Router

Open a terminal in Kali Linux (192.168.1.110) and issue an nping to perfrom an IP spoofing attack by pinging CSRv WAN IP address 192.168.1.140 using a spoof source IP 10.1.1.20 (CSRv LAN IP).

root@kali:~# nping 192.168.1.140 -S 10.1.1.20

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2019-12-05 02:13 EST

SENT (0.0504s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=1] IP [ttl=64 id=14042 iplen=28 ]

SENT (1.0522s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=2] IP [ttl=64 id=14042 iplen=28 ]

SENT (2.0538s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=3] IP [ttl=64 id=14042 iplen=28 ]

SENT (3.0564s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=4] IP [ttl=64 id=14042 iplen=28 ]

SENT (4.0585s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=5] IP [ttl=64 id=14042 iplen=28 ]

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A

Raw packets sent: 5 (140B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)

Nping done: 1 IP address pinged in 5.10 seconds

Configure unicast Reverse Path Forwarding (uRPF) on both the CSRv WAN and LAN interfaces.

CSRv(config)#interface g1

CSRv(config-if)#ip verify ?

unicast Enable per packet validation for unicast

CSRv(config-if)#ip verify unicast ?

notification drop-rate notify

reverse-path Reverse path validation of source address (old command format)

source Validation of source address

CSRv(config-if)#ip verify unicast source ?

reachable-via Specify reachability check to apply to the source address

CSRv(config-if)#ip verify unicast source reachable-via ?

any Source is reachable via any interface

rx Source is reachable via interface on which packet was received

CSRv(config-if)#ip verify unicast source reachable-via rx ?

<1-199> IP access list (standard or extended)

<1300-2699> IP expanded access list (standard or extended)

allow-default Allow default route to match when checking source address

allow-self-ping Allow router to ping itself (opens vulnerability in verification)

l2-src Check packets arrive with correct L2 source address

<cr>

CSRv(config-if)#ip verify unicast source reachable-via rx allow-default

CSRv(config)#interface loopback1

CSRv(config-if)#ip verify unicast source ?

reachable-via Specify reachability check to apply to the source address

CSRv(config-if)#ip verify unicast source reachable-via ?

any Source is reachable via any interface

rx Source is reachable via interface on which packet was received

CSRv(config-if)#ip verify unicast source reachable-via rx

Run nping to launch again the IP spoofing attack. Verify uRPF statistics using the show ip interface command.

Notice the verification drops has incremented.

CSRv#show ip interface g1

GigabitEthernet1 is up, line protocol is up

Internet address is 192.168.1.140/24

Broadcast address is 255.255.255.255

Address determined by setup command

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing Common access list is not set

Outgoing access list is not set

Inbound Common access list is not set

Inbound access list is not set

Proxy ARP is enabled

Local Proxy ARP is disabled

Security level is default

Split horizon is enabled

ICMP redirects are always sent

ICMP unreachables are always sent

ICMP mask replies are never sent

IP fast switching is enabled

IP Flow switching is disabled

IP CEF switching is enabled

IP CEF switching turbo vector

IP Null turbo vector

Associated unicast routing topologies:

Topology "base", operation state is UP

IP multicast fast switching is enabled

IP multicast distributed fast switching is disabled

IP route-cache flags are Fast, CEF

Router Discovery is disabled

IP output packet accounting is disabled

IP access violation accounting is disabled

TCP/IP header compression is disabled

RTP/IP header compression is disabled

Probe proxy name replies are disabled

Policy routing is disabled

Network address translation is enabled, interface in domain outside

BGP Policy Mapping is disabled

Input features: Virtual Fragment Reassembly, uRPF, NAT Outside, MCI Check

Output features: Post-routing NAT Outside

IPv4 WCCP Redirect outbound is disabled

IPv4 WCCP Redirect inbound is disabled

IPv4 WCCP Redirect exclude is disabled

IP verify source reachable-via RX, allow default

10 verification drops

0 suppressed verification drops

0 verification drop-rate

Task 2: Configure uRPF on the Cisco ASA

Run nping and ping the DMZ server 172.16.1.50 using a spoof source IP of 172.16.1.100.

oot@kali:~# nping 172.16.1.50 -S 172.16.1.100

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2019-12-05 03:54 EST

SENT (0.0382s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=1] IP [ttl=64 id=17914 iplen=28 ]

SENT (1.0391s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=2] IP [ttl=64 id=17914 iplen=28 ]

SENT (2.0407s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=3] IP [ttl=64 id=17914 iplen=28 ]

SENT (3.0425s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=4] IP [ttl=64 id=17914 iplen=28 ]

SENT (4.0442s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=5] IP [ttl=64 id=17914 iplen=28 ]

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A

Raw packets sent: 5 (140B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)

Nping done: 1 IP address pinged in 5.13 seconds

Configure uRPF on the Cisco ASA firewall under Configuration > Firewall > Advanced > Anti-Spoofing.

Select the Interfaces: dmz, inside, outside > click Enable > Apply > Send.

Launch the ASA Real-time Log View under Monitoring > Logging > Real-Time Log Viewer > View.

Run nping again to launch an IP spoofing attack.

root@kali:~# nping 172.16.1.50 -S 172.16.1.100

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2019-12-05 03:56 EST

SENT (0.0470s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=1] IP [ttl=64 id=19503 iplen=28 ]

SENT (1.0483s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=2] IP [ttl=64 id=19503 iplen=28 ]

SENT (2.0504s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=3] IP [ttl=64 id=19503 iplen=28 ]

SENT (3.0520s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=4] IP [ttl=64 id=19503 iplen=28 ]

SENT (4.0577s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=5] IP [ttl=64 id=19503 iplen=28 ]

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A

Raw packets sent: 5 (140B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)

Nping done: 1 IP address pinged in 5.10 seconds

Notice the spoofed ICMP packets were denied due to uRPF check.