Saturday, December 28, 2019

Configure Static and Dynamic (PAT) on a Cisco IOS Router

Task 1: Configure Static NAT


Configure NAT outside on interface Gig1 (WAN) and NAT inside on Loopback1 (LAN).

CSRv#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       192.168.1.140   YES NVRAM  up                    up     
GigabitEthernet2       unassigned      YES NVRAM  administratively down down   
Loopback1              10.1.1.200      YES manual up                    up  

CSRv#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
CSRv(config)#interface g1
CSRv(config-if)#ip nat ?  
  allow-static-host  Allow static-ip clients
  inside             Inside interface for address translation
  outside            Outside interface for address translation

CSRv(config-if)#ip nat outside
CSRv(config-if)#interface loopback1
CSRv(config-if)#ip nat inside


Configure a Static NAT (one-to-one) translation for the internal host 10.1.1.200 (web server) to the mapped/translated IP address 192.168.1.200.

CSRv(config)#ip nat ? 
  create       Create flow entries
  inside       Inside address translation
  log          NAT Logging
  name         Rule name
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  settings     NAT general settings
  switchover   NAT datapath switchover
  translation  NAT translation entry configuration

CSRv(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation

CSRv(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

CSRv(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

CSRv(config)#ip nat inside source static 10.1.1.200 ?  
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address

CSRv(config)#ip nat inside source static 10.1.1.200 192.168.1.200


Configure HTTP (web) server on the CSRv router.

CSRv(config)#ip http ?
  HSTS-Header                    Enable HTTP secure server HSTS header
  access-class                   Restricted http server access by access-class
  active-session-modules         Set up active http server session modules
  auth-retry                     Maximum number of authentication retry attempt
  authentication                 Set http server authentication method
  banner                         Enable http server banner
  banner-path                    HTML Banner Path
  client                         Set http client parameters
  digest                         Set http digest parameters
  help-path                      HTML help root URL
  max-connections                Set maximum number of concurrent http server connections
  path                           Set base path for HTML
  port                           Set http server port
  secure-active-session-modules  Set up active http secure server session modules
  secure-ciphersuite             Set http secure server ciphersuite
  secure-client-auth             Set http secure server with client authentication
  secure-port                    Set http secure server port number for listening
  secure-server                  Enable HTTP secure server
  secure-trustpoint              Set http secure server certificate trustpoint
  server                         Enable http server
  session-idle-timeout           Set http server session idle timeout
  session-module-list            Set up a http(s) server session module list
  timeout-policy                 Set http server time-out policy parameters
  tls-version                    Set TLS version for HTTP secure server
  upload                         File upload

CSRv(config)#ip http server


Access the web server (10.1.1.200) from the management PC (192.168.1.100).


Verify active NAT translations and statistics using the show ip nat translations and show ip nat statistics commands.

CSRv#show ip nat ?
  bpa           Bulk Port Allocation information
  limits        Limit statistics
  pool          Pool and port statistics
  portblock     TCP/UDP port blocks allocated for NAT
  statistics    Translation statistics
  translations  Translation entries

CSRv#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
---  192.168.1.200         10.1.1.200            ---                   ---
tcp  192.168.1.200:80      10.1.1.200:80         192.168.1.100:52285   192.168.1.100:52285
Total number of translations: 2

CSRv#show ip nat statistics  
Total active translations: 1 (1 static, 0 dynamic; 1 extended)
Outside interfaces:
  GigabitEthernet1
Inside interfaces:
  Loopback1
Hits: 650  Misses: 14
Expired translations: 13
Dynamic mappings:
nat-limit statistics:
 max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0  Out-to-in drops: 0
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0


Task 2: Configure Dynamic NAT (with PAT)

Configure a Standard Named ACL for the source/interesting traffic from the 10.1.1.0/24 LAN subnet.

CSRv(config)#ip access-list ? 
  extended             Extended Access List
  helper               Access List acts on helper-address
  log-update           Control access list log updates
  logging              Control access list logging
  match-local-traffic  Enable ACL matching for locally generated traffic
  persistent           enable persistency across reload
  resequence           Resequence Access List
  role-based           Role-based Access List
  standard             Standard Access List

CSRv(config)#ip access-list standard ?
  <1-99>       Standard IP access-list number
  <1300-1999>  Standard IP access-list number (expanded range)
  WORD         Access-list name

CSRv(config)#ip access-list standard DYNAMIC_NAT
CSRv(config-std-nacl)#?    
Standard Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment

CSRv(config-std-nacl)#permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

CSRv(config-std-nacl)#permit 10.1.1.0 ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>

CSRv(config-std-nacl)#permit 10.1.1.0 0.0.0.255


Configure a NAT pool that will use a single translated IP address of 192.168.1.201.

CSRv(config)#ip nat pool ?
  WORD  Pool name

CSRv(config)#ip nat pool NAT_POOL ?
  A.B.C.D        Start IP address
  netmask        Specify the network mask
  prefix-length  Specify the prefix length

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 ?
  A.B.C.D  End IP address

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 192.168.1.201 ?
  netmask        Specify the network mask
  prefix-length  Specify the prefix length

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 192.168.1.201 netmask ?
  A.B.C.D  Network mask

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 192.168.1.201 netmask 255.255.255.0


Configure Dynamic NAT (NAT overload) for the inside network. 

This allows multiple inside hosts, each using dynamic high-numbered (ephemeral) source ports, to be translated to the pool of global IP addresses.

CSRv(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation

CSRv(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

CSRv(config)#ip nat inside source list ?
  <1-2699>  Access list number for local addresses
  WORD      Access list name for local addresses

CSRv(config)#ip nat inside source list DYNAMIC_NAT ?
  interface  Specify interface for global address
  pool       Name pool of global addresses

CSRv(config)#ip nat inside source list DYNAMIC_NAT pool ?
  WORD  Pool name for global addresses

CSRv(config)#ip nat inside source list DYNAMIC_NAT pool NAT_POOL ?
  oer         Use with vtemplate only.  On new translation, if OER BR is UP, OER will select IP from
              outgoing Interface.  All packets matching translation are forwarded over Interface for
              duration of translation.
  overload    Overload an address translation
  redundancy  NAT redundancy operation
  vrf         Specify vrf
  <cr>

CSRv(config)#ip nat inside source list DYNAMIC_NAT pool NAT_POOL overload
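As an added example (not code from the original lab), a small Python model of what the overload keyword changes: the same one-address pool with and without PAT, two inside hosts that pick the same ephemeral port, and the reverse lookup the router must do for return traffic. The second host 10.1.1.10 and the port numbers are constructed.

```python
"""Toy model of Cisco IOS dynamic NAT with and without the 'overload' keyword.

Added example, not code from the original lab page. With the one-address pool
above (NAT_POOL = 192.168.1.201), plain dynamic NAT serves a single inside host;
'overload' (PAT) lets hosts share the address, told apart by port. The second
host 10.1.1.10 and the ports are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class DynamicNat:
    acl_network: str      # ip access-list standard DYNAMIC_NAT: permit 10.1.1.0 0.0.0.255
    pool: list            # ip nat pool NAT_POOL <start> <end>
    overload: bool        # ... pool NAT_POOL overload
    host_map: dict = field(default_factory=dict)  # no overload: local ip -> global ip
    pat_map: dict = field(default_factory=dict)   # overload: (proto, local, port) -> (global, port)
    misses: int = 0       # like 'Misses' in 'show ip nat statistics'

    def _no_overload(self, flow):
        glob = self.host_map.get(flow.src_ip)
        if glob is None:
            free = [a for a in self.pool if a not in self.host_map.values()]
            if not free:
                self.misses += 1
                return None   # pool exhausted: no translation, packet dropped
            glob = self.host_map[flow.src_ip] = free[0]
        return glob, flow.src_port

    def _overload(self, flow):
        key = (flow.proto, flow.src_ip, flow.src_port)
        if key not in self.pat_map:
            glob = self.pool[0]   # single-address pool: every host shares it
            taken = {p for g, p in self.pat_map.values() if g == glob}
            port = flow.src_port  # keep the source port when free (as the lab output shows)
            while port in taken:  # otherwise move to the next free port
                port = port + 1 if port < 65535 else 1024
            self.pat_map[key] = (glob, port)
        return self.pat_map[key]

    def translate(self, flow):
        """Inside-to-outside: the flow as seen on the outside, or None if dropped."""
        if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(self.acl_network):
            return flow           # not matched by the ACL: forwarded untranslated
        result = (self._overload if self.overload else self._no_overload)(flow)
        if result is None:
            return None
        glob, port = result
        return Flow(flow.proto, glob, port, flow.dst_ip, flow.dst_port)

    def untranslate(self, proto, glob_ip, glob_port):
        """Return traffic (overload mode): which inside (ip, port) owns this global (ip, port)?"""
        for (p, ip, port), (g, gp) in self.pat_map.items():
            if (p, g, gp) == (proto, glob_ip, glob_port):
                return ip, port
        return None


def demo():
    # Two inside hosts that happen to pick the same ephemeral port, in both modes.
    a = Flow("tcp", "10.1.1.200", 52285, "8.8.8.8", 443)
    b = Flow("tcp", "10.1.1.10", 52285, "8.8.8.8", 443)   # constructed second host
    plain = DynamicNat("10.1.1.0/24", ["192.168.1.201"], overload=False)
    pat = DynamicNat("10.1.1.0/24", ["192.168.1.201"], overload=True)
    return {
        "plain": (plain.translate(a), plain.translate(b), plain.misses),
        "pat": (pat.translate(a), pat.translate(b),
                pat.untranslate("tcp", "192.168.1.201", 52286)),
    }
```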


Remove the Static NAT policy and clear previous NAT translations and statistics.

Notice the global or translated IP address is now 192.168.1.201.

CSRv(config)#no ip nat inside source static 10.1.1.200 192.168.1.200
CSRv(config)#end
CSRv#
Dec 14 15:00:47.837: %SYS-5-CONFIG_I: Configured from console by admin on vty2 (192.168.1.100)
CSRv#clear ip nat ?
  statistics   Clear translation statistics
  translation  Clear dynamic translation

CSRv#clear ip nat translation ?
  *           Delete all dynamic translations
  esp         Encapsulating Security Payload
  forced      Delete all dynamic translations (forcefully)
  inside      Inside addresses (and ports)
  outside     Outside addresses (and ports)
  redundancy  Delete all dynamic translation in an RG instance (forcefullly)
  tcp         Transmission Control Protocol
  udp         User Datagram Protocol
  vrf         Delete all dynamic translation in a VRF instance

CSRv#clear ip nat translation *

CSRv#ping 8.8.8.8 source 10.1.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.200
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/14 ms

CSRv#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
icmp 192.168.1.201:1       10.1.1.200:1          8.8.8.8:1             8.8.8.8:1
Total number of translations: 1

CSRv#show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces:
  GigabitEthernet1
Inside interfaces:
  Loopback1
Hits: 1361  Misses: 34
Expired translations: 17
Dynamic mappings:
-- Inside Source
[Id: 2] access-list DYNAMIC_NAT pool NAT_POOL refcount 1
 pool NAT_POOL: id 1, netmask 255.255.255.0
        start 192.168.1.201 end 192.168.1.201
        type generic, total addresses 1, allocated 1 (100%), misses 0
nat-limit statistics:
 max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0  Out-to-in drops: 0
Pool stats drop: 0  Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0


Enable NAT debug.

CSRv#debug ip nat ?
  <1-99>  Access list forced
  WORD    Access list name
  ha      High Availability debugging

CSRv#debug ip nat DYNAMIC_NAT ?
  alg       NAT ALG events
  bind      NAT dynamic translation create/delete events
  detailed  NAT detailed events for ACL based debugging
  drop      NAT Drop events
  ipsec     NAT IPSec events
  limit     NAT max-limit policy events
  mapping   NAT mapping create/delete events
  pap       NAT Paired-address-pooling events
  pool      NAT pool events
  port      NAT PORT events
  route     NAT Static route events
  session   NAT session events
  wlan-nat  WLAN NAT events
  <cr>

CSRv#debug ip nat DYNAMIC_NAT detailed
IP NAT detailed debugging is on for access list DYNAMIC_NAT

CSRv#ping 8.8.8.8 source 10.1.1.200  
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.200
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/8 ms

Dec 14 15:11:58.398: NAT: attempting to setup alias for 192.168.1.201 (redundancy_name , idb GigabitEthernet1, flags 0x2), rg_id 0 tableid 0 use_tableid 0
Dec 14 15:11:58.398: NAT: installing alias for address 192.168.1.201, addr_flags 0x2, tableid 0
Dec 14 15:11:58.398: NAT: insert dynamic alias 192.168.1.201, addr_flags 0x2
Dec 14 15:11:58.398: NAT: Checking for aliases needed for IPAD list update, IDB(Gi1) address(192.168.1.201) mask(255.255.255.255) type(4) tableid(0) is_delete(FALSE)
Dec 14 15:11:58.398: NAT: IPAD type(4) is not an interface(1)
Dec 14 15:11:58.399: NAT: Notify platform for ipalias address 192.168.1.201 route download

Saturday, December 21, 2019

Configuring Auto (Object) NAT on a Cisco ASA Firewall

Task 1: Configure Static NAT


Create a network object for the DMZ server (172.16.1.50) under Configuration > Firewall > Objects > Network Objects/Groups > click Add.



Type a Name: DMZ-SERVER > leave the default Type: Host > IP Version: IPv4 > type the IP Address: 172.16.1.50 > click the downward arrow to expand NAT.


Select: Add Automatic Address Translation Rules > select default Type: Static > type Translated Addr: 172.27.25.252 > click Advanced.


Select Source Interface: dmz > select Destination Interface: outside > leave the default protocol: TCP > click OK > OK.


Click Apply > Send.



To view NAT rules, go to Configuration > Firewall > NAT Rules.


Connect to the FTP server via the translated IP 172.27.25.252 from an outside host.

OUTSIDE-LINUX~]$ ftp 172.27.25.252
ftp>


To view ASA NAT statistics, issue a show nat command.

Notice that the Auto/Object NAT policies appear in Section 2 of the NAT table.

LAB-ASA5515x# show nat

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-SERVER 172.27.25.252
    translate_hits = 98, untranslate_hits = 14
2 (inside) to (outside) source dynamic OBJ-INSIDE interface
    translate_hits = 22147, untranslate_hits = 13


To view ASA NAT translations, issue a show xlate command.

Notice the flag s for static NAT.

LAB-ASA5515x# show xlate
7 in use, 25 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from dmz:172.16.1.50 to outside:172.27.25.252
    flags s idle 0:06:46 timeout 0:00:00

TCP PAT from inside:192.168.1.100/54892 to outside:172.27.25.254/54892 flags ri idle 0:00:30 timeout 0:00:30
TCP PAT from inside:192.168.1.100/54889 to outside:172.27.25.254/54889 flags ri idle 0:01:47 timeout 0:00:30
TCP PAT from inside:192.168.1.100/54235 to outside:172.27.25.254/54235 flags ri idle 14:03:19 timeout 0:00:30
TCP PAT from inside:192.168.1.100/51541 to outside:172.27.25.254/51541 flags ri idle 75:16:34 timeout 0:00:30
TCP PAT from inside:192.168.1.100/51539 to outside:172.27.25.254/51539 flags ri idle 3:19:48 timeout 0:00:30
UDP PAT from inside:192.168.1.140/123 to outside:172.27.25.254/123 flags ri idle 0:08:48 timeout 0:00:30


Task 2: Configure Dynamic NAT (Hide PAT)

To add a NAT rule that gives internal hosts in 192.168.1.0/24 outbound connectivity by translating them to the Cisco ASA outside interface address, go to Configuration > Firewall > Objects > Network Objects/Groups > Add > Network Object.

Type Network Object Name: OBJ-INSIDE > select Type: Network > select IP Version: IPv4 (default) > type IP Address: 192.168.1.0 > type or select Netmask: 255.255.255.0 > expand NAT > select Add Automatic Address Translation Rules > select Type: Dynamic PAT (Hide) > select Translated Addr: outside.


Click Advanced > select Source Interface: inside > select Destination Interface: outside > click OK > OK > Apply > Send.


To view the newly created Dynamic NAT (PAT) rule, go to Configuration > Firewall > NAT Rules.


Open a website in Win7 to generate traffic for the Cisco ASA Dynamic NAT (PAT) rule.


Verify the Dynamic NAT statistics, ASA connections and NAT translations using the show nat detail, show conn detail and show xlate commands respectively.

LAB-ASA5515x# show nat detail

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-SERVER 172.27.25.252
    translate_hits = 126, untranslate_hits = 30
    Source - Origin: 172.16.1.50/32, Translated: 172.27.25.252/32
2 (inside) to (outside) source dynamic OBJ-INSIDE interface
    translate_hits = 29669, untranslate_hits = 13
    Source - Origin: 192.168.1.0/24, Translated: 172.27.25.254/24

LAB-ASA5515x# show conn ?

  address         Enter this keyword to specify IP address
  all             Enter this keyword to show conns including to-the-box and
                  from-the-box
  count           Enter this keyword to show conn count only
  detail          Enter this keyword to show conn in detail
  inline-set      Enter this keyword to specify inline-set
  long            Enter this keyword to show conn in long format
  port            Enter this keyword to specify port
  protocol        Enter this keyword to specify conn protocol
  scansafe        Enter this keyword to show conns being forwarded to scansafe
                  server
  security-group  Enter this keyword to show security-group attributes in conns
  state           Enter this keyword to specify conn state
  user            Enter this keyword to specify conn user
  user-group      Enter this keyword to specify conn user group
  user-identity   Enter this keyword to show user names
  zone            Enter this keyword to specify zone
  |               Output modifiers
  <cr>
LAB-ASA5515x# show conn address ?

  WORD  Enter an IP address or a range of IP addresses: <start>[-<end>]
        Enter an IPv6 address/prefix or range: <start>[-<end>]

LAB-ASA5515x# show conn address 192.168.1.130
12 in use, 33 most used

UDP outside  172.217.25.9:443 inside  192.168.1.130:57092, idle 0:01:53, bytes 229633, flags -
UDP outside  172.217.26.129:443 inside  192.168.1.130:57286, idle 0:01:57, bytes 663581, flags -
UDP outside  172.217.25.3:443 inside  192.168.1.130:52795, idle 0:01:50, bytes 9629, flags


Notice the flags ri (portmap, dynamic) for Dynamic NAT translations.

LAB-ASA5515x# show xlate
11 in use, 31 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from dmz:172.16.1.50 to outside:172.27.25.252
    flags s idle 64:55:51 timeout 0:00:00

TCP PAT from inside:192.168.1.130/49245 to outside:172.27.25.254/49245 flags ri idle 0:00:01 timeout 0:00:30
UDP PAT from inside:192.168.1.130/50053 to outside:172.27.25.254/50053 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside:192.168.1.130/50052 to outside:172.27.25.254/50052 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside:192.168.1.130/60286 to outside:172.27.25.254/60286 flags ri idle 0:01:49 timeout 0:00:30
TCP PAT from inside:192.168.1.130/49238 to outside:172.27.25.254/49238 flags ri idle 0:02:03 timeout 0:00:30
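As an added example (not part of the original post), a Python parser for the show xlate format above that classifies each entry by its flags (s for static, ri for dynamic PAT) and summarizes static exposures and PAT xlates per inside host; the sample text is a constructed excerpt in the lab's format.

```python
"""Parser for Cisco ASA 'show xlate' output, classifying entries by flag.

Added example, not part of the original post. It handles the two entry shapes
shown above: a two-line static NAT entry ('NAT from ... / flags s ...') and
one-line PAT entries ('TCP PAT from ... flags ri ...'). SAMPLE below is a
constructed excerpt in the same format as the lab output.
"""
import re
from collections import Counter

FLAG_MEANING = {"D": "DNS", "e": "extended", "I": "identity", "i": "dynamic",
                "r": "portmap", "s": "static", "T": "twice", "N": "net-to-net"}

ENDPOINT = r"(?P<{side}_if>\S+?):(?P<{side}_ip>[0-9.]+)(?:/(?P<{side}_port>\d+))?"
PAT_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) PAT from " + ENDPOINT.format(side="in")
    + r" to " + ENDPOINT.format(side="out")
    + r" flags (?P<flags>\S+) idle (?P<idle>\S+) timeout (?P<timeout>\S+)")
STATIC_RE = re.compile(r"^NAT from " + ENDPOINT.format(side="in") + r" to "
                       + ENDPOINT.format(side="out") + r"$")
FLAGS_RE = re.compile(r"^\s+flags (?P<flags>\S+) idle (?P<idle>\S+) timeout (?P<timeout>\S+)")


def parse_xlate(text):
    """Return a list of dicts, one per translation entry, in output order."""
    entries, pending = [], None
    for line in text.splitlines():
        m = PAT_RE.match(line)
        if m:
            d = m.groupdict()
            d["in_port"], d["out_port"] = int(d["in_port"]), int(d["out_port"])
            entries.append(d)
            continue
        m = STATIC_RE.match(line)
        if m:                       # static entry: flags come on the next line
            pending = m.groupdict()
            pending["proto"] = None
            continue
        m = FLAGS_RE.match(line)
        if m and pending is not None:
            pending.update(m.groupdict())
            entries.append(pending)
            pending = None
    for e in entries:
        flags = set(e["flags"])
        e["kind"] = ("static" if "s" in flags
                     else "dynamic PAT" if {"r", "i"} <= flags else "other")
        e["flag_names"] = [FLAG_MEANING.get(f, f) for f in e["flags"]]
    return entries


def summarize(entries):
    """Static exposures and PAT xlate count per inside host, for a quick audit."""
    static = [(e["in_ip"], e["out_ip"]) for e in entries if e["kind"] == "static"]
    per_host = Counter(e["in_ip"] for e in entries if e["kind"] == "dynamic PAT")
    return {"static": static, "pat_per_host": dict(per_host)}


SAMPLE = """\
11 in use, 31 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from dmz:172.16.1.50 to outside:172.27.25.252
    flags s idle 64:55:51 timeout 0:00:00

TCP PAT from inside:192.168.1.130/49245 to outside:172.27.25.254/49245 flags ri idle 0:00:01 timeout 0:00:30
UDP PAT from inside:192.168.1.130/50053 to outside:172.27.25.254/50053 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside:192.168.1.140/123 to outside:172.27.25.254/123 flags ri idle 0:08:48 timeout 0:00:30
"""
```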

Sunday, December 15, 2019

Configuring Layer 3 Data Plane Security on a Cisco IOS Router and ASA Firewall

I was craving Filipino food, so I took my family to Islas Pinas in Pasay City, Philippines (near SM Mall of Asia). The buffet was reasonably priced and the highlights for me were the salmon sinigang, pancit, pork lechon and traditional desserts such as the halo-halo, kamote cue and ginataang mais.

The food hall is very spacious and they've got mini versions of tourist spots around the Philippines such as the Banaue Rice Terraces and Intramuros. They also showcase pinoy icons like the jeepney, bahay kubo and sari-sari store. Not too far away is DreamPlay, located in City of Dreams Manila, where my daughter (Sophia) played and had fun activities in the indoor theme park.





Task 1: Configure uRPF on the Cisco IOS Router


Open a terminal in Kali Linux (192.168.1.110) and issue an nping to perform an IP spoofing attack by pinging the CSRv WAN IP address 192.168.1.140 using a spoofed source IP 10.1.1.20 (CSRv LAN IP).

root@kali:~# nping 192.168.1.140 -S 10.1.1.20

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2019-12-05 02:13 EST
SENT (0.0504s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=1] IP [ttl=64 id=14042 iplen=28 ]
SENT (1.0522s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=2] IP [ttl=64 id=14042 iplen=28 ]
SENT (2.0538s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=3] IP [ttl=64 id=14042 iplen=28 ]
SENT (3.0564s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=4] IP [ttl=64 id=14042 iplen=28 ]
SENT (4.0585s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=5] IP [ttl=64 id=14042 iplen=28 ]

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 5 (140B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)
Nping done: 1 IP address pinged in 5.10 seconds


Configure unicast Reverse Path Forwarding (uRPF) on both the CSRv WAN and LAN interfaces.

CSRv(config)#interface g1
CSRv(config-if)#ip verify ?
  unicast  Enable per packet validation for unicast

CSRv(config-if)#ip verify unicast ?
  notification  drop-rate notify
  reverse-path  Reverse path validation of source address (old command format)
  source        Validation of source address

CSRv(config-if)#ip verify unicast source ?
  reachable-via  Specify reachability check to apply to the source address

CSRv(config-if)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received

CSRv(config-if)#ip verify unicast source reachable-via rx ?
  <1-199>          IP access list (standard or extended)
  <1300-2699>      IP expanded access list (standard or extended)
  allow-default    Allow default route to match when checking source address
  allow-self-ping  Allow router to ping itself (opens vulnerability in verification)
  l2-src           Check packets arrive with correct L2 source address
  <cr>

CSRv(config-if)#ip verify unicast source reachable-via rx allow-default

CSRv(config)#interface loopback1
CSRv(config-if)#ip verify unicast source ?
  reachable-via  Specify reachability check to apply to the source address

CSRv(config-if)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received

CSRv(config-if)#ip verify unicast source reachable-via rx
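As an added example, not from the original post, a Python model of the strict (rx) check with and without allow-default, run against a routing table assumed from the lab's interface addresses (192.168.1.0/24 on Gig1, 10.1.1.0/24 on Loopback1) plus an assumed default route out Gig1; it reproduces why the spoofed 10.1.1.20 source arriving on Gig1 is a verification drop, and what allow-default changes for sources that only match the default route.

```python
"""Model of Cisco IOS unicast RPF source checks: strict 'rx', loose 'any',
and the 'allow-default' option, against the lab's topology.

Added example, not code from the original post. The routing table is assumed
from the interface addresses above (192.168.1.0/24 on Gig1, 10.1.1.0/24 on
Loopback1) plus an assumed default route out Gig1, which the lab's pings to
8.8.8.8 imply. It shows why a packet with spoofed source 10.1.1.20 received
on Gig1 is a verification drop, and how 'allow-default' affects sources that
only match the default route.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


def lookup(rib, src):
    """Longest-prefix match for a source address; returns the Route or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for r in rib:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_check(rib, src, in_iface, mode="rx", allow_default=False):
    """Return (accepted, reason) for a packet's source address.

    mode 'rx' : strict, the source must route back out the receiving interface
    mode 'any': loose, any non-default route to the source suffices
    allow_default: let a default route satisfy the check (ignored otherwise)
    """
    route = lookup(rib, src)
    if route is None:
        return False, "no route to source"
    if route.prefix.prefixlen == 0 and not allow_default:
        return False, "only the default route matches (allow-default not set)"
    if mode == "any":
        return True, f"loose: route via {route.interface}"
    if route.interface == in_iface:
        return True, f"strict: route via {route.interface} == ingress"
    return False, f"strict: route via {route.interface}, received on {in_iface}"


# Constructed RIB for the lab: connected networks plus an assumed default route.
LAB_RIB = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "GigabitEthernet1"),
    Route(ipaddress.ip_network("10.1.1.0/24"), "Loopback1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet1"),
]

# Per-interface settings from the lab configuration above.
IFACE_URPF = {
    "GigabitEthernet1": {"mode": "rx", "allow_default": True},
    "Loopback1": {"mode": "rx", "allow_default": False},
}


def check_on_lab(src, in_iface):
    return urpf_check(LAB_RIB, src, in_iface, **IFACE_URPF[in_iface])


def demo():
    return {
        # nping from Kali: spoofed LAN source 10.1.1.20 arriving on the WAN interface
        "spoofed_lan_src_on_wan": check_on_lab("10.1.1.20", "GigabitEthernet1"),
        # Kali's real address arriving on the WAN interface
        "real_wan_src": check_on_lab("192.168.1.110", "GigabitEthernet1"),
        # an Internet host (8.8.8.8): only the default route matches
        "internet_src_on_wan": check_on_lab("8.8.8.8", "GigabitEthernet1"),
        # a LAN host arriving on the LAN interface
        "lan_src_on_lan": check_on_lab("10.1.1.200", "Loopback1"),
    }
```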


Run nping again to launch the IP spoofing attack. Verify uRPF statistics using the show ip interface command.

Notice that the verification drops have incremented.

CSRv#show ip interface g1
GigabitEthernet1 is up, line protocol is up
  Internet address is 192.168.1.140/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing Common access list is not set
  Outgoing access list is not set
  Inbound Common access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  Associated unicast routing topologies:
        Topology "base", operation state is UP
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Input features: Virtual Fragment Reassembly, uRPF, NAT Outside, MCI Check
  Output features: Post-routing NAT Outside
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
  IP verify source reachable-via RX, allow default
   10 verification drops
   0 suppressed verification drops
   0 verification drop-rate


Task 2: Configure uRPF on the Cisco ASA

Run nping and ping the DMZ server 172.16.1.50 using a spoofed source IP of 172.16.1.100.

root@kali:~# nping 172.16.1.50 -S 172.16.1.100

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2019-12-05 03:54 EST
SENT (0.0382s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=1] IP [ttl=64 id=17914 iplen=28 ]
SENT (1.0391s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=2] IP [ttl=64 id=17914 iplen=28 ]
SENT (2.0407s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=3] IP [ttl=64 id=17914 iplen=28 ]
SENT (3.0425s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=4] IP [ttl=64 id=17914 iplen=28 ]
SENT (4.0442s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=5] IP [ttl=64 id=17914 iplen=28 ]

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 5 (140B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)
Nping done: 1 IP address pinged in 5.13 seconds


Configure uRPF on the Cisco ASA firewall under Configuration > Firewall > Advanced > Anti-Spoofing.


Select the Interfaces: dmz, inside, outside > click Enable > Apply > Send.



Launch the ASA Real-time Log View under Monitoring > Logging > Real-Time Log Viewer > View.


Run nping again to launch an IP spoofing attack.

root@kali:~# nping 172.16.1.50 -S 172.16.1.100

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2019-12-05 03:56 EST
SENT (0.0470s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=1] IP [ttl=64 id=19503 iplen=28 ]
SENT (1.0483s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=2] IP [ttl=64 id=19503 iplen=28 ]
SENT (2.0504s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=3] IP [ttl=64 id=19503 iplen=28 ]
SENT (3.0520s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=4] IP [ttl=64 id=19503 iplen=28 ]
SENT (4.0577s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=5] IP [ttl=64 id=19503 iplen=28 ]

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 5 (140B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)
Nping done: 1 IP address pinged in 5.10 seconds


Notice that the spoofed ICMP packets were denied due to the uRPF check.