sh ip nat translations

Jun 14th, 2007

Hi,

When I run show ip nat translations on our gateway router, it comes up with an Inside Local IP address that does not belong to our local network. See attached.


192.168.1.0/24 does not belong to any of our users or static routes (we don't use a dynamic protocol), nor is it a configured interface on the router.


Is there a way I can trace which VLAN this IP is coming from? Before this, network 192.168.1.0/24 was flooding our NAT pool and I had to deny ip 192.168.1.0 0.0.0.255 any



spremkumar Thu, 06/14/2007 - 19:59

Hi


The best way, and also what you want here, would be to tweak the access-list attached to the NAT statement.


Deny the IP block which is not required to access the pool and permit the remaining blocks.



Regards


anandramapathy Thu, 06/14/2007 - 20:05

Try putting a sniffer onto the router's inside VLAN and do a capture. You will get more info.


What have you defined for your inside pool?

Is it 0.0.0.0?

I suggest that you define only your internal networks. That way the router will NAT only the required IPs from your LAN.



Peter Valdes Thu, 06/14/2007 - 22:01

Thanks for the replies.

The NAT pool is now secured, with only specific network addresses permitted to use the NAT.

Apart from 192.168.1.0/24, we use the rest of the network.


remark PERMIT IP ACCESS FOR CLIENT NETWORK

deny ip 192.168.1.0 0.0.0.255 any

permit ip 192.168.0.0 0.0.255.255 any


Although, I would still like to know where this network is coming from and how this unknown user got to use our Internet without having any connected interface to that specific /24 block.



anandramapathy Thu, 06/14/2007 - 22:17

If there is a single subnet in your office, try assigning a static IP from that pool and then try to ping that machine with the command


ping -a 192.168.1.X


It should resolve the hostname if it is a Windows machine.


If there are multiple VLANs, try putting Ethereal randomly in the VLANs and see where the packets for 192.168.1.x are coming from.


HTH, please rate all useful posts

Peter Valdes Sun, 06/17/2007 - 21:12

Hi,

The network 192.168.1.x/24 does not exist in our local network but is still showing up as inside local.


Pro Inside global        Inside local        Outside local        Outside global
--- 203.215.141.251      192.168.1.11        ---                  ---
tcp 203.215.141.253:139  192.168.1.111:139   222.92.124.22:6000   222.92.124.22:6000
--- 203.215.141.253      192.168.1.111       ---                  ---
--- 203.215.141.250      192.168.1.118       ---                  ---
--- 203.215.141.252      192.168.1.120       ---                  ---
tcp 203.215.141.254:139  192.168.1.134:139   222.92.124.22:6000   222.92.124.22:6000
--- 203.215.141.254      192.168.1.134       ---                  ---


After reading some of the logs, I think, but am not 100% sure, that this is a TCP SYN flooding attack. It has the same symptoms described in the Cisco doc: "target host (frequently an HTTP or SMTP server) becomes extremely slow, crashes, or hangs. It is also possible for the traffic that returns from the target host to cause trouble on routers".


Any ideas?

Thanks
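The check a practitioner would run over the table above, as an added example that is not part of the thread or of any Cisco tooling: parse the `show ip nat translations` output, flag every inside-local address that falls outside the prefixes the network actually uses, and test each flagged address against the NAT access-list posted earlier to confirm the deny/permit pair actually stops it. Assumptions, all labelled in the code: the internal space is 192.168.0.0/16 minus 192.168.1.0/24 (as stated in the thread), the ACL is the two-line deny/permit pair above, and the sample output is the thread's own table plus a constructed header row and one constructed legitimate entry (192.168.10.5 to 198.51.100.7) for contrast. The ACL matcher implements IOS wildcard semantics bit for bit, so it also handles non-contiguous wildcards that a prefix-length conversion would get wrong.

```python
"""Flag inside-local addresses in 'show ip nat translations' output that fall
outside the known internal prefixes, and check them against the NAT ACL.

Added example for this thread, not Cisco code. Assumptions: internal space is
192.168.0.0/16 minus 192.168.1.0/24, the ACL is the posted deny/permit pair,
and SAMPLE_OUTPUT is the thread's table plus a constructed header and one
constructed legitimate entry (192.168.10.5 -> 198.51.100.7) for contrast.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

SAMPLE_OUTPUT = """\
Pro Inside global        Inside local        Outside local        Outside global
--- 203.215.141.251      192.168.1.11        ---                  ---
tcp 203.215.141.253:139  192.168.1.111:139   222.92.124.22:6000   222.92.124.22:6000
--- 203.215.141.253      192.168.1.111       ---                  ---
--- 203.215.141.250      192.168.1.118       ---                  ---
--- 203.215.141.252      192.168.1.120       ---                  ---
tcp 203.215.141.254:139  192.168.1.134:139   222.92.124.22:6000   222.92.124.22:6000
--- 203.215.141.254      192.168.1.134       ---                  ---
tcp 203.215.141.251:1025 192.168.10.5:1025   198.51.100.7:80      198.51.100.7:80
"""

# Assumed internal prefixes: everything in 192.168.0.0/16 except 192.168.1.0/24.
EXPECTED_INTERNAL = [
    str(n) for n in ipaddress.ip_network("192.168.0.0/16").address_exclude(
        ipaddress.ip_network("192.168.1.0/24"))
]

# (action, source, IOS wildcard mask), in order; the implicit deny is applied
# by acl_permits() when nothing matches, as IOS does.
NAT_ACL: List[Tuple[str, str, str]] = [
    ("deny", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.255.255"),
]


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str


def host_of(field: str) -> Optional[str]:
    """'192.168.1.111:139' -> '192.168.1.111'; '---' (no entry) -> None."""
    if field == "---":
        return None
    return field.rsplit(":", 1)[0] if ":" in field else field


def parse_nat_translations(text: str) -> List[Translation]:
    """Parse the five-column table; skips the header and unparseable lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        entries.append(Translation(*parts))
    return entries


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


def acl_permits(acl: Sequence[Tuple[str, str, str]], src: str) -> bool:
    """First matching entry wins; no match means the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False


def unexpected_inside_locals(entries: Sequence[Translation],
                             expected_prefixes: Sequence[str]) -> List[Translation]:
    """Translations whose inside-local host is outside every expected prefix."""
    nets = [ipaddress.ip_network(p) for p in expected_prefixes]
    flagged = []
    for e in entries:
        host = host_of(e.inside_local)
        if host is not None and not any(ipaddress.ip_address(host) in n for n in nets):
            flagged.append(e)
    return flagged


def report(text: str, expected_prefixes: Sequence[str],
           acl: Sequence[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """One row per unexpected translation: who it is, who it talks to, and
    whether the NAT ACL would still let that inside-local address through."""
    rows = []
    for e in unexpected_inside_locals(parse_nat_translations(text), expected_prefixes):
        inside = host_of(e.inside_local)
        rows.append({
            "proto": e.proto,
            "inside_local": inside,
            "inside_global": host_of(e.inside_global),
            "outside_global": host_of(e.outside_global),
            "acl_permits": acl_permits(acl, inside),
        })
    return rows


if __name__ == "__main__":
    for r in report(SAMPLE_OUTPUT, EXPECTED_INTERNAL, NAT_ACL):
        print(f"{r['proto']:>3} {r['inside_local']:<15} via {r['inside_global']:<15} "
              f"peer={r['outside_global']} acl_permits={r['acl_permits']}")
```

Run against the table above, every 192.168.1.x entry is flagged, the constructed 192.168.10.5 entry is not, and the posted ACL denies all of the flagged addresses. What the script cannot tell you is which switch port or VLAN the packets enter on; for that you still need the capture on the inside interface (or the switch's MAC table) that the earlier reply suggests.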

Timor_SSS Mon, 06/18/2007 - 01:18

This is an obvious configuration issue.

Please post the running-config. If you're concerned about security, change your WAN IPs.


Regards


Tim
