06-14-2007 06:57 PM - edited 03-05-2019 04:44 PM
Hi,
When I action show ip nat translations on our gateway router, it comes up with an Inside Local IP Address that does not belong to our local network. See attached.
192.168.1.0/24 does not belong to any of our users or static routes (we don't use a dynamic protocol), nor is it a configured interface on the router.
Is there a way I can trace which VLAN this IP is coming from? Before this, network 192.168.1.0/24 was flooding our NAT pool and I had to deny ip 192.168.1.0 0.0.0.255 any any
06-14-2007 07:59 PM
Hi
The best way of dealing with this, and also what you desire, would be tweaking the access-list attached to the NAT statement.
Deny the IP block which is not required to access the pool and permit the remaining blocks.
Regards
06-14-2007 08:05 PM
Try putting a sniffer onto the router's inside VLAN and do a capture. You will get more info.
What have you defined for your Inside pool?
Is it 0.0.0.0 ?
I suggest that you define only your internal networks. By this the router will NAT only the required IPs from your LAN.
06-14-2007 10:01 PM
Thanks for the replies.
The NAT pool is now secure with only specific network addresses permitted to use the NAT.
Apart from 192.168.1.0/24 we use the rest of the network.
remark PERMIT IP ACCESS FOR CLIENT NETWORK
deny ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.255.255 any
Although, I would still like to know where this network is coming from and how this unknown user got to use our Internet without having any connected interface to that specific /24 block.
06-14-2007 10:17 PM
If there is a single subnet in your office, try assigning a static IP from that pool & then try to ping that machine with the command
ping -a 192.168.1.X
It should resolve the hostname if it is a Windows machine.
If there are multiple VLANs, try putting Ethereal randomly in the VLANs & see where the packet for 192.168.1.x is coming from.
HTH please rate all useful posts
06-17-2007 09:12 PM
Hi,
The network 192.168.1.x/24 does not exist in our local network but is still showing up as inside local.
--- 203.215.141.251 192.168.1.11 --- ---
tcp 203.215.141.253:139 192.168.1.111:139 222.92.124.22:6000 222.92.124.22:6000
--- 203.215.141.253 192.168.1.111 --- ---
--- 203.215.141.250 192.168.1.118 --- ---
--- 203.215.141.252 192.168.1.120 --- ---
tcp 203.215.141.254:139 192.168.1.134:139 222.92.124.22:6000 222.92.124.22:6000
--- 203.215.141.254 192.168.1.134 --- ---
After reading some of the logs, I think, but am not 100% sure, that this is a TCP SYN flooding attack. It has the same symptoms described in the Cisco doco: "target host (frequently an HTTP or SMTP server) becomes extremely slow, crashes, or hangs. It is also possible for the traffic that returns from the target host to cause trouble on routers".
Any ideas?
Thanks
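Added example, not part of the original thread: a Python sketch that evaluates the NAT access-list posted above (first match wins, wildcard bits ignored, implicit deny) against the inside local addresses in the translation table posted above, so entries the ACL should no longer be translating stand out. The function names are hypothetical; the table rows and ACL entries are copied from the posts.

```python
import ipaddress

# "show ip nat translations" rows as posted in the thread. Columns:
# Pro, Inside global, Inside local, Outside local, Outside global.
NAT_TABLE = """\
--- 203.215.141.251 192.168.1.11 --- ---
tcp 203.215.141.253:139 192.168.1.111:139 222.92.124.22:6000 222.92.124.22:6000
--- 203.215.141.253 192.168.1.111 --- ---
--- 203.215.141.250 192.168.1.118 --- ---
--- 203.215.141.252 192.168.1.120 --- ---
tcp 203.215.141.254:139 192.168.1.134:139 222.92.124.22:6000 222.92.124.22:6000
--- 203.215.141.254 192.168.1.134 --- ---
"""

# NAT access-list entries as posted in the thread: (action, address, wildcard).
ACL = [("deny", "192.168.1.0", "0.0.0.255"),
       ("permit", "192.168.0.0", "0.0.255.255")]

def to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def acl_action(ip, acl=ACL):
    """First-match evaluation on the source address; wildcard bits set to 1 are ignored."""
    addr = to_int(ip)
    for action, base, wildcard in acl:
        care = ~to_int(wildcard) & 0xFFFFFFFF
        if (addr & care) == (to_int(base) & care):
            return action
    return "deny"  # implicit deny at the end of every IOS access list

def audit(table=NAT_TABLE, acl=ACL):
    """Map each inside local host to its ACL verdict and the inside global IPs it holds."""
    hosts = {}
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header or malformed row
        inside_global, inside_local = (f.split(":")[0] for f in fields[1:3])
        try:
            verdict = acl_action(inside_local, acl)
        except ipaddress.AddressValueError:
            continue  # row without a parsable inside local address
        entry = hosts.setdefault(inside_local, {"acl": verdict, "globals": set()})
        entry["globals"].add(inside_global)
    return hosts

if __name__ == "__main__":
    for host, info in sorted(audit().items(), key=lambda kv: to_int(kv[0])):
        print(f"{host:<16} acl={info['acl']:<7} holds {sorted(info['globals'])}")
```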
06-18-2007 01:18 AM
This is an obvious configuration issue.
Please post the running-config. If you're concerned about security, change your WAN IPs.
Regards
Tim