Private IP address showing up in PIX log - how to find it

tffmaguire (Level 1)

I've just turned on logging on our PIX 525 6.3(4) and discovered numerous identical entries:

No translation group found for icmp src inside:192.168.1.245 dst outside:192.168.1.255 (type 8, code 0)

Does anyone have an idea on how to find the 192.168 address ?

The above error message is constantly being generated.

Can I assume it's on the same subnet as my PIX?

The PIX is connected to a 3750E switch, which functions as our CORE switch in the data center.

We don't do any NAT or block any outbound traffic. Not an ideal setup, but I've inherited this configuration.

Thanks for any ideas.

Tom

7 Replies

Jon Marshall (Hall of Fame)

Tom

Is 192.168.1.245 an address that is out of your internal LAN? In addition, which device does the routing for that subnet?

On the L3 device that routes for that subnet do a

1) "sh arp" - this will show you the IP to mac-address mappings.

2) Get the mac-address and on the switch run

"sh mac-address-table address <mac address>"

This should tell you which port it is connected to. You should then be able to track that back to the floor port of the machine.

Jon
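The two-step lookup in the reply above (IP to MAC via "sh arp", MAC to port via "sh mac-address-table address"), as an added example that is not code from the thread or from Cisco. It parses the two command outputs and joins them; the CLI output embedded below is constructed for illustration, and the MAC, VLAN and port values in it are invented.

```python
"""Locate a host's switch port from 'show arp' and 'show mac address-table'
output, the two-step procedure in the reply above.

Added example, not code from the original thread or from Cisco. The CLI
output below is constructed; the MAC, VLAN and port values are invented.
"""
import re

# Constructed 'show arp' output from the L3 device that routes the subnet.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0011.2233.4455  ARPA   Vlan10
Internet  192.168.1.245          12   000c.4101.beef  ARPA   Vlan10
Internet  192.168.1.77            3   0019.5b22.aa01  ARPA   Vlan10
"""

# Constructed 'show mac address-table address 000c.4101.beef' from the switch.
SHOW_MAC = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    000c.4101.beef    DYNAMIC     Gi1/0/23
Total Mac Addresses for this criterion: 1
"""

CISCO_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# 'show arp' rows: Internet <ip> <age|-> <mac> <type> <interface>
ARP_RE = re.compile(
    r"^Internet\s+(\S+)\s+(?:-|\d+)\s+(" + CISCO_MAC + r")\s+\S+\s+(\S+)", re.M)
# MAC table rows: <vlan> <mac> <type> <port>; header/footer lines do not match
MAC_RE = re.compile(
    r"^\s*(\d+)\s+(" + CISCO_MAC + r")\s+\S+\s+(\S+)", re.M)


def to_cisco_mac(mac):
    """Normalise 00:0C:41:01:BE:EF / 00-0c-41-01-be-ef / 000c.4101.beef
    to Cisco's dotted form so MACs from other tools can be compared."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def parse_arp(text):
    """Map IP -> (mac, interface) from 'show arp' output."""
    return {ip: (mac, intf) for ip, mac, intf in ARP_RE.findall(text)}


def parse_mac_table(text):
    """Map MAC -> (vlan, port) from 'show mac address-table' output."""
    return {mac: (int(vlan), port) for vlan, mac, port in MAC_RE.findall(text)}


def locate_host(ip, arp_text, mac_text):
    """Return (mac, vlan, port) for ip, or None if either lookup fails.

    If the port turns out to be a trunk or uplink, the host sits behind
    another switch: repeat the MAC-table lookup there with the same MAC.
    """
    entry = parse_arp(arp_text).get(ip)
    if entry is None:
        return None
    mac, _intf = entry
    hit = parse_mac_table(mac_text).get(mac)
    if hit is None:
        return None
    vlan, port = hit
    return mac, vlan, port


if __name__ == "__main__":
    print(locate_host("192.168.1.245", SHOW_ARP, SHOW_MAC))
```

The caveat for this particular thread: when no L3 device routes 192.168.1.0/24, "sh arp" on the core will never contain the address, so the first step yields nothing. The source MAC then has to come from the wire instead, for example a SPAN session on the 3750E to a sniffer or a packet capture on the PIX inside interface filtered on that source; once you have the MAC, the second step ("sh mac-address-table address") works exactly as above, and to_cisco_mac() converts a colon-separated MAC from a sniffer into the dotted form the switch expects.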

Thanks Jon for the response.

"Is 192.168.1.245 an address that is out of your internal LAN ? In addtion which device does the routing for that subnet."

This address is not part of our Internal LAN.

We own a Public Class B address space, so we have no need for private IP's. Our address space is broken into fixed Class C's. (No VLSM's). The PIX and 3750 switch are in the same subnet.

192.168.1.0 does not show up in any routing tables.

If I could get the Mac address, I have tools that will pin point it to a port.

The reason I think the address is somewhere in our building is that the private address is non-routable and could not get to the PIX from another subnet. (I think).

One option is to come in early some morning and shut down individual interfaces on the 3750E one at a time until the PIX stops logging the entry.

Thanks Again.

Tom

Tom

Just a quick check. Do you allow "ip directed-broadcasts" on any of your L3 interfaces as 192.168.1.255 is a directed broadcast which may mean it is coming from another of your subnets.

Jon

Jon -

Good idea. I just checked my config and displayed "sho ip int"; which confirmed I didn't have that option enabled.

I'll continue my sleuthing activity and close the discussion.

I appreciate your assistance and ideas.

Tom

If your routing table does not have the 192.168.x.x address, unless your routers have unicast RPF checking enabled or ACLs preventing this, the traffic will follow your default route. Of course, no traffic will be able to get back to the host sending this traffic, but it will be able to send traffic to just about any address until it runs into a filter or a device that performs a reverse-path check.

Turning off ip directed-broadcast (it is off by default now) only prevents the router from sending it out as a L2 broadcast, but does not necessarily stop the router from forwarding the packet.

Check out http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/secure.html#wp1086004 for the unicast RPF check.
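The forwarding argument in the reply above, as an added example that is not from the thread and not Cisco code: a small model of a destination lookup, the strict and loose unicast RPF checks, and an RFC 1918 ingress ACL, run over a constructed routing table. The prefixes and interface names are constructed (the public /24s use RFC 5737 documentation space standing in for the poster's Class B), and the allow_default parameter is this model's stand-in for the IOS allow-default keyword.

```python
"""Model of the forwarding argument in the reply above: with no route for
192.168.0.0/16, a router forwards the packet out its default route, and
only a reverse-path check or an ACL stops it.

Added example, not from the thread and not Cisco code. The routing table
and interface names are constructed; the public prefixes are documentation
ranges (RFC 5737) standing in for the poster's Class B space.
"""
import ipaddress

# Constructed routing table: (prefix, outgoing interface).
ROUTES = [
    ("0.0.0.0/0", "Gi0/1"),         # default route toward the PIX
    ("198.51.100.0/24", "Vlan10"),  # one of the fixed /24 internal subnets
    ("198.51.101.0/24", "Vlan11"),
]

RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(routes, address):
    """Longest-prefix match: returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, intf in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best


def egress_interface(routes, dst):
    """Plain forwarding: only the destination is looked up, so a packet to
    192.168.1.255 leaves via the default route even though nothing routes
    192.168.0.0/16 back."""
    hit = lookup(routes, dst)
    return hit[1] if hit else None


def urpf_permits(routes, src, ingress, mode="strict", allow_default=False):
    """Reverse-path check on the source address.

    strict: the best route back to src must point out the ingress interface.
    loose:  any route back to src is enough.
    A default route satisfies either mode only when allow_default is set
    (this model's equivalent of the IOS 'allow-default' keyword).
    """
    hit = lookup(routes, src)
    if hit is None:
        return False
    net, intf = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "strict":
        return intf == ingress
    if mode == "loose":
        return True
    raise ValueError("mode must be 'strict' or 'loose'")


def acl_permits(src):
    """Ingress ACL alternative: drop anything sourced from RFC 1918 space."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in RFC1918)


if __name__ == "__main__":
    src, dst, ingress = "192.168.1.245", "192.168.1.255", "Vlan10"
    print("forwarded out", egress_interface(ROUTES, dst))
    print("strict uRPF  ", urpf_permits(ROUTES, src, ingress))
    print("loose uRPF   ", urpf_permits(ROUTES, src, ingress, mode="loose"))
    print("RFC1918 ACL  ", acl_permits(src))
```

Running it shows the thread's situation: the packet to 192.168.1.255 is forwarded out the default route (toward the PIX, which then logs it), while both uRPF modes reject the 192.168.1.245 source because its only match is the default route. On IOS the interface commands are `ip verify unicast source reachable-via rx` (strict) and `ip verify unicast source reachable-via any` (loose), optionally with `allow-default`; strict mode breaks asymmetric routing, so loose mode or the ACL is the usual choice on an internal core.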

This will sound weird, but do you have a Linksys wireless WAP54G on your network somewhere?

their default address is 192.168.1.245.

Thanks Michael.

Your response and link were very helpful.

Tom
