12-07-2007 09:17 AM - edited 03-11-2019 04:40 AM
I've just turned on logging on our PIX 525 6.3(4) and discovered numerous identical entries:
No translation group found for icmp src inside:192.168.1.245 dst outside:192.168.1.255 (type 8, code 0)
Does anyone have an idea on how to find the 192.168 address?
The above error message is constantly being generated.
Can I assume it's on the same subnet as my PIX?
The PIX is connected to a 3750E switch, which functions as our CORE switch in the data center.
We don't do any NAT or block any outbound traffic. Not an ideal setup, but I've inherited this configuration.
Thanks for any ideas.
Tom
12-07-2007 09:40 AM
Tom
Is 192.168.1.245 an address that is out of your internal LAN? In addition, which device does the routing for that subnet?
On the L3 device that routes for that subnet do a
1) "sh arp" - this will show you the IP to mac-address mappings.
2) Get the mac-address and on the switch run
"sh mac-address-table address <mac address>"
This should tell you which port it is connected to. You should then be able to track that back to the floor port of the machine.
Jon
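Jon's two-step lookup above, fed by the log line from Tom's first post, can be scripted so that every logged inside source is resolved to a switch port in one pass. The following is an added example written for this page; it is not code from the thread or from Cisco. The syslog lines, the `show arp` output and the `show mac address-table address` output below are constructed sample data (the `%PIX-3-305005` prefix is assumed; the thread shows only the message body), and the column layouts are the usual IOS/PIX text formats, which is all the parsing relies on.

```python
import re
from collections import Counter

# Constructed PIX-style syslog excerpt (not from the original thread). One chatty private
# source and one ordinary NetBIOS broadcast from a legitimately routed subnet.
PIX_LOG = """\
%PIX-3-305005: No translation group found for icmp src inside:192.168.1.245 dst outside:192.168.1.255 (type 8, code 0)
%PIX-3-305005: No translation group found for icmp src inside:192.168.1.245 dst outside:192.168.1.255 (type 8, code 0)
%PIX-3-305005: No translation group found for udp src inside:10.20.30.40/137 dst outside:10.20.30.255/137
%PIX-3-305005: No translation group found for icmp src inside:192.168.1.245 dst outside:192.168.1.255 (type 8, code 0)
"""

# Constructed 'show arp' from the L3 device (assumed layout of IOS output). Note there is
# no entry for 192.168.1.245: a router never ARPs for a source it has no subnet for.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.30.1              -   0019.aabb.ccdd  ARPA   Vlan30
Internet  10.20.30.40             7   0011.2233.4455  ARPA   Vlan30
Internet  10.20.30.99             0   Incomplete      ARPA
"""

# Constructed 'show mac address-table address 0011.2233.4455' from the access switch.
SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  30    0011.2233.4455    DYNAMIC     Gi1/0/12
Total Mac Addresses for this criterion: 1
"""

# Message body only, so the regex does not depend on the syslog ID or timestamp prefix.
# Ports (/137) appear for tcp/udp and are absent for icmp, hence the optional group.
NO_XLATE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/\d+)?"
)
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>[\d.]+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)",
    re.IGNORECASE,
)
MAC_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<type>\w+)\s+(?P<port>\S+)",
    re.IGNORECASE,
)


def parse_pix_no_xlate(log_text):
    """Count 'No translation group found' lines keyed by (proto, src_if, src, dst)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = NO_XLATE.search(line)
        if m:
            hits[(m["proto"], m["src_if"], m["src"], m["dst"])] += 1
    return hits


def parse_show_arp(text):
    """IP -> (mac, interface). 'Incomplete' entries have no MAC and are skipped."""
    rows = (ARP_LINE.match(line) for line in text.splitlines())
    return {m["ip"]: (m["mac"].lower(), m["intf"]) for m in rows if m}


def parse_show_mac_table(text):
    """MAC -> (vlan, port) from 'show mac address-table' style output."""
    rows = (MAC_LINE.match(line) for line in text.splitlines())
    return {m["mac"].lower(): (m["vlan"], m["port"]) for m in rows if m}


def locate_sources(log_text, arp_text, mac_text):
    """Resolve each logged inside source to a port; fields stay None where a lookup fails.

    Result is ordered by hit count, noisiest source first.
    """
    arp = parse_show_arp(arp_text)
    mac_table = parse_show_mac_table(mac_text)
    per_src = Counter()
    for (_proto, src_if, src, _dst), n in parse_pix_no_xlate(log_text).items():
        if src_if == "inside":
            per_src[src] += n
    result = {}
    for src, n in per_src.most_common():
        mac, l3_if = arp.get(src, (None, None))
        vlan, port = mac_table.get(mac, (None, None)) if mac else (None, None)
        result[src] = {"count": n, "mac": mac, "l3_interface": l3_if, "vlan": vlan, "port": port}
    return result


if __name__ == "__main__":
    for src, info in locate_sources(PIX_LOG, SHOW_ARP, SHOW_MAC_TABLE).items():
        where = (f"{info['port']} (vlan {info['vlan']})" if info["port"]
                 else "no ARP entry on this L3 device; capture a frame to get the source MAC")
        print(f"{src}: {info['count']} hits, mac={info['mac']}, {where}")
```

The unresolved row is the interesting one and is exactly Tom's situation: a source that sits in no subnet the L3 device routes will never appear in its ARP table, so step 1 of the procedure yields nothing. The way around it is to get the source MAC from the frame itself, for example with the PIX's own `capture` command on the inside interface, and then run the `show mac-address-table address` lookup on the switch with that MAC.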
12-07-2007 09:58 AM
Thanks Jon for the response.
"Is 192.168.1.245 an address that is out of your internal LAN? In addition, which device does the routing for that subnet?"
This address is not part of our Internal LAN.
We own a public Class B address space, so we have no need for private IPs. Our address space is broken into fixed Class Cs (no VLSM). The PIX and 3750 switch are in the same subnet.
192.168.1.0 does not show up in any routing tables.
If I could get the Mac address, I have tools that will pin point it to a port.
The reason I think the address is somewhere in our building is that the private address is non-routable and could not get to the PIX from another subnet. (I think).
One option is to come in early some morning and shut down individual interfaces on the 3750E one at a time until the PIX stops logging the entry.
Thanks Again.
Tom
12-07-2007 10:00 AM
Tom
Just a quick check. Do you allow "ip directed-broadcast" on any of your L3 interfaces? 192.168.1.255 is a directed broadcast, which may mean it is coming from another of your subnets.
Jon
12-07-2007 10:30 AM
Jon -
Good idea. I just checked my config and ran "sho ip int", which confirmed I didn't have that option enabled.
I'll continue my sleuthing activity and close the discussion.
I appreciate your assistance and ideas.
Tom
12-07-2007 02:08 PM
If your routing table does not have the 192.168.x.x address, unless your routers have unicast RPF checking enabled or ACLs preventing this, the traffic will follow your default route. Of course, no traffic will be able to get back to the host sending this traffic, but it will be able to send traffic to just about any address until it runs into a filter or a device that performs a reverse-path check.
Turning off ip directed-broadcast (it is off by default now) only prevents the router from sending it out as a L2 broadcast, but does not necessarily stop the router from forwarding the packet.
Check out http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/secure.html#wp1086004 for the unicast RPF check.
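Michael's two points, that an unrouted source still rides the default route unless something checks the source, and that turning off directed broadcast only stops the last hop from converting the packet into an L2 broadcast, can be made concrete with a small model of the forwarding decision. The following is an added example written for this page, not code from the thread or from Cisco: the routing table (two public /24 SVIs plus a default route toward the PIX on Vlan10, and nothing at all for 192.168.0.0/16) is constructed, and the uRPF and directed-broadcast handling is a simplified model of the IOS behaviour rather than its implementation. The `allow_default` flag stands in for the IOS `allow-default` keyword of `ip verify unicast source reachable-via`.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    connected: bool = False  # True for a directly attached subnet (SVI), False for a next-hop route


# Constructed table standing in for the thread's 3750E (not the poster's real config):
# no route covers 192.168.0.0/16, so the default route is the only match for it.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "Vlan10"),                          # default toward the PIX
    Route(ipaddress.ip_network("203.0.113.0/24"), "Vlan20", connected=True),
    Route(ipaddress.ip_network("198.51.100.0/24"), "Vlan30", connected=True),
]


def lookup(table, addr):
    """Longest-prefix match; None only when nothing (not even a default) covers addr."""
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def forward(table, src, dst, ingress, urpf="off", allow_default=False, directed_broadcast=False):
    """Return a one-line verdict for a packet arriving on `ingress`.

    urpf: "off"; "loose" (source must have a route, any interface); "strict" (source must be
    reachable back out the ingress interface). allow_default: whether a default route counts
    as a route back to the source. directed_broadcast: 'ip directed-broadcast' on the egress SVI.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    if urpf != "off":
        back = lookup(table, src_ip)
        if back is None or (back.prefix.prefixlen == 0 and not allow_default):
            return "drop: uRPF, no route back to source"
        if urpf == "strict" and back.interface != ingress:
            return f"drop: uRPF, source reachable via {back.interface} not {ingress}"

    out = lookup(table, dst_ip)
    if out is None:
        return "drop: no route to destination"
    # Only the router that owns the destination subnet sees a directed broadcast as one;
    # every hop before it just forwards a unicast-looking packet toward that subnet.
    if out.connected and dst_ip == out.prefix.broadcast_address:
        if not directed_broadcast:
            return f"drop: directed broadcast for {out.interface} not permitted"
        return f"forward via {out.interface} as L2 broadcast"
    return f"forward via {out.interface}"


if __name__ == "__main__":
    cases = [
        ("192.168.1.245", "192.168.1.255", "Vlan30", {}),
        ("192.168.1.245", "192.168.1.255", "Vlan30", {"urpf": "loose"}),
        ("192.168.1.245", "192.168.1.255", "Vlan30", {"urpf": "loose", "allow_default": True}),
        ("192.168.1.245", "192.168.1.255", "Vlan30", {"urpf": "strict", "allow_default": True}),
        ("203.0.113.7", "198.51.100.1", "Vlan30", {"urpf": "strict"}),
        ("198.51.100.5", "203.0.113.255", "Vlan30", {"urpf": "strict"}),
        ("198.51.100.5", "203.0.113.255", "Vlan30", {"urpf": "strict", "directed_broadcast": True}),
    ]
    for src, dst, ingress, opts in cases:
        print(f"{src} -> {dst} in {ingress} {opts}: {forward(ROUTES, src, dst, ingress, **opts)}")
```

The first case is the thread's symptom: with no reverse-path check the packet to 192.168.1.255 simply follows the default route to the PIX, which then logs it. The third case is the caveat worth knowing before enabling loose mode: with `allow-default` a default route satisfies the check and the spoofed-looking source sails through again, so loose mode without it, or strict mode, is what actually stops this traffic at the first hop. On real hardware the strict-mode command is `ip verify unicast source reachable-via rx` on platforms that support it; Michael's link is the Catalyst 6500 guide, so check the platform documentation, since not every switch model offers uRPF.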
12-07-2007 07:29 PM
This will sound weird, but do you have a Linksys wireless WAP54G on your network somewhere?
Their default address is 192.168.1.245.
12-11-2007 06:36 AM
Thanks Michael.
Your response and link were very helpful.
Tom