I have been examining some syslog output from an Inside perimeter ASA. He is sending out notifications due to the fact that he does not have a translation group for two addresses, which are 192.168.87.1 and 192.168.108.1 respectively.
These are not valid addresses on our network. We have a Core switch behind the Inside Interface of our Inside Perimeter ASA, and we have VLANs configured in ranges 192.168.1.0 through 192.168.20.0, but nothing beyond that.
I am able to set a sniffer and capture traffic being generated with the 87.1 and 108.1 source addresses in the packets, and it is port 137. Our Windows domain controller gives an answer back to these two addresses with respect to the customer's domain name.
When I perform a sho arp on the ASA, it has no record of 87.1 or 108.1.
Also, I cannot ping the addresses from either the Core switch, which is routing the VLANs, or the ASA.
The sniffer shows the source MAC address, and when I do a sho mac- | inc 84bf, it gives me back all of my VLAN interfaces.
Does anyone have any suggestions as to what I may be able to do to track where these bogus IPs are originating from?