Assistance tracing host on 172.24... host

May 20th, 2008

Hello, I noticed a large amount of denied ICMP packets showing in our syslog that are originated from and destined for IP addresses not on our network.

"Deny icmp src <inside-vlan-interface>: dst <outside-interface>: (type 8, code 0) by access-group "inside_ACL_in" [0x0, 0x0].

We do have an IP range of 172.16.x.x, but it is for MPLS traffic; all our internal IP addresses are on 192.x.x.x or 10.x.x.x.

Do you guys have any ideas how to start troubleshooting this? Traceroute to either of these two IP addresses does not go any further than some of the ISP's routers. Could you please provide info about any tool(s) that might be useful in trying to find the source of this traffic. Would NetFlow help with this? Thanks.

mchin345 Mon, 05/26/2008 - 13:20

You can't traceroute the particular network when you have enabled ICMP blocking in your network.

Dragan Milojevic Mon, 05/26/2008 - 14:08

I was able to tracert from the outside interface up to three hops to one of the MPLS routers. Then I implemented a temporary ACL preventing traffic from 172.24, and checked the debug on the firewall until I noticed there were no more denied ICMP packets from 172.24.

After that I was able to pinpoint the network where this IP address was located. After that I talked to the ISP and we managed to stop this from happening.

Yes, I had to disable ICMP blocking first.
