Assistance tracing host on 172.24... host

Unanswered Question
May 20th, 2008

Hello, I noticed a large amount of denied ICMP packets showing in our syslog that are originated from and destined for IP addresses not on our network.

"Deny icmp src <inside-vlan-interface>:172.24.3.30 dst <outside-interface>:172.24.3.17 (type 8, code 0) by access-group "inside_ACL_in" [0x0, 0x0].

We do have the IP range 172.16.x.x, but it is for MPLS traffic; all our internal IP addresses are on 192.x.x.x or 10.x.x.x.

Do you guys have any ideas how to start troubleshooting this? Traceroute to either of these two IP addresses does not go any further than some of the ISP's routers. Could you please provide info about any tool(s) that might be useful in trying to find the source of this traffic? Would NetFlow help with this? Thanks
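One way to start the triage asked about above, as an added example that is not from this thread: parse the ACL-deny syslog message in the format quoted in the question, drop sources that fall inside the ranges the poster lists as internal, and count what remains by ingress interface and source address. The syslog message IDs and the sample lines are constructed, not taken from the poster's firewall.

```python
import ipaddress
import re
from collections import Counter

# Body of the ASA/PIX ACL-deny syslog message, in the shape quoted in the question.
# ICMP lines carry "(type N, code N)"; TCP/UDP lines carry "/port" after each address.
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/\d+)? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/\d+)?'
    r'(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"'
)

# Address space the poster describes as legitimately internal (10.x, 192.x, 172.16.x.x for MPLS).
INTERNAL = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.0.0.0/8", "172.16.0.0/16")]


def parse_deny(line):
    """Return the fields of one ACL-deny line, or None if the line is something else."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def is_internal(ip):
    """True if ip belongs to one of the INTERNAL prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def foreign_sources(lines):
    """Count denied flows whose source is outside every internal prefix, keyed by
    (ingress interface, src ip, dst ip, proto). A source seen on an inside-facing
    interface that is not in any internal range points at the VLAN to trace next."""
    hits = Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec and not is_internal(rec["src_ip"]):
            hits[(rec["src_if"], rec["src_ip"], rec["dst_ip"], rec["proto"])] += 1
    return hits


# Constructed sample log lines (message IDs assumed; addresses are documentation/test ranges).
SAMPLE = [
    '%ASA-4-106023: Deny icmp src inside:172.24.3.30 dst outside:172.24.3.17 (type 8, code 0) by access-group "inside_ACL_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny icmp src inside:172.24.3.30 dst outside:172.24.3.17 (type 8, code 0) by access-group "inside_ACL_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:10.1.5.9/51000 dst outside:203.0.113.8/23 by access-group "inside_ACL_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src dmz:172.24.9.2/5353 dst outside:198.51.100.4/53 by access-group "dmz_ACL_in" [0x0, 0x0]',
    '%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.8/443 (203.0.113.8/443) to inside:10.1.5.9/40001 (192.0.2.1/40001)',
]

if __name__ == "__main__":
    for key, n in foreign_sources(SAMPLE).most_common():
        print(n, *key)
```

Run it against the firewall's syslog export instead of SAMPLE; the ingress interface of the top entry is the segment to put a temporary ACL or a span session on.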

mchin345 Mon, 05/26/2008 - 13:20

You won't be able to traceroute the particular network when you have enabled ICMP blocking in your network.

Dragan Milojevic Mon, 05/26/2008 - 14:08

I was able to tracert from the outside interface up to three hops to one of the MPLS routers. Then I implemented a temporary ACL preventing traffic from 172.24, then checked the debug on the firewall until I noticed there was no more denied ICMP from 172.24.

After that I was able to pinpoint the network where this IP address was located. After that I talked to the ISP and we managed to stop this from happening.

Yes, I had to disable ICMP blocking first.

Thanks
