We have a Juniper Firewall with the following:
Eth0/1 Trust (LAN) - 192.168.1.0/24
Eth1/0 DMZ - 172.20.0.0/28
Eth1/1 DMZ2 - 172.30.0.0/27
There is a Cisco Router on 192.168.1.200
We are seeing a lot of IP Spoofing traffic on the Juniper Firewall. On investigation, we find that there is broadcast traffic from 172.30.0.2, 3 & 4 to 172.30.0.31 on ports 137 & 138. This occurs in random sequence, but at regular intervals. However, the reason it is IP Spoofing is that this traffic is generated from the trust zone (i.e. the 192.168.1.0 side). When we did a packet trace, we found that the MAC on the source IPs (172.30.0.2-4) was that of the Cisco Router.

The Cisco Router is connecting the Branch office (220.127.116.11/24) to HO. The Cisco Router has static routes of 172.20.0.0 & 172.30.0.0 to allow BO PCs to access servers in the DMZs.

We need to further investigate and find the source of this broadcast traffic. My query is: as I am not too familiar with the debug commands on the Cisco Router, how do I capture packets on the Cisco Router, filtered on source or destination IP/port? I also need further help in resolving the issue. Thanks in advance for any help.
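
Why the firewall labels this traffic as spoofing, as an added example that is not part of the original post: a simplified zone-based source check run over constructed packet records. The interface names and subnets come from the post; the MAC addresses, the sample packets and the function names are assumptions, and a real firewall validates sources against its full routing table rather than only its connected subnets.

```python
import ipaddress

# Interface -> (zone, connected subnet), as listed in the post.
ZONES = {
    "eth0/1": ("Trust", ipaddress.ip_network("192.168.1.0/24")),
    "eth1/0": ("DMZ", ipaddress.ip_network("172.20.0.0/28")),
    "eth1/1": ("DMZ2", ipaddress.ip_network("172.30.0.0/27")),
}
ROUTER_MAC = "00:00:5e:00:53:01"  # constructed placeholder, not the real router MAC

# Constructed packet records standing in for lines of a firewall packet trace.
SAMPLE = [
    {"in_if": "eth0/1", "src_mac": ROUTER_MAC, "src": "172.30.0.2",
     "dst": "172.30.0.31", "proto": "udp", "dport": 137},
    {"in_if": "eth0/1", "src_mac": "00:00:5e:00:53:22", "src": "192.168.1.50",
     "dst": "172.30.0.2", "proto": "tcp", "dport": 445},
]

def owning_interface(ip):
    """Return the interface whose connected subnet contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for ifname, (_zone, net) in ZONES.items():
        if addr in net:
            return ifname
    return None

def classify(pkt):
    """Simplified anti-spoof check: list what is suspicious about one packet."""
    findings = []
    home = owning_interface(pkt["src"])
    if home is not None and home != pkt["in_if"]:
        findings.append(f"spoof: src {pkt['src']} belongs on {home}, seen on {pkt['in_if']}")
    dst_if = owning_interface(pkt["dst"])
    if dst_if is not None:
        zone, net = ZONES[dst_if]
        if ipaddress.ip_address(pkt["dst"]) == net.broadcast_address:
            findings.append(f"directed broadcast for {zone} subnet {net}")
    if pkt["proto"] == "udp" and pkt["dport"] in (137, 138):
        findings.append("NetBIOS name/datagram service port")
    if pkt["src_mac"] == ROUTER_MAC:
        findings.append("frame came from the router's MAC: origin is the router or a host behind it")
    return findings

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt["src"], "->", pkt["dst"], classify(pkt) or "clean")
```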