pix syslog server

Unanswered Question
May 20th, 2003

I keep getting this error: <163>May 19 2003 23:13:57: %PIX-3-106011: Deny inbound (No xlate) udp src outside:193.146.77.31/1027 dst outside:67.104.55.209/137

In the documentation it says it's a security breach, but I've been getting this for a while. Is it something I should be concerned about? Please advise.

Thanks


Hi,


I am also confused by this log message. If you compare the syslog message from the firewall with the documentation, even though the numbers are the same (i.e. 106011), the prefixes are different (i.e. the syslog levels are different). One is level 3 and the other is 7.


If you come across the solution, please let me know.


Thank you.

Murthy.

ali.asghar Wed, 05/21/2003 - 07:44

It's the IP out of the global range 67.104.55.209-67.104.55.222.

It not only does it to 209, but also other IPs as well. I do have Websense integrated with PIX, could that be causing this? Thanks...

Since the IP is in use, it is probably just a directed NetBIOS name query.


If you want to see exactly what I am talking about, install Ethereal on a Windows machine. Start a capture, and open a command prompt.


Type nbtstat -a ip.address


You should see in Ethereal the UDP-based NetBIOS name service requests go out.


Windows tries these when other name resolution methods fail. A lot of sites block all outbound NetBIOS traffic, so that is why you don't see more of them.


Do you have reverse DNS entries for those IP addresses? That may be a contributing factor - when HTTP requests go from that IP to a Windows server, and it tries to log it, and do a reverse DNS lookup, if that fails, Windows might try the directed NBNS query.

kdagostino Fri, 05/23/2003 - 07:39

I have received similar type messages - more than likely you are being port scanned from a remote host trying to gain access to your network. Since it is UDP it is probably spoofed - so you will not be able to trace to it. It is a form of DDOS attack.


http://.isc.incidents.org


Contact your ISP's abuse dept and see if they can assist in blocking the intruders. Other than that if you can find a way to stop them let me know too...
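
The log line from the question can be taken apart mechanically: the `<163>` priority value decodes to the same level 3 shown in the `%PIX-3-` prefix, and a per-source tally shows how many destinations and ports each sender touched. This is an added example, not part of any post in the thread; the function names are hypothetical and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# First entry is the message quoted in the question; the rest are constructed samples.
SAMPLE = [
    "<163>May 19 2003 23:13:57: %PIX-3-106011: Deny inbound (No xlate) udp "
    "src outside:193.146.77.31/1027 dst outside:67.104.55.209/137",
    "<163>May 19 2003 23:14:05: %PIX-3-106011: Deny inbound (No xlate) udp "
    "src outside:193.146.77.31/1027 dst outside:67.104.55.210/137",
    "<163>May 19 2003 23:20:41: %PIX-3-106011: Deny inbound (No xlate) udp "
    "src outside:198.51.100.7/1030 dst outside:67.104.55.209/137",
    "<166>May 19 2003 23:21:00: unrelated constructed line",
]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>.+?): %PIX-(?P<level>[0-7])-106011: "
    r"Deny inbound \(No xlate\) (?P<proto>\S+) "
    r"src (?P<sif>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)$"
)

def parse_106011(line):
    """Return the fields of a 106011 'No xlate' line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    pri = int(rec["pri"])
    # Syslog PRI = facility * 8 + severity, so <163> is facility 20, severity 3.
    rec["facility"], rec["severity"] = pri >> 3, pri & 7
    rec["level_matches_pri"] = rec["severity"] == int(rec["level"])
    rec["dport"] = int(rec["dport"])
    return rec

def summarize(lines):
    """Per source address: hit count, distinct destinations, distinct destination ports."""
    seen = defaultdict(lambda: {"count": 0, "dsts": set(), "dports": set()})
    for line in lines:
        rec = parse_106011(line)
        if rec is None:
            continue  # not a 106011 line; skip rather than guess at its format
        entry = seen[rec["src"]]
        entry["count"] += 1
        entry["dsts"].add(rec["dst"])
        entry["dports"].add(rec["dport"])
    return dict(seen)

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info["count"], sorted(info["dsts"]), sorted(info["dports"]))
```

A source that only ever hits UDP 137 on addresses in the global range fits the directed NetBIOS name query explanation given above; one source reaching many different ports is what a sweep would look like.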
