pix syslog server

ali.asghar
Level 1

I keep getting this error: <163>May 19 2003 23:13:57: %PIX-3-106011: Deny inbound (No xlate) udp src outside:193.146.77.31/1027 dst outside:67.104.55.209/137

In the documentation it says it's a security breach, but I've been getting this for a while. Is it something I should be concerned about? Please advise.

Thanks

5 Replies

devam
Level 1

Hi,

I am also confused by this log message. If you compare the syslog message from the firewall with the documentation, even though the numbers are the same (i.e. 106011), the prefixes are different (i.e. the syslog levels are different). One is level 3 and the other is 7.

If you come across the solution, please let me know.

Thank you.

Murthy.

mostiguy
Level 6

It is probably a Windows box that is trying to resolve the name of that machine via a directed NetBIOS query for some reason. Does 67.104.55.209 offer any services to the outside world? Is it part of a global or static pool?

It's an IP out of the global range 67.104.55.209-67.104.55.222.

It does it not only to 209 but to other IPs as well. I do have Websense integrated with the PIX; could that be causing this? Thanks...

Since the IP is in use, it is probably just a directed NetBIOS name query.

If you want to see exactly what I am talking about, install Ethereal on a Windows machine. Start a capture, and open a command prompt.

Type nbtstat -a ip.address

You should see in Ethereal the UDP-based NetBIOS name service requests go out.

Windows tries these when other name resolution methods fail. A lot of sites block all outbound NetBIOS traffic, so that is why you don't see more of them.

Do you have reverse DNS entries for those IP addresses? That may be a contributing factor - when HTTP requests go from that IP to a Windows server, and it tries to log it and do a reverse DNS lookup, if that fails, Windows might try the directed NBNS query.

kdagostino
Level 1

I have received similar messages - more than likely you are being port scanned from a remote host trying to gain access to your network. Since it is UDP it is probably spoofed - so you will not be able to trace it. It is a form of DDoS attack.

http://.isc.incidents.org

Contact your ISP's abuse dept and see if they can assist in blocking the intruders. Other than that if you can find a way to stop them let me know too...
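
Added example, not part of any post above and not Cisco code: a small Python parser for the 106011 "Deny inbound (No xlate)" line quoted in the thread. It decodes the <163> syslog priority so it can be compared with the severity in the %PIX-3- tag, and tallies denies by destination service to show whether they are NetBIOS name queries (UDP/137). The function names and the second and third sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed input: line 1 is the message quoted in the thread; lines 2-3 are
# made up for illustration (192.0.2.0/24 is a documentation range).
SAMPLE = [
    "<163>May 19 2003 23:13:57: %PIX-3-106011: Deny inbound (No xlate) udp src outside:193.146.77.31/1027 dst outside:67.104.55.209/137",
    "<163>May 19 2003 23:14:02: %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.0.2.10/1031 dst outside:67.104.55.210/137",
    "<163>May 19 2003 23:14:09: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:192.0.2.77/4021 dst outside:67.104.55.209/445",
]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>.+?): %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): "
    r"Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)\s*$"
)

def parse_line(line):
    """Return a dict for a 'Deny inbound (No xlate)' line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Syslog PRI = facility * 8 + severity, so <163> is facility 20 (local4), severity 3.
    rec["facility"], rec["pri_severity"] = divmod(int(rec["pri"]), 8)
    rec["tag_severity"] = int(rec["sev"])
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    # UDP/137 is the NetBIOS name service, the port "nbtstat -a" queries.
    rec["netbios_ns"] = rec["proto"].lower() == "udp" and rec["dport"] == 137
    return rec

def summarize(lines):
    """Count denies per (protocol, destination port) and collect NBNS sources."""
    by_service, nbns_sources, skipped = Counter(), set(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        by_service[(rec["proto"].lower(), rec["dport"])] += 1
        if rec["netbios_ns"]:
            nbns_sources.add(rec["sip"])
    return {"by_service": by_service, "nbns_sources": nbns_sources, "skipped": skipped}

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for (proto, port), n in report["by_service"].most_common():
        print(f"{proto}/{port}: {n}")
    print("NBNS sources:", sorted(report["nbns_sources"]))
```
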
