New Member

How to trace Private IP addresses

I started to see ACL denied logs from private IP addresses (192.168.30.x, 192.168.20.x) that are not configured for this network. How can I find where these devices are connected to the network?

I'll appreciate any ideas. Thanks!

11 REPLIES

How to trace Private IP addresses

Can you tell us a little about what happened? Do you route for these networks or were they seen on the outside interface of your router? Do you have a vpn tunnel established with anyone?

HTH, John *** Please rate all useful posts ***
New Member

How to trace Private IP addresses

A week ago when I was reviewing the logs in the router, I started to see denied logs from private IPs that I don't know. The IPs (192.168.30.x and 192.168.20.x) are trying to get access to another private vlan (192.168.15.x) established for netbackup and that's configured in the router.

I don't have vpn tunnel.

How to trace Private IP addresses

It's going to be difficult to tell you other than if you don't know where they came from, as in you have no idea where this private subnet resides, then it's possibly someone trying to spoof an address as a private side address.

HTH, John *** Please rate all useful posts ***
New Member

How to trace Private IP addresses

okay, thanks!

If you think about something else that could help me to avoid this traffic, I'll appreciate it.

Gold

Re: How to trace Private IP addresses

Hi

You state that you find this in the logs.

What does the logfile tell you?

Where is the ACL set up? (what interface)

Some ISPs use "1918" addresses as transit networks.

So it could be a leakage from your ISP.

If so then just block them in your router/firewall.

Good luck

HTH

New Member

Re: How to trace Private IP addresses

I have a vlan for the netbackup (192.168.15.x) with a standard ACL 15 to allow only access to specific machines. I'm seeing the denied logs for 192.168.30.x, 192.168.20.x IPs in reference to that ACL 15.

We have an ISP but the IPs are in the 10.10.x.x range and the ISP is not connected to our network.

Yes, I'm blocking the traffic at the router.

Thanks!!

New Member

Re: How to trace Private IP addresses

Hi Maria, are those connections UDP or TCP? If they are UDP it might be servers at your ISP side. You might want to check with your ISP.

Best regards,

Willy

New Member

Re: How to trace Private IP addresses

The traffic should be TCP but I'll double check on that.

Thanks!

Gold

Re: How to trace Private IP addresses

Hi

Well

If you have hits on the ACL on an interface the traffic is generated somewhere in that direction.

So in this case the mystery traffic is generated somewhere at the same side as the netbackup.

So what I would do is to sniff the traffic so that you can find out the MAC address of the packets.

When you know the MAC address you can go and check out the switches to find out what interface the traffic is generated from.

When you know what interface, you know where to find the unit that generates/forwards the traffic.

Good luck

HTH

New Member

Re: How to trace Private IP addresses

Thanks Hobbe!

Yes, there's something wrong with the netbackup vlan. I'll check the traffic tomorrow, thanks!!

New Member

Re: How to trace Private IP addresses

If you're lucky and the router supports the 'log-input' keyword on ACLs, just change the "log" keyword on the ACL to "log-input" and the router will include the source MAC address in the syslog message.

For example, if you've got

access-list 15 permit tcp 192.168.1.0 0.0.0.255 any

access-list 15 deny ip any any log

change the last line to

access-list 15 deny ip any any log-input

and you'll get something like

%SEC-6-IPACCESSLOGP: list 15 denied tcp 192.168.30.10(6000) (G1 0009.1532.8029) -> 192.168.15.15(1024)

If the router doesn't support the 'log-input' keyword you're going to have to capture the offending traffic somehow and get the source MAC address that way.

Once you've got the source MAC address you do a 'sh mac-address-table address [whatever]' to find the switch port the traffic came from.

Regards,

Lee
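
The log-input approach above can be turned into a quick triage over collected syslog. This Python script is an added example, not part of any post in the thread or of Cisco tooling: it groups denied packets by ingress interface and source MAC so you know which MAC to look up on the switch. It assumes messages in the format shown above; the function names, timestamps, extra sample lines and the MAC 0011.2233.4455 are constructed for illustration.

```python
import re
from collections import defaultdict

# Shape of a log-input denial as shown in the thread:
#   list 15 denied tcp 192.168.30.10(6000) (G1 0009.1532.8029) -> 192.168.15.15(1024)
LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? "
    r"\((?P<intf>\S+) (?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample. Only the first message body comes from the thread; the
# timestamps, the other lines and the MAC 0011.2233.4455 are made up.
SAMPLE_LOG = """\
Mar  1 10:00:01: %SEC-6-IPACCESSLOGP: list 15 denied tcp 192.168.30.10(6000) (G1 0009.1532.8029) -> 192.168.15.15(1024), 1 packet
Mar  1 10:00:09: %SEC-6-IPACCESSLOGP: list 15 denied tcp 192.168.20.7(6001) (G1 0009.1532.8029) -> 192.168.15.15(1024), 1 packet
Mar  1 10:01:30: %SEC-6-IPACCESSLOGP: list 15 denied tcp 192.168.30.11(6002) (G1 0011.2233.4455) -> 192.168.15.16(1024), 1 packet
Mar  1 10:02:02: %SEC-6-IPACCESSLOGP: list 15 denied tcp 192.168.20.9(6003) -> 192.168.15.15(1024), 1 packet
Mar  1 10:02:40: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.30.10(6004) (G2 0009.1532.8029) -> 10.0.0.5(80), 1 packet
"""

def summarize(log_text, acl="15"):
    """Group denials for one ACL by (ingress interface, source MAC)."""
    hops = defaultdict(lambda: {"sources": set(), "targets": set(), "hits": 0})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None or m["acl"] != acl:
            continue  # plain "log" lines carry no MAC; other ACLs are ignored
        hop = hops[(m["intf"], m["mac"].lower())]
        hop["sources"].add(m["src"])
        hop["targets"].add(m["dst"])
        hop["hits"] += 1
    return dict(hops)

def report(hops):
    """One summary line per MAC plus the switch lookup named in the thread."""
    out = []
    for (intf, mac), h in sorted(hops.items(), key=lambda kv: -kv[1]["hits"]):
        # Several source IPs behind one MAC suggest a device forwarding the
        # traffic (or one host using several addresses), not a single origin.
        kind = "several source IPs" if len(h["sources"]) > 1 else "single source IP"
        out.append(f"{intf} {mac} hits={h['hits']} srcs={sorted(h['sources'])} ({kind})")
        out.append(f"  next: sh mac-address-table address {mac}")
    return out

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

A MAC that shows up with several source IPs is the last layer-2 hop toward the router, so the switch port it maps to may lead to another forwarding device rather than to the host itself.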
