Cisco Support Community

Local 4 warning

Hell-o,

Just installed the Kiwi Syslog daemon. Receiving a warning message and was wondering if someone could interpret the message. As I understand it, it is only a warning, but because it involves our PIX 515e firewall I wanted to try and follow up on it. The local 4 warning message reads:

Deny upd src outside:209.1.222.245/53 dst inside 198.137.151.1/1042 by access-group "acl_outside".

Is this something I should be concerned about?

TIA,

Gary

5 REPLIES

Re: Local 4 warning

Port 53 is DNS. Looks like 209.1.222.245 is replying to a DNS request from 198.137.151.1, but the PIX already closed that xlate connection (another DNS server probably replied to the request before this one did and so the PIX closed the open connection). If it is a one-off event I wouldn't worry about it, but if it is continual, look into who is sending the packet and why it's going to 198.137.151.1 (e.g., stop 198.137.151.1 from sending DNS requests or contact 209.1.222.245 to find out why it's sending DNS to you).

Hope it helps.

Steve


Re: Local 4 warning

It is continual; I received over 300 warnings in one hour. The replies are from varying IPs but the requests are from 198.137.151.1 and 198.137.151.26 only? Will try and gather some more info and get back to you. Thanks very much for the information.

Gary


Re: Local 4 warning

Steve,

Here is a small piece of the syslog the PIX515e is generating...

2002-11-01 13:12:20 Local4.Warning 10.0.0.1 Nov 01 2002 14:18:59: %PIX-4-106023: Deny udp src outside:209.211.237.83/43086 dst inside:198.137.151.1/40000 by access-group "acl_outside"

2002-11-01 13:12:26 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:06: %PIX-4-106023: Deny udp src outside:209.211.237.83/41746 dst inside:198.137.151.1/40000 by access-group "acl_outside"

2002-11-01 13:12:29 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:09: %PIX-4-106023: Deny udp src outside:209.211.237.83/42897 dst inside:198.137.151.1/40000 by access-group "acl_outside"

2002-11-01 13:12:31 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:11: %PIX-4-106023: Deny udp src outside:138.113.128.8/4582 dst inside:198.137.151.26/53 by access-group "acl_outside"

2002-11-01 13:12:32 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:12: %PIX-4-106023: Deny udp src outside:209.211.237.83/42579 dst inside:198.137.151.1/40000 by access-group "acl_outside"

2002-11-01 13:12:35 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:15: %PIX-4-106023: Deny udp src outside:209.211.237.83/41024 dst inside:198.137.151.1/40000 by access-group "acl_outside"

2002-11-01 13:12:35 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:15: %PIX-4-106023: Deny udp src outside:209.211.237.83/41398 dst inside:198.137.151.1/40000 by access-group "acl_outside"

2002-11-01 13:12:35 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:15: %PIX-4-106023: Deny udp src outside:209.211.237.83/40477 dst inside:198.137.151.1/40000 by access-group "acl_outside"

2002-11-01 13:12:35 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:15: %PIX-4-106023: Deny udp src outside:209.211.237.83/42709 dst inside:198.137.151.1/40000 by access-group "acl_outside"

2002-11-01 13:12:43 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:23: %PIX-4-106023: Deny udp src outside:138.113.4.3/1260 dst inside:198.137.151.26/53 by access-group "acl_outside"

2002-11-01 13:12:43 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:23: %PIX-4-106023: Deny udp src outside:138.113.4.3/1260 dst inside:198.137.151.26/53 by access-group "acl_outside"

2002-11-01 13:12:43 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:23: %PIX-4-106023: Deny udp src outside:138.113.4.3/1260 dst inside:198.137.151.26/53 by access-group "acl_outside"

2002-11-01 13:12:46 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:26: %PIX-4-106023: Deny udp src outside:138.113.4.4/1035 dst inside:198.137.151.26/53 by access-group "acl_outside"

2002-11-01 13:12:47 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:26: %PIX-4-106023: Deny udp src outside:138.113.4.4/1035 dst inside:198.137.151.26/53 by access-group "acl_outside"

2002-11-01 13:12:47 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:26: %PIX-4-106023: Deny udp src outside:138.113.4.4/1035 dst inside:198.137.151.26/53 by access-group "acl_outside"

2002-11-01 13:12:50 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:29: %PIX-4-106023: Deny udp src outside:138.113.16.9/3705 dst inside:198.137.151.26/53 by access-group "acl_outside"

2002-11-01 13:12:53 Local4.Error 10.0.0.1 Nov 01 2002 14:19:32: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:205.158.108.194 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:12:53 Local4.Error 10.0.0.1 Nov 01 2002 14:19:32: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:204.176.88.5 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:12:53 Local4.Error 10.0.0.1 Nov 01 2002 14:19:32: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:208.254.75.130 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:12:53 Local4.Error 10.0.0.1 Nov 01 2002 14:19:32: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:198.5.148.6 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:12:53 Local4.Error 10.0.0.1 Nov 01 2002 14:19:32: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:63.123.77.194 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:12:53 Local4.Error 10.0.0.1 Nov 01 2002 14:19:32: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:64.14.117.10 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:12:53 Local4.Error 10.0.0.1 Nov 01 2002 14:19:32: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:208.185.54.14 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:12:53 Local4.Error 10.0.0.1 Nov 01 2002 14:19:32: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:64.15.251.198 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:12:53 Local4.Error 10.0.0.1 Nov 01 2002 14:19:32: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:65.214.50.130 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:12:53 Local4.Error 10.0.0.1 Nov 01 2002 14:19:32: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:64.0.96.12 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:12:53 Local4.Error 10.0.0.1 Nov 01 2002 14:19:32: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:212.62.17.145 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:12:53 Local4.Error 10.0.0.1 Nov 01 2002 14:19:32: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:213.61.6.2 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:13:02 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:42: %PIX-4-106023: Deny icmp src outside:203.181.248.27 dst inside:198.137.151.18 (type 8, code 0) by access-group "acl_outside"

2002-11-01 13:13:03 Local4.Error 10.0.0.1 Nov 01 2002 14:19:42: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:205.158.108.194 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:13:03 Local4.Error 10.0.0.1 Nov 01 2002 14:19:42: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:204.176.88.5 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:13:03 Local4.Error 10.0.0.1 Nov 01 2002 14:19:42: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:63.123.77.194 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:13:03 Local4.Error 10.0.0.1 Nov 01 2002 14:19:42: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:208.254.75.130 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:13:03 Local4.Error 10.0.0.1 Nov 01 2002 14:19:42: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:198.5.148.6 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:13:03 Local4.Error 10.0.0.1 Nov 01 2002 14:19:42: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:65.214.50.130 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:13:03 Local4.Error 10.0.0.1 Nov 01 2002 14:19:42: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:64.14.117.10 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:13:03 Local4.Error 10.0.0.1 Nov 01 2002 14:19:42: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:64.15.251.198 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:13:03 Local4.Error 10.0.0.1 Nov 01 2002 14:19:42: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:208.185.54.14 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:13:03 Local4.Error 10.0.0.1 Nov 01 2002 14:19:42: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:212.62.17.145 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:13:03 Local4.Error 10.0.0.1 Nov 01 2002 14:19:42: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:64.0.96.12 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:13:03 Local4.Error 10.0.0.1 Nov 01 2002 14:19:42: %PIX-3-106011: Deny inbound (No xlate) icmp src outside:213.61.6.2 dst outside:198.137.151.251 (type 8, code 0)

2002-11-01 13:13:05 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:44: %PIX-4-106023: Deny icmp src outside:203.181.248.27 dst inside:198.137.151.18 (type 8, code 0) by access-group "acl_outside"

2002-11-01 13:13:07 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:47: %PIX-4-106023: Deny icmp src outside:203.181.248.27 dst inside:198.137.151.18 (type 8, code 0) by access-group "acl_outside"

2002-11-01 13:13:09 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:49: %PIX-4-106023: Deny icmp src outside:203.181.248.27 dst inside:198.137.151.18 (type 8, code 0) by access-group "acl_outside"

2002-11-01 13:13:12 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:52: %PIX-4-106023: Deny icmp src outside:203.181.248.27 dst inside:198.137.151.18 (type 8, code 0) by access-group "acl_outside"

2002-1

Re: Local 4 warning

1) Most of it looks like normal internet traffic getting blocked (i.e., lots of pings and a few other misc. ports).

2) As for your DNS blocks (based on your previous posts), look into why 198.137.151.1 is going outside for DNS. If you don't want it to, stop it from doing so: stop the service or prevent it from going to the internet (point it to another local DNS server). Your action depends on what that server is and whether it's legit traffic.

You can also contact the company that owns 209.1.222.245 to find out why it's sending DNS to you (most likely this is a DNS server just replying to your host requesting DNS), and request them to stop. Either way, this is more of a bother than a security concern.

3) Based on the above acl denies in this last post:

2002-11-01 13:12:43 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:23: %PIX-4-106023: Deny udp src outside:138.113.4.3/1260 dst inside:198.137.151.26/53 by access-group "acl_outside"

2002-11-01 13:12:43 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:23: %PIX-4-106023: Deny udp src outside:138.113.4.3/1260 dst inside:198.137.151.26/53 by access-group "acl_outside"

2002-11-01 13:12:43 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:23: %PIX-4-106023: Deny udp src outside:138.113.4.3/1260 dst inside:198.137.151.26/53 by access-group "acl_outside"

2002-11-01 13:12:46 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:26: %PIX-4-106023: Deny udp src outside:138.113.4.4/1035 dst inside:198.137.151.26/53 by access-group "acl_outside"

2002-11-01 13:12:47 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:26: %PIX-4-106023: Deny udp src outside:138.113.4.4/1035 dst inside:198.137.151.26/53 by access-group "acl_outside"

2002-11-01 13:12:47 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:26: %PIX-4-106023: Deny udp src outside:138.113.4.4/1035 dst inside:198.137.151.26/53 by access-group "acl_outside"

2002-11-01 13:12:50 Local4.Warning 10.0.0.1 Nov 01 2002 14:19:29: %PIX-4-106023: Deny udp src outside:138.113.16.9/3705 dst inside:198.137.151.26/53 by access-group "acl_outside"

Looks like those outside hosts (the 138.x.x.x network) are trying to send DNS requests to your network host 198.137.151.26. It appears the internet (or that network at least) believes that your IP is a public DNS server.

Steve
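The triage done by eye in the replies above can be scripted. This is an added example, not part of the original thread: it parses %PIX-4-106023 and %PIX-3-106011 deny lines and groups the source addresses by traffic type and destination. The label names and the `classify`/`summarize` helpers are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Lines copied from the thread; the first is the opening post's message
# retyped in the %PIX-4-106023 layout (constructed for this example).
SAMPLE = '''\
%PIX-4-106023: Deny udp src outside:209.1.222.245/53 dst inside:198.137.151.1/1042 by access-group "acl_outside"
%PIX-4-106023: Deny udp src outside:209.211.237.83/43086 dst inside:198.137.151.1/40000 by access-group "acl_outside"
%PIX-4-106023: Deny udp src outside:138.113.4.3/1260 dst inside:198.137.151.26/53 by access-group "acl_outside"
%PIX-4-106023: Deny udp src outside:138.113.4.4/1035 dst inside:198.137.151.26/53 by access-group "acl_outside"
%PIX-3-106011: Deny inbound (No xlate) icmp src outside:205.158.108.194 dst outside:198.137.151.251 (type 8, code 0)
%PIX-3-106011: Deny inbound (No xlate) icmp src outside:204.176.88.5 dst outside:198.137.151.251 (type 8, code 0)
%PIX-4-106023: Deny icmp src outside:203.181.248.27 dst inside:198.137.151.18 (type 8, code 0) by access-group "acl_outside"
'''

# Covers both message ids; ports exist only for udp/tcp, type/code only for icmp.
DENY = re.compile(
    r'%PIX-\d-(?P<id>106023|106011): Deny (?:inbound \(No xlate\) )?'
    r'(?P<proto>\w+) src \w+:(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst \w+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<itype>\d+), code \d+\))?')

def classify(m):
    """Label one deny using the reasoning in the replies above (hypothetical labels)."""
    if m['proto'] == 'udp' and m['dport'] == '53':
        return 'dns-query-to-inside-host'      # outside host treats dst as a DNS server
    if m['proto'] == 'udp' and m['sport'] == '53':
        return 'dns-reply-without-open-conn'   # late or unsolicited DNS answer
    if m['proto'] == 'icmp' and m['itype'] == '8':
        return 'icmp-echo-request'             # ping
    return 'other'

def summarize(text):
    """Return {(label, dst_ip): set of source IPs} for every parsed deny line."""
    out = defaultdict(set)
    for line in text.splitlines():
        m = DENY.search(line)
        if m:
            out[(classify(m), m['dst'])].add(m['src'])
    return dict(out)

if __name__ == '__main__':
    for (label, dst), srcs in sorted(summarize(SAMPLE).items()):
        print(f'{label:28} {dst:16} {len(srcs)} source(s)')
```

Many distinct sources under one `dns-query-to-inside-host` destination is the pattern the reply reads as the outside world treating that address as a public DNS server.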


Re: Local 4 warning

Yes, you are exactly correct. The 198.137.151.1 is our external DNS server. Will follow up as you suggest and greatly, greatly appreciate your help.

Gary
