Cisco Support Community
Community Member

pix syslog server

I keep getting this error: <163>May 19 2003 23:13:57: %PIX-3-106011: Deny inbound (No xlate) udp src outside: dst outside:

In the documentation it says it's a security breach, but I've been getting this for a while. Is it something I should be concerned about? Please advise.


Community Member

Re: pix syslog server


I am also confused by this log message. If you compare the syslog message from the firewall with the documentation, even though the numbers are the same (i.e. 106011), the prefixes are different (i.e. the syslog levels are different). One is level 3 and the other is 7.

If you come across the solution please let me know.

Thank you.



Re: pix syslog server

It is probably a Windows box that is trying to resolve the name of that machine via a directed NetBIOS query for some reason. Does offer any services to the outside world? Is it part of a global or static pool?

Community Member

Re: pix syslog server

It's the IP out of the global range.

It does it not only to 209, but to other IPs as well. I do have Websense integrated with the PIX; could that be causing this? Thanks...


Re: pix syslog server

Since the IP is in use, it is probably just a directed NetBIOS name query.

If you want to see exactly what I am talking about, install Ethereal on a Windows machine. Start a capture, and open a command prompt.

Type nbtstat -a ip.address

You should see in Ethereal the UDP-based NetBIOS name service requests go out.

Windows tries these when other name resolution methods fail. A lot of sites block all outbound NetBIOS traffic, so that is why you don't see more of them.

Do you have reverse DNS entries for those IP addresses? That may be a contributing factor: when HTTP requests go from that IP to a Windows server, and it tries to log it and do a reverse DNS lookup, if that fails, Windows might try the directed NBNS query.

Community Member

Re: pix syslog server

I have received similar messages - more than likely you are being port scanned from a remote host trying to gain access to your network. Since it is UDP it is probably spoofed - so you will not be able to trace it. It is a form of DDoS attack.

Contact your ISP's abuse dept and see if they can assist in blocking the intruders. Other than that if you can find a way to stop them let me know too...
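
A triage sketch for the messages discussed in this thread, added here as an example and not part of any poster's reply: it decodes the <163> priority prefix (PRI = facility*8 + severity) against the level in the %PIX-3- tag, and tallies denied packets by destination port and source, so you can see whether they cluster on UDP 137 (NetBIOS name service) or spread across many ports. The sample lines, addresses and ports are constructed, and the ip/port layout after src/dst is an assumption, since the addresses are missing from the message quoted above.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the thread; addresses are
# documentation-range placeholders and the ip/port layout is assumed.
SAMPLE = """\
<163>May 19 2003 23:13:57: %PIX-3-106011: Deny inbound (No xlate) udp src outside:198.51.100.7/137 dst outside:192.0.2.10/137
<163>May 19 2003 23:14:02: %PIX-3-106011: Deny inbound (No xlate) udp src outside:198.51.100.7/137 dst outside:192.0.2.11/137
<163>May 19 2003 23:15:40: %PIX-3-106011: Deny inbound (No xlate) udp src outside:203.0.113.9/1025 dst outside:192.0.2.10/137
<163>May 19 2003 23:16:11: %PIX-3-106011: Deny inbound (No xlate) udp src outside:203.0.113.50/4000 dst outside:192.0.2.10/1434
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>.+?): %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): "
    r"Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity)."""
    return divmod(pri, 8)

def parse(line):
    """Return a dict of fields for a 106011 line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["facility"], rec["pri_severity"] = decode_pri(int(rec["pri"]))
    # The level in the %PIX-n- tag should agree with the low three bits of PRI.
    rec["severity_consistent"] = rec["pri_severity"] == int(rec["sev"])
    return rec

def summarize(text):
    """Parse all lines and count hits per (protocol, destination port) and per source."""
    recs = [r for r in map(parse, text.splitlines()) if r]
    by_dport = Counter((r["proto"], int(r["dport"])) for r in recs)
    by_src = Counter(r["src"] for r in recs)
    return recs, by_dport, by_src

if __name__ == "__main__":
    recs, by_dport, by_src = summarize(SAMPLE)
    print("facility/severity of first line:", recs[0]["facility"], recs[0]["pri_severity"])
    print("by destination port:", by_dport.most_common())
    print("by source:", by_src.most_common())
```

For the quoted message, 163 decodes to facility 20 (local4) and severity 3, which matches the 3 in %PIX-3-106011.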
