Looks like a client/PC on your inside network is trying to access the outside. Try to see if you can ping that address from the inside. Also, port 137 is the NetBIOS Name Service, used by UDP and TCP; in your case it's a UDP packet that is trying to access the outside. Make sure that there aren't any PCs/servers on your inside that are configured with the 22.214.171.124 IP address.
Yeah I guess I should have mentioned that I have tried to ping the 126.96.36.199 address and I do not get a response. I am currently sniffing all traffic that goes to the inside interface on my pix and I found that the data being sent is A........... CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..!..
which appears to be a legitimate NetBIOS broadcast. The only concern I have is that the 188.8.131.52 address scheme is not in use on our network and it seems to be trying to get to 184.108.40.206, which is an address over in Asia (concern),
but at least I know no damage is being done, because it is being blocked.
220.127.116.11 is sometimes used as a loop back address or other times for testing purposes. Traffic can source from a loop back adaptor or from a second NIC on a server and make its way onto the network. Because it is not a valid address on the network, traffic will never get back to the computer generating this traffic, but this does not stop the traffic from continuing to be sent out. More than likely, there is no malicious intent behind these packets. It's probably a mis-configured server/workstation on your network. If this traffic follows a regular pattern, you may be able to track it down with the help of a sniffer. Go from VLAN to VLAN until you find the one the traffic is sourcing from. Then narrow down your span session until you find the source port. This may be a lot of work and it's up to you whether it's worth the effort. You may be content that the traffic is being denied by the firewall.
Good info. Thanks for your reply. I've been applying access lists on our core router in an attempt to try to narrow it down to a physical link on the network. Also, I have been utilizing port monitor (that's how I was able to capture the data being sent with Ethereal). The actual data that is being transmitted seems to be a legitimate NetBIOS query; I just don't understand why it is directed at host 18.104.22.168, which I believe to be located in Australia.
Thanks for the info. Don't know that I will spend much time on this, because I believe the traffic being transmitted is a legitimate query and not a worm or malicious attack.
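An added example, not part of any post in this thread: a small Python parser for the kind of NetBIOS Name Service (UDP 137) payload quoted above. It reverses the RFC 1001 first-level name encoding and reads the question type; the sample packet is constructed to match the printable characters in the capture, and its transaction ID and flags are assumptions.

```python
import struct

# Question types from RFC 1002
QTYPES = {0x0020: "NB (name query)", 0x0021: "NBSTAT (node status request)"}


def decode_nb_name(encoded):
    """Reverse first-level encoding: 32 letters 'A'-'P' -> 16 raw bytes."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("byte outside the A-P alphabet")
        raw.append((hi << 4) | lo)
    # Bytes 0-14 are the name (space or NUL padded); byte 15 is the suffix.
    name = bytes(raw[:15]).rstrip(b" \x00").decode("ascii", "replace")
    return name, raw[15]


def parse_nbns_question(payload):
    """Parse the header and first question of an NBNS packet."""
    if len(payload) < 50:  # 12 header + 1 len + 32 name + 1 end + 4 type/class
        raise ValueError("too short for an NBNS question")
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("unexpected name label layout")
    name, suffix = decode_nb_name(payload[13:45])
    qtype, qclass = struct.unpack("!2H", payload[46:50])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "questions": qdcount,
        "name": name,
        "suffix": suffix,
        "qtype": qtype,
        "qtype_name": QTYPES.get(qtype, "unknown"),
        "qclass": qclass,
    }


# Constructed sample: header values are assumed; the name and trailing
# "..!.." (00 21 00 01) follow the printable characters quoted in the thread.
SAMPLE = (struct.pack("!6H", 0x4100, 0x0000, 1, 0, 0, 0)
          + b"\x20" + b"CK" + b"A" * 30 + b"\x00" + b"\x00\x21\x00\x01")

if __name__ == "__main__":
    for key, value in parse_nbns_question(SAMPLE).items():
        print(f"{key}: {value!r}")
```

The encoded name `CKAAAA...` decodes to the wildcard name `*`, and a `!` (0x21) in the type field marks the packet as a node status request rather than an ordinary name query.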