Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Please help!

Can anyone explain why I'm getting this in my pix logs

2003-04-23 02:10:17 Local4.Warning 10.0.13.253 Apr 23 2003 02:09:03: %PIX-4-106023: Deny udp src inside:126.0.0.1/137 dst outside:210.11.0.10/137 by access-group "inbound-in"

We use a 10.0.0.0 range on our network.

126.0.0.0.1 is not a valid host on our network.

Thanks for any help!

-Jesse

5 REPLIES
Gold

Re: Please help!

Hi Jesse,

Looks like a Client/PC on your inside network is trying to access the outside, try to see if you can ping that address from the inside also port 137 is a NETBIOS Name Service used by UDP and TCP, in your case it's a UDP packet that is trying to access the Outside. Makesure that there isn't any PC's/Servers on your inside that is configured with the 126.0.0.1 IP address.

Hope this helps..

New Member

Re: Please help!

this should be very helpful to you.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemapa.htm

do a search on the message code....example in your case 106023.

hope this helps.

New Member

Re: Please help!

Yeah I guess I should have mentioned that I have tried to ping the 126.0.0.1 address and I do not get a response. I am currently sniffing all traffic that goes to the inside interface on my pix and I found that the data being sent is “A........... CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..!..

“ which appears to be a legitimate netbios broadcast. The only concern I have is that the 126.0.0.0 address scheme is not in use on our network and the it seems to be trying to get to 210.11.0.10 which is an address over in Asia (concern)

but atleast I know no damage is being done, cuase it is being blocked.

-Jesse

New Member

Re: Please help!

126.0.0.1 is sometimes used as a loop back address or other times for testing purposes. Traffic can source from a loop back adaptor or from a second NIC on a server and make its way onto the network. Because it is not a valid address on the network, traffic will never get back to the computer generating this traffic, but this does not stop the traffic from continuing to be sent out. More than likely, there is no malicious intent behind these packets. It’s probably a mis-configured server/workstation on your network. If this traffic follows a regular pattern, you may be able to track it down with the help of a sniffer. Go from VLAN to VLAN until you find the one the traffic is sourcing from. Then narrow down your span session until you find the source port. This may be a lot of work and its up to you whether it's worth the effort. You may be content that the traffic is being denied be the firewall.

New Member

Re: Please help!

Good info. Thanks for your reply. I’ve been applying access lists on our core router in an attempt to try to narrow it down to a physical link on the network. Also I have been utilizing port monitor (that’s how I was able to capture the data being sent with ethereal) that actual data that is being transmitted seems to be a legitimate NetBIOS query…I just don’t understand why it is directed at host 210.11.0.10 which I believe to be located in Australia.

Thanks for the info. Don’t know that I will spend much time on this….because I believe the traffic being transmitted is a legitimate query and not a worm or malicious attack.

-Jesse

186
Views
0
Helpful
5
Replies