Please help!

jlepich · ‎04-25-2003

Can anyone explain why I'm getting this in my pix logs

2003-04-23 02:10:17 Local4.Warning 10.0.13.253 Apr 23 2003 02:09:03: %PIX-4-106023: Deny udp src inside:126.0.0.1/137 dst outside:210.11.0.10/137 by access-group "inbound-in"

We use a 10.0.0.0 range on our network.

126.0.0.0.1 is not a valid host on our network.

Thanks for any help!

-Jesse

jmia · ‎04-25-2003

Hi Jesse,

Looks like a Client/PC on your inside network is trying to access the outside, try to see if you can ping that address from the inside also port 137 is a NETBIOS Name Service used by UDP and TCP, in your case it's a UDP packet that is trying to access the Outside. Makesure that there isn't any PC's/Servers on your inside that is configured with the 126.0.0.1 IP address.

Hope this helps..

b-pelphrey · ‎04-25-2003

this should be very helpful to you.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemapa.htm

do a search on the message code....example in your case 106023.

hope this helps.

jlepich · ‎04-25-2003

Yeah I guess I should have mentioned that I have tried to ping the 126.0.0.1 address and I do not get a response. I am currently sniffing all traffic that goes to the inside interface on my pix and I found that the data being sent is “A........... CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..!..

“ which appears to be a legitimate netbios broadcast. The only concern I have is that the 126.0.0.0 address scheme is not in use on our network and the it seems to be trying to get to 210.11.0.10 which is an address over in Asia (concern)

but atleast I know no damage is being done, cuase it is being blocked.

-Jesse

mike.braun · ‎04-25-2003

126.0.0.1 is sometimes used as a loop back address or other times for testing purposes. Traffic can source from a loop back adaptor or from a second NIC on a server and make its way onto the network. Because it is not a valid address on the network, traffic will never get back to the computer generating this traffic, but this does not stop the traffic from continuing to be sent out. More than likely, there is no malicious intent behind these packets. It’s probably a mis-configured server/workstation on your network. If this traffic follows a regular pattern, you may be able to track it down with the help of a sniffer. Go from VLAN to VLAN until you find the one the traffic is sourcing from. Then narrow down your span session until you find the source port. This may be a lot of work and its up to you whether it's worth the effort. You may be content that the traffic is being denied be the firewall.

jlepich · ‎04-25-2003

Good info. Thanks for your reply. I’ve been applying access lists on our core router in an attempt to try to narrow it down to a physical link on the network. Also I have been utilizing port monitor (that’s how I was able to capture the data being sent with ethereal) that actual data that is being transmitted seems to be a legitimate NetBIOS query…I just don’t understand why it is directed at host 210.11.0.10 which I believe to be located in Australia.

Thanks for the info. Don’t know that I will spend much time on this….because I believe the traffic being transmitted is a legitimate query and not a worm or malicious attack.

-Jesse