Cisco Support Community
Community Member

Spoofed PAT IP?

Hey everyone,

Recently I applied an ACL to the WAN interface of one of our routers. One of the entries, which is also log-enabled, blocks access to the inside global PAT address, basically denying access to any traffic that originates from the PAT address. Soon after applying the ACL, upon reviewing the logs, I discovered that periodic access from the inside global to the inside global is being blocked on UDP 6881. In other words, it appears that the PAT address is attempting to access itself to and from UDP 6881. So some service or someone is attempting to gain access back into the network using UDP 6881. So I applied another ACL to the inside interface and found the machine that was generating the traffic. After doing a little research, I found out that BitTorrent uses that port for its peer-to-peer connections. Unfortunately, I don't have access to the machine generating that traffic, but I need to know whether or not to escalate the issue. To me, it looks like the PAT address is being spoofed by an outside party to access something on the inside that's making requests to it. I am very interested to know your opinions on this.
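
The log review described in the post, as an added example that is not part of the original post: it parses IOS ACL log lines, totals WAN-side denies where source and destination are both the PAT address, then lists inside hosts sending to the PAT address on those same ports. The ACL names, addresses (documentation ranges) and sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the IOS "%SEC-6-IPACCESSLOGP" format; the ACL
# names and all addresses (documentation ranges) are assumptions.
SAMPLE_LOG = """\
Mar  1 10:02:11: %SEC-6-IPACCESSLOGP: list WAN-IN denied udp 203.0.113.10(6881) -> 203.0.113.10(6881), 1 packet
Mar  1 10:02:40: %SEC-6-IPACCESSLOGP: list INSIDE-IN permitted udp 192.168.1.57(6881) -> 203.0.113.10(6881), 1 packet
Mar  1 10:03:05: %SEC-6-IPACCESSLOGP: list WAN-IN denied tcp 198.51.100.23(44211) -> 203.0.113.10(22), 1 packet
Mar  1 10:07:12: %SEC-6-IPACCESSLOGP: list WAN-IN denied udp 203.0.113.10(6881) -> 203.0.113.10(6881), 4 packets
Mar  1 10:07:30: %SEC-6-IPACCESSLOGP: list INSIDE-IN permitted udp 192.168.1.57(6881) -> 203.0.113.10(6881), 3 packets
Mar  1 10:08:01: %SEC-6-IPACCESSLOGP: list INSIDE-IN permitted udp 192.168.1.20(53124) -> 198.51.100.53(53), 1 packet
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse(log_text):
    """Yield one dict per ACL log line that matches the expected format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            yield rec

def triage(log_text, pat_ip, wan_acl="WAN-IN", inside_acl="INSIDE-IN"):
    """Return two packet Counters: WAN-ACL denies where src == dst == pat_ip,
    keyed (proto, dport); and inside-ACL senders to pat_ip on those ports,
    keyed (src, proto, dport)."""
    records = list(parse(log_text))
    self_addressed = Counter()
    for r in records:
        if r["acl"] == wan_acl and r["action"] == "denied" and r["src"] == r["dst"] == pat_ip:
            self_addressed[(r["proto"], r["dport"])] += r["count"]
    inside_hosts = Counter()
    for r in records:
        if r["acl"] == inside_acl and r["dst"] == pat_ip and (r["proto"], r["dport"]) in self_addressed:
            inside_hosts[(r["src"], r["proto"], r["dport"])] += r["count"]
    return self_addressed, inside_hosts

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "203.0.113.10"))
```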
