Cisco Support Community

Strange Network Traffic from Spoofed IP address.

Hello All-

I have been working on an issue for several days now, and I would like some input.  I stumbled upon some strange traffic while setting up a syslog server for my ASA.  I am receiving the following message:

%ASA-4-313005: No matching connection for ICMP error message: icmp src inside:210.88.48.217 dst inside:172.16.3.82 (type 3, code 13) on inside interface.  Original IP payload: udp src 172.16.3.82/138 dst 172.16.3.255/138.

This message is showing the "foreign IP" of 210.88.48.217 sourced on the inside interface.  I believe that a machine on our LAN is being spoofed with this address.  The destination address of "172.16.3.82" is not a valid address.  We currently have no 172.16.3.0 network.

My first step to track down the machine or machines creating this traffic has been:

I have set up the 172.16.3.0 network on a Catalyst 3750 L3 switch.  I have attached a machine with a 172.16.3.0/24 address and run Wireshark in hopes of capturing the packets in order to view the true source IP address.  I have been unsuccessful in this approach.

Can anyone provide any suggestions?
