Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2244
Views
0
Helpful
4
Replies

Firewall detect source and destination ip addresses not belonging to any subnet connected to the firewall

donnie
Level 1
Level 1

‎10-29-2014 06:38 AM - edited ‎03-05-2019 12:04 AM

Hi all,

I faced a very strange situation where my firewall logs indicate there are traffic where both source and destination ip addresses does not belong to any subnet that my firewall is connected to. The source ip of these strange logs are attempting to access destination port tcp 80(http). Both the source and destination ip addresses are internet ip addresses and they are not part of the internet range of ip that i own. Between my firewall and the internet is my WAN router. My WAN router is connected to ISP via MPLS. I have verified there is no misconfiguration in terms of routing on my WAN router. Suppose the isp did routing misconfiguration, the strange packets should be dropped by my router. My WAN router is configured with WCCP which is meant to redirect http traffic back to my web proxy located behind my firewall. Hence did any of you faced such strange problems before and could it be due to some bugs with the WCCP? TIA!

Labels:
0 Helpful
4 Replies 4

milan.kulik
Level 10
Level 10

‎10-29-2014 07:11 AM

Hi,

 

was the suspicious traffic received from the Internet or sent to the Internet from your site?

It the second case it could be some of your PCs might be infected by a malware and became a member of a botnet attacking some Internet server?

And the source IP address would be simply a spoofed one?

 

Best regards,

Milan

 

 

0 Helpful

donnie
Level 1
Level 1
In response to milan.kulik

‎10-29-2014 08:55 AM

Hi Milan,

 

Thk you for prompt response. The suspicious http traffic was received from the internet where source and destination ip are internet addresses not belonging to any subnet of my firewall. This traffic was denied by my firewall. THe suspicious traffic is received at the firewall segment facing the WAN router. Could spoofing still be possible in this case? By way my WAN router is a Cisco ASR 1004.

0 Helpful

milan.kulik
Level 10
Level 10
In response to donnie

‎10-29-2014 09:59 AM

Hi, are you advertising your subnets to your ISP by some routing protocol (BGP, e.g.)? In that case I could imagine some error on your side (advertising wrong subnet) could make the ISP to deliver you a traffic with a destination address which is not owned by you. Usually, source address can be spoofed as a part of some attack. But traffic with a wrong destination address should not be delivered to you! As you are saying "My WAN router is configured with WCCP which is meant to redirect http traffic back to my web proxy located behind my firewall." which is something I don't 100% follow. Should WCCP change the destination IP address of http packets? But still forward them to the FW? Best regards, Milan
0 Helpful

donnie
Level 1
Level 1
In response to milan.kulik

‎10-29-2014 05:17 PM

Hi Milan,

My WCCP will not change the destination ip address of http packets. Clients accessing http will first go through the firewall then to my ASR which will then send the packets back to my proxy via WCCP after which the proxy will access the internet on behalf of the clients. I am advertising my subnet to ISP via BGP. Will reconfirm if wrong subnets are advertised to ISP but its unlikely as we only have one public subnet to advertise.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card