Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Firewall detect source and destination ip addresses not belonging to any subnet connected to the firewall

Hi all,

I faced a very strange situation where my firewall logs indicate there are traffic where both source and destination ip addresses does not belong to any subnet that my firewall is connected to. The source ip of these strange logs are attempting to access destination port tcp 80(http). Both the source and destination ip addresses are internet ip addresses and they are not part of the internet range of ip that i own. Between my firewall and the internet is my WAN router. My WAN router is connected to ISP via MPLS. I have verified there is no misconfiguration in terms of routing on my WAN router. Suppose the isp did routing misconfiguration, the strange packets should be dropped by my router. My WAN router is configured with WCCP which is meant to redirect http traffic back to my web proxy located behind my firewall. Hence did any of you faced such strange problems before and could it be due to some bugs with the WCCP? TIA!

4 REPLIES

Hi, was the suspicious

Hi,

 

was the suspicious traffic received from the Internet or sent to the Internet from your site?

It the second case it could be some of your PCs might be infected by a malware and became a member of a botnet attacking some Internet server?

And the source IP address would be simply a spoofed one?

 

Best regards,

Milan

 

 

New Member

Hi Milan, Thk you for prompt

Hi Milan,

 

Thk you for prompt response. The suspicious http traffic was received from the internet where source and destination ip are internet addresses not belonging to any subnet of my firewall. This traffic was denied by my firewall. THe suspicious traffic is received at the firewall segment facing the WAN router. Could spoofing still be possible in this case? By way my WAN router is a Cisco ASR 1004.

Hi,

Hi, are you advertising your subnets to your ISP by some routing protocol (BGP, e.g.)? In that case I could imagine some error on your side (advertising wrong subnet) could make the ISP to deliver you a traffic with a destination address which is not owned by you. Usually, source address can be spoofed as a part of some attack. But traffic with a wrong destination address should not be delivered to you! As you are saying "My WAN router is configured with WCCP which is meant to redirect http traffic back to my web proxy located behind my firewall." which is something I don't 100% follow. Should WCCP change the destination IP address of http packets? But still forward them to the FW? Best regards, Milan
New Member

Hi Milan,My WCCP will not

Hi Milan,

My WCCP will not change the destination ip address of http packets. Clients accessing http will first go through the firewall then to my ASR which will then send the packets back to my proxy via WCCP after which the proxy will access the internet on behalf of the clients. I am advertising my subnet to ISP via BGP. Will reconfirm if wrong subnets are advertised to ISP but its unlikely as we only have one public subnet to advertise.

447
Views
0
Helpful
4
Replies
CreatePlease to create content