Tracking down rogue clients across WAN links.

edavid3001@gmail.com
09-07-2006
I have CISCO routers and switches everywhere.

I am currently seeing on my firewall logs, due to default routing, ICMP
traffic to and from US military IP addresses. I have used Ethereal and
tracked both source IPs as coming from one of my Cisco routers which
connects many remote locations.

I have telnetted into each of these remote locations and done SHOW ARP
and SHOW IP CACHE and see no reference to the rogue IPs.

In the old days, I'd take over these remote machines and packet sniff
on the hubs. But I am in a switched network and there are too many
remote locations. I do have SNMP enabled on almost all my PCs,
switches, and routers. How do I track these IP addresses down to a
remote network / port?

 

Walter Roberson
09-07-2006
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:
>I have CISCO routers and switches everywhere.


>I am currently seeing on my firewall logs, due to default routing, ICMP
>traffic to and from US military IP addresses. I have used Ethereal and
>tracked both source IP's as coming from one of my Cisco routers which
>connects many remote locations.


What are your router ntp servers set to? Some of the major ntp servers
are run by the Naval Observatory.
 

Merv
09-07-2006

Do the source IP addresses look like they are valid or are they spoofed?

Do you implement source IP address verification at the edge of your
network?

 

edavid3001@gmail.com
09-07-2006
from 129.229.207.22 to 42.229.33.91
from 33.91.129.229 to 33.20.42.229
from 229.42.17.126 to 16.126.38.0

This is being detected by my firewall as address spoofing. I have a
monitor port between my WAN router and my firewall with ethereal, and I
can sniff this traffic. The source MAC is the MAC of the router,
destination is that of my firewall.

Firewall reports traffic on the inner NIC.

I see no other traffic to/from these IP's. No UDP to NTP.

These are not used internally.

My thought is that someone setup a VPN bridge device and this is
somehow tripping over onto our LAN because the client device is powered
off. Or possibly dialup RAS, which is prohibited on this specific
network.

I have done a SHOW IP CACHE on one router and found cache entries for a
few of these networks. I guess I need to set up ACLs to block these
hosts and log it, then see if it is coming from this network. ARP
shows nothing on the router nor switches. This specific network
doesn't have SNMP on the clients.

 

edavid3001@gmail.com
09-12-2006
Using ACLs I've determined which network is generating the traffic.
Now, how do I remotely figure out where it is coming from?

It's a switched network, so packet sniffing won't work unless I had a
monitor port and device hooked to it. I don't.

Is there a way to see the MAC address of access log violators?

 

Walter Roberson
09-12-2006
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:
>Using ACL's I've determined which network is generating the traffic.
>Now, how do I remotely figure out where it is coming from?


>It's a switched network, so packet sniffing won't work unless I had a
>monitor port and device hooked to it. I don't.


>Is there a way to see the MAC address of access log violators?


In later IOS (earlier didn't have this), you can change the 'log'
to 'log-input' to get the MAC address.

 
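Turning the 'log-input' output into a port-hunting list, as an added example that is not part of the thread: a small Python parser over constructed IOS syslog lines in the IPACCESSLOGP / IPACCESSLOGDP format, grouping denied sources by ingress interface and source MAC. The message format is the standard IOS one; the hostname, interface names and MAC addresses are made up, and the source/destination IPs are the ones quoted earlier in the thread.

```python
"""Parse Cisco IOS ACL 'log-input' syslog lines to recover the ingress
interface and source MAC of packets an ACE matched.

Added example, not from the thread.  An ACE ending in 'log-input' adds
the parenthesised '(interface mac)' field; plain 'log' omits it, so
those lines are ignored here.
"""
import re
from collections import defaultdict

# Constructed sample syslog lines (not captured from a real device).
SAMPLE_LOGS = """\
Sep 12 10:01:03 rtr1 123: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 129.229.207.22 (FastEthernet0/1 0011.2233.4455) -> 42.229.33.91 (8/0), 1 packet
Sep 12 10:01:09 rtr1 124: %SEC-6-IPACCESSLOGP: list 101 denied udp 33.91.129.229(137) (FastEthernet0/1 0011.2233.4455) -> 33.20.42.229(137), 3 packets
Sep 12 10:02:41 rtr1 125: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 229.42.17.126 (FastEthernet0/2 00aa.bbcc.ddee) -> 16.126.38.0 (8/0), 1 packet
Sep 12 10:02:50 rtr1 126: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.5(51000) (FastEthernet0/1 0011.2233.4455) -> 10.9.9.9(22), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? "
    r"\((?P<ifname>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)"
)

def parse_log_input(line):
    """Return a dict of ACL match fields, or None if the line is not a
    log-input message (e.g. emitted by 'log' without '-input')."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def offenders_by_mac(text, action="denied"):
    """Group matched source IPs by (ingress interface, source MAC).  The
    MAC is what you look up in the switch's MAC address table to find
    the access port behind the rogue addresses."""
    hits = defaultdict(set)
    for line in text.splitlines():
        rec = parse_log_input(line)
        if rec and rec["action"] == action:
            hits[(rec["ifname"], rec["mac"])].add(rec["src"])
    return {k: sorted(v) for k, v in hits.items()}

if __name__ == "__main__":
    for (ifname, mac), srcs in offenders_by_mac(SAMPLE_LOGS).items():
        print(f"{ifname} {mac}: {', '.join(srcs)}")
```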

edavid3001@gmail.com
09-12-2006
> In later IOS (earlier didn't have this), you can change the 'log'
> to 'log-input' to get the MAC address.


Exactly what I am looking for. Thank you very much. I can't tell you
how many hours I've spent looking for that command (not being the Cisco
guy for our network..)

I found out that one is a
http://www.jkmicro.com
device embedded into one of these:
http://www.synaccess-net.com/products.php?id=np

My guess is the guy didn't configure this page:
http://www.synaccess-net.com/demotwNp/synNwCfg.htm

correctly on the device.

That's one down, 3 more to go. Thanks!

 