Cisco router spoofing?

Discussion in 'Cisco' started by Mark, Jul 17, 2003.

  1. Mark

    Mark Guest

    Last night I had the gateway router take over the IP address for one
    of my servers. I identified the router as the problem when I started a
    server reboot and was still able to ping the IP address. Checking the
    arp table on another machine revealed that it was the router
    responding rather than the server. I looked throught the NAT
    tranlation table and didn't see anything that could account for this
    behavior. After reloading the router everything returned to normal.

    I would like to make sure it dosn't happen again since I am not fond
    of getting up at 3:00am to reload the router. Does anyone have a clue
    about what I should be looking for?

    It is a 1605R router using 12.0(7)T2 IOS cisco
    c1600-oy-mz.120-7.T2.bin
    Mark, Jul 17, 2003
    #1
    1. Advertising

  2. Mark

    Paul Guest

    Maybe the router thought the IP address was on another subnet attached to a
    different segment of the network...


    "Mark" <> wrote in message
    news:...
    > Last night I had the gateway router take over the IP address for one
    > of my servers. I identified the router as the problem when I started a
    > server reboot and was still able to ping the IP address. Checking the
    > arp table on another machine revealed that it was the router
    > responding rather than the server. I looked throught the NAT
    > tranlation table and didn't see anything that could account for this
    > behavior. After reloading the router everything returned to normal.
    >
    > I would like to make sure it dosn't happen again since I am not fond
    > of getting up at 3:00am to reload the router. Does anyone have a clue
    > about what I should be looking for?
    >
    > It is a 1605R router using 12.0(7)T2 IOS cisco
    > c1600-oy-mz.120-7.T2.bin
    Paul, Jul 17, 2003
    #2
    1. Advertising

  3. Mark

    Mark Guest

    "Paul" <p a u l a t d a l l a s m a v s d o t n e t> wrote in message news:<3f16e534$>...
    > Maybe the router thought the IP address was on another subnet attached to a
    > different segment of the network...
    >
    >
    > "Mark" <> wrote in message
    > news:...
    > > Last night I had the gateway router take over the IP address for one
    > > of my servers. I identified the router as the problem when I started a
    > > server reboot and was still able to ping the IP address. Checking the
    > > arp table on another machine revealed that it was the router
    > > responding rather than the server. I looked throught the NAT
    > > tranlation table and didn't see anything that could account for this
    > > behavior. After reloading the router everything returned to normal.
    > >
    > > I would like to make sure it dosn't happen again since I am not fond
    > > of getting up at 3:00am to reload the router. Does anyone have a clue
    > > about what I should be looking for?
    > >
    > > It is a 1605R router using 12.0(7)T2 IOS cisco
    > > c1600-oy-mz.120-7.T2.bin


    The router is the gateway for the host it was spoofing so it's routing
    tables would show the subnet directly connected to the ethernet port.
    Mark, Jul 17, 2003
    #3
  4. Mark

    Hapee Guest

    "Mark" <> wrote in message
    news:...
    > "Paul" <p a u l a t d a l l a s m a v s d o t n e t> wrote in message

    news:<3f16e534$>...
    > > Maybe the router thought the IP address was on another subnet attached

    to a
    > > different segment of the network...
    > >
    > >
    > > "Mark" <> wrote in message
    > > news:...
    > > > Last night I had the gateway router take over the IP address for one
    > > > of my servers. I identified the router as the problem when I started a
    > > > server reboot and was still able to ping the IP address. Checking the
    > > > arp table on another machine revealed that it was the router
    > > > responding rather than the server. I looked throught the NAT
    > > > tranlation table and didn't see anything that could account for this
    > > > behavior. After reloading the router everything returned to normal.
    > > >
    > > > I would like to make sure it dosn't happen again since I am not fond
    > > > of getting up at 3:00am to reload the router. Does anyone have a clue
    > > > about what I should be looking for?
    > > >
    > > > It is a 1605R router using 12.0(7)T2 IOS cisco
    > > > c1600-oy-mz.120-7.T2.bin

    >
    > The router is the gateway for the host it was spoofing so it's routing
    > tables would show the subnet directly connected to the ethernet port.
    Hapee, Jul 17, 2003
    #4
  5. Mark

    Hapee Guest

    "Mark" <> wrote in message
    news:...
    > "Paul" <p a u l a t d a l l a s m a v s d o t n e t> wrote in message

    news:<3f16e534$>...
    > > Maybe the router thought the IP address was on another subnet attached

    to a
    > > different segment of the network...
    > >
    > >
    > > "Mark" <> wrote in message
    > > news:...
    > > > Last night I had the gateway router take over the IP address for one
    > > > of my servers. I identified the router as the problem when I started a
    > > > server reboot and was still able to ping the IP address. Checking the
    > > > arp table on another machine revealed that it was the router
    > > > responding rather than the server. I looked throught the NAT
    > > > tranlation table and didn't see anything that could account for this
    > > > behavior. After reloading the router everything returned to normal.
    > > >
    > > > I would like to make sure it dosn't happen again since I am not fond
    > > > of getting up at 3:00am to reload the router. Does anyone have a clue
    > > > about what I should be looking for?
    > > >
    > > > It is a 1605R router using 12.0(7)T2 IOS cisco
    > > > c1600-oy-mz.120-7.T2.bin

    >
    > The router is the gateway for the host it was spoofing so it's routing
    > tables would show the subnet directly connected to the ethernet port.


    Try disabling proxy arp?
    Hapee, Jul 17, 2003
    #5
  6. It sounds like some type of proxy arp issue. Since proxy arp is on by default
    you may try 'no ip-proxy arp' on your Ethernet interface. If you are doing any
    dot1q or ISL trunking, and have sub-interfaces, I believe you will also need to
    issue the same command on the sub.

    David Wolfenbarger
    ----------
    (Mark) wrote...

    > Last night I had the gateway router take over the IP address for one
    > of my servers. I identified the router as the problem when I started a
    > server reboot and was still able to ping the IP address. Checking the
    > arp table on another machine revealed that it was the router
    > responding rather than the server. I looked throught the NAT
    > tranlation table and didn't see anything that could account for this
    > behavior. After reloading the router everything returned to normal.
    >
    > I would like to make sure it dosn't happen again since I am not fond
    > of getting up at 3:00am to reload the router. Does anyone have a clue
    > about what I should be looking for?
    >
    > It is a 1605R router using 12.0(7)T2 IOS cisco
    > c1600-oy-mz.120-7.T2.bin
    David Wolfenbarger, Jul 18, 2003
    #6
  7. Mark

    Mark Guest

    Disabled the proxy arp on Friday but it did the same thing again this morning.



    David Wolfenbarger <dwolfenbarger at remove_me_no_spam_excite dot com> wrote in message news:<>...
    > It sounds like some type of proxy arp issue. Since proxy arp is on by default
    > you may try 'no ip-proxy arp' on your Ethernet interface. If you are doing any
    > dot1q or ISL trunking, and have sub-interfaces, I believe you will also need to
    > issue the same command on the sub.
    >
    > David Wolfenbarger
    > ----------
    > (Mark) wrote...
    >
    > > Last night I had the gateway router take over the IP address for one
    > > of my servers. I identified the router as the problem when I started a
    > > server reboot and was still able to ping the IP address. Checking the
    > > arp table on another machine revealed that it was the router
    > > responding rather than the server. I looked throught the NAT
    > > tranlation table and didn't see anything that could account for this
    > > behavior. After reloading the router everything returned to normal.
    > >
    > > I would like to make sure it dosn't happen again since I am not fond
    > > of getting up at 3:00am to reload the router. Does anyone have a clue
    > > about what I should be looking for?
    > >
    > > It is a 1605R router using 12.0(7)T2 IOS cisco
    > > c1600-oy-mz.120-7.T2.bin
    Mark, Jul 21, 2003
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Carmen Gauvin-O'Donnell

    Spoofing vulnerability?

    Carmen Gauvin-O'Donnell, Feb 8, 2005, in forum: Firefox
    Replies:
    12
    Views:
    872
    Ed Mullen
    Feb 14, 2005
  2. Javier
    Replies:
    3
    Views:
    543
  3. Replies:
    1
    Views:
    1,496
  4. TheDood

    Cisco NAC & IP spoofing

    TheDood, Aug 13, 2006, in forum: Cisco
    Replies:
    0
    Views:
    470
    TheDood
    Aug 13, 2006
  5. Replies:
    2
    Views:
    829
    Maarten Carels
    Mar 7, 2007
Loading...

Share This Page