Tracking down rogue clients across WAN links.

Discussion in 'Cisco' started by edavid3001@gmail.com, Sep 7, 2006.

  1. Guest

    I have CISCO routers and switches everywhere.

    I am currently seeing on my firewall logs, due to default routing, ICMP
    traffic to and from US military IP addresses. I have used Ethereal and
    tracked both source IPs as coming from one of my Cisco routers which
    connects many remote locations.

    I have telnetted into each of these remote locations and did SHOW ARP
    and SHOW IP CACHE and see no reference to the rogue IPs.

    In the old days, I'd take over these remote machines and packet sniff
    on the hubs. But I am in a switched network and there are too many
    remote locations. I do have SNMP enabled on most all my PC's,
    switches, and routers. How do I track these IP address down to a
    remote network / port?
     
    , Sep 7, 2006
    #1

  2. In article <>,
    <> wrote:
    >I have CISCO routers and switches everywhere.


    >I am currently seeing on my firewall logs, due to default routing, ICMP
    >traffic to and from US military IP addresses. I have used Ethereal and
    >tracked both source IP's as coming from one of my Cisco routers which
    >connects many remote locations.


    What are your router ntp servers set to? Some of the major ntp servers
    are run by the Naval Observatory.
     
    Walter Roberson, Sep 7, 2006
    #2

  3. Merv Guest

    Do the source IP addresses look like they are valid, or are they spoofed?

    Do you implement source IP address verification at the edge of your
    network?
     
    Merv, Sep 7, 2006
    #3
  4. Guest

    from 129.229.207.22 to 42.229.33.91
    from 33.91.129.229 to 33.20.42.229
    from 229.42.17.126 to 16.126.38.0

    This is being detected by my firewall as address spoofing. I have a
    monitor port between my WAN router and my firewall with ethereal, and I
    can sniff this traffic. The source MAC is the MAC of the router,
    destination is that of my firewall.

    Firewall reports traffic on the inner NIC.

    I see no other traffic to/from these IP's. No UDP to NTP.

    These are not used internally.

    My thought is that someone setup a VPN bridge device and this is
    somehow tripping over onto our LAN because the client device is powered
    off. Or possibly dialup RAS, which is prohibited on this specific
    network.

    I have done an IP SHOW CACHE on one router and found cache entries for a
    few of these networks. I guess I need to set up ACLs to block these
    hosts and log it, then see if it is coming from this network. ARP
    shows nothing on the router nor switches. This specific network
    doesn't have SNMP on the clients.
     
    , Sep 7, 2006
    #4
  5. Guest

    Using ACLs I've determined which network is generating the traffic.
    Now, how do I remotely figure out where it is coming from?

    It's a switched network, so packet sniffing won't work unless I had a
    monitor port and device hooked to it. I don't.

    Is there a way to see the MAC address of access log violators?
     
    , Sep 12, 2006
    #5
  6. In article <>,
    <> wrote:
    >Using ACL's I've determined which network is generating the traffic.
    >Now, how do I remotely figure out where it is coming from?


    >It's a switched network, so packet sniffing won't work unless I had a
    >monitor port and device hooked to it. I don't.


    >Is there a way to see the MAC address of access log violators?


    In later IOS (earlier didn't have this), you can change the 'log'
    to 'log-input' to get the MAC address.
     
    Walter Roberson, Sep 12, 2006
    #6
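The ACL-based approach described in post #4 (block the spoofed sources and log hits) combined with the `log-input` keyword from post #6, written out as an added configuration example. This is not from the thread or from any Cisco document; the ACL name TRACK-SPOOF, the interface names, the MAC address 0011.2233.4455 and the syslog host 192.0.2.10 are assumed placeholders, and the log message shown in the comments is constructed to illustrate the format rather than copied from a real router.

```cisco
! Added example, not from the thread: record the source MAC and ingress
! interface of the spoofed packets, then follow that MAC to a switch port.
! Assumed names: ACL TRACK-SPOOF, interface FastEthernet0/0, syslog host
! 192.0.2.10 (documentation address), MAC 0011.2233.4455 (placeholder).
!
! --- Remote-site router: apply inbound on the LAN-facing interface ---
! log-input reports the MAC of the last layer-2 hop, so on the central
! router's WAN side it would only show the remote router; the ACL has to
! sit on the interface that faces the suspect LAN.
ip access-list extended TRACK-SPOOF
 remark Sources seen on the firewall; log-input adds MAC and interface
 deny ip host 129.229.207.22 any log-input
 deny ip host 33.91.129.229 any log-input
 deny ip host 229.42.17.126 any log-input
 permit ip any any
!
interface FastEthernet0/0
 ip access-group TRACK-SPOOF in
!
! Logged packets are handled by the route processor. The first packet of a
! matching flow is logged and later ones are summarised; the threshold
! below caps how often a flow re-logs so a chatty device cannot flood the
! router. The messages are severity 6, so the trap level must be at least
! informational for them to reach the syslog host.
ip access-list log-update threshold 100
logging host 192.0.2.10
logging trap informational
!
! Constructed illustration of a hit on a deny ... log-input entry:
! %SEC-6-IPACCESSLOGDP: list TRACK-SPOOF denied icmp 129.229.207.22
!   (FastEthernet0/0 0011.2233.4455) -> 42.229.33.91 (8/0), 1 packet
!
! --- Follow the MAC to a port (run on the site's IOS switches) ---
! show mac address-table address 0011.2233.4455
!   (older IOS spells it: show mac-address-table address 0011.2233.4455)
! If the learned-on port is an uplink to another switch, query that
! neighbour and repeat:
! show cdp neighbors GigabitEthernet0/1 detail
! Once the edge port is known, isolate it until the device is identified:
! interface FastEthernet0/24
!  shutdown
```

Because log-input only identifies the MAC on the segment the router sees, each hop toward the edge is a separate `show mac address-table` lookup; on CatOS-based switches the equivalent table is `show cam`. Remove the logging entries once the hosts are located, since process-switched logging of every matching packet adds CPU load on small remote-site routers.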
  7. Guest

    > In later IOS (earlier didn't have this), you can change the 'log'
    > to 'log-input' to get the MAC address.


    Exactly what I am looking for. Thank you very much. I can't tell you
    how many hours I've spent looking for that command (not being the Cisco
    guy for our network...)

    I found out that one is a
    http://www.jkmicro.com
    device embedded into one of these:
    http://www.synaccess-net.com/products.php?id=np

    My guess is the guy didn't configure this page:
    http://www.synaccess-net.com/demotwNp/synNwCfg.htm

    correctly on the device.

    That's one down, 3 more to go. Thanks!
     
    , Sep 12, 2006
    #7