UDP Broadcasts filling log on PIX

Discussion in 'Cisco' started by Mark M, Sep 12, 2005.

  1. Mark M


    Hello

    Broadcasts on my internal LAN are hitting my PIX internal interface and
    making my logs hard to manage. Here is a snip:

    %PIX-3-710003: UDP access denied by ACL from 192.168.1.2/137 to inside:192.168.1.255/137

    The PIX internal interface is 192.168.1.123. I don't understand why a
    broadcast packet would show up as blocked traffic on the PIX since
    traffic is not attempting to transverse the interfaces.

    Do I have a config issue, or is this normal?

    Thanks,
    Mark M
     
    Mark M, Sep 12, 2005
    #1

  2. :Broadcasts on my internal LAN are hitting my PIX internal interface and
    :making my logs hard to manage. Here is a snip:

    :%PIX-3-710003: UDP access denied by ACL from 192.168.1.2/137 to inside:192.168.1.255/137

    :The PIX internal interface is 192.168.1.123. I don't understand why a
    :broadcast packet would show up as blocked traffic on the PIX since
    :traffic is not attempting to transverse the interfaces.

    :Do I have a config issue, or is this normal?

    Broadcast traffic is sent to all hosts on the segment, including the PIX.
    The PIX considers -all- traffic that comes to its attention as requests
    to traverse the interfaces (except for the traffic addressed right
    to the PIX itself, that is.)

    You have a few options:

    a) permit the traffic through in your ACL. This will get rid of the
    message you are seeing, and replace it with a regular Deny message,
    that, if read carefully, will show that the traffic was denied because
    the source and destination interfaces were the same

    b) no message logging 710003
    will turn off the above message completely, along with the logging
    of some other kinds of UDP traffic that the PIX thinks are addressed to
    the PIX

    c) add an access-list entry matching that traffic but with "logging disable"
    to turn off the logging of that -specific- flow

    d) turn off NETBIOS on your Windows systems

    e) put your Windows hosts into a subnet that isn't the same as the
    inside interface subnet, and have an inside router to forward the traffic
    to the PIX. In this way the PIX won't be a receiver of the broadcasts.
     
    Walter Roberson, Sep 12, 2005
    #2
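    As an added example (not code from the thread or from Cisco), a small Python triage script that parses %PIX-3-710003 lines and separates hits on the interface's subnet broadcast address (the LAN chatter described above) from unicast hits on the firewall itself, so the operator can see how much of the log is broadcast noise before picking one of the options listed. The sample log lines are constructed, and the inside subnet 192.168.1.0/24 is assumed, since the thread only gives the inside address 192.168.1.123.

```python
import ipaddress
import re
from collections import Counter

# Matches the message quoted in the thread (%PIX-3-710003 ... from A/p to iface:B/q).
MSG_710003 = re.compile(
    r"%PIX-\d-710003: (?P<proto>\w+) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = [
    "%PIX-3-710003: UDP access denied by ACL from 192.168.1.2/137 to inside:192.168.1.255/137",
    "%PIX-3-710003: UDP access denied by ACL from 192.168.1.50/138 to inside:192.168.1.255/138",
    "%PIX-3-710003: UDP access denied by ACL from 192.168.1.77/4000 to inside:192.168.1.123/161",
    '%PIX-4-106023: Deny udp src inside:192.168.1.9/137 dst outside:10.1.1.255/137 by access-group "inside_in"',
]

# Assumed inside subnet; the thread only gives the inside address 192.168.1.123.
IFACE_NETS = {"inside": ipaddress.ip_network("192.168.1.0/24")}
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")


def classify_710003(line, iface_nets=IFACE_NETS):
    """None for other messages; 'broadcast-noise' when the destination is the
    receiving interface's subnet broadcast (or 255.255.255.255), i.e. the LAN
    chatter the thread describes; otherwise 'review' (unicast aimed at the PIX)."""
    m = MSG_710003.search(line)
    if m is None:
        return None
    dst = ipaddress.ip_address(m["dst"])
    net = iface_nets.get(m["iface"])
    if dst == LIMITED_BCAST or (net is not None and dst == net.broadcast_address):
        return "broadcast-noise"
    return "review"


def triage(lines, iface_nets=IFACE_NETS):
    """Count verdicts and, for the noise, destination ports: sizes the problem
    before choosing between silencing 710003 and a per-flow logging-disabled entry."""
    verdicts, noise_ports = Counter(), Counter()
    for line in lines:
        verdict = classify_710003(line, iface_nets)
        if verdict is None:
            continue
        verdicts[verdict] += 1
        if verdict == "broadcast-noise":
            noise_ports[int(MSG_710003.search(line)["dport"])] += 1
    return verdicts, noise_ports
```

The per-port counts on the noise side (137/138 here, the NetBIOS name and datagram services) tell you which flows a targeted ACL entry would need to cover, while anything in the "review" bucket is a real packet addressed to the firewall and worth a look.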

  3. Mark M


    Great...thanks for the information!
     
    Mark M, Sep 14, 2005
    #3
