Tracking down rogue clients across WAN links.

I have CISCO routers and switches everywhere.

I am currently seeing on my firewall logs, due to default routing, ICMP traffic to and from US military IP addresses. I have used Ethereal and tracked both source IPs as coming from one of my Cisco routers which connects many remote locations.

I have telnetted into each of these remote locations and did SHOW ARP and SHOW IP CACHE and see no reference to the rogue IPs.

In the old days, I'd take over these remote machines and packet sniff on the hubs. But I am in a switched network and there are too many remote locations. I do have SNMP enabled on most all my PCs, switches, and routers. How do I track these IP addresses down to a remote network / port?

Reply to
edavid3001

What are your router ntp servers set to? Some of the major ntp servers are run by the Naval Observatory.

Reply to
Walter Roberson

Do the source IP addresses look like they are valid, or are they spoofed?

Do you implement source IP address verification at the edge of your network?

Reply to
Merv

from 129.229.207.22 to 42.229.33.91
from 33.91.129.229 to 33.20.42.229
from 229.42.17.126 to 16.126.38.0

This is being detected by my firewall as address spoofing. I have a monitor port between my WAN router and my firewall with ethereal, and I can sniff this traffic. The source MAC is the MAC of the router, destination is that of my firewall.

Firewall reports traffic on the inner NIC.

I see no other traffic to/from these IPs. No UDP to NTP.

These are not used internally.

My thought is that someone set up a VPN bridge device and this is somehow tripping over onto our LAN because the client device is powered off. Or possibly dialup RAS, which is prohibited on this specific network.

I have done an IP SHOW CACHE on one router and found cache entries for a few of these networks. I guess I need to set up ACLs to block these hosts and log it, then see if it is coming from this network. ARP shows nothing on the router nor switches. This specific network doesn't have SNMP on the clients.

Reply to
edavid3001

Using ACLs I've determined which network is generating the traffic. Now, how do I remotely figure out where it is coming from?

It's a switched network, so packet sniffing won't work unless I had a monitor port and device hooked to it. I don't.

Is there a way to see the MAC address of access log violators?

Reply to
edavid3001

In later IOS (earlier didn't have this), you can change the 'log' to 'log-input' to get the MAC address.

Reply to
Walter Roberson
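The ACL approach from the earlier post and the `log-input` keyword suggested above, carried one step further as an added example (my code, not anything posted in this thread): once the router logs the ingress interface and source MAC of each denied packet, the MAC can be looked up in the access switch's MAC table to find the physical port the rogue host sits on. The IOS config snippet, the syslog lines and the MAC-table text below are all constructed; the `%SEC-6-IPACCESSLOG*` record layout is written from memory of what IOS emits and should be checked against your own router's output before relying on the regex. The ACL name `ROGUE-SPOOF`, interface names, MACs and ports are made up.

```python
"""
Correlate Cisco IOS 'log-input' ACL hits with a switch MAC table.

Added example, not code from the original thread. Assumptions (labelled):
- The ACL is configured roughly like the constructed snippet below
  (standard IOS extended-ACL syntax; 'log-input' adds the ingress interface
  and source MAC to each log record, plain 'log' does not).
- Log lines follow the IOS %SEC-6-IPACCESSLOG* layout as remembered here;
  the sample lines are constructed, not captured from a real router.
- The MAC table text mimics 'show mac address-table' output; constructed too.
"""
import re
from collections import defaultdict

# Constructed IOS config: the change from 'log' to 'log-input' on the deny lines
# is what makes the source MAC appear in the log message.
EXAMPLE_ACL_CONFIG = """
ip access-list extended ROGUE-SPOOF
 deny   ip 129.229.0.0 0.0.255.255 any log-input
 deny   ip 33.0.0.0 0.255.255.255 any log-input
 deny   ip 229.42.0.0 0.0.255.255 any log-input
 permit ip any any
!
interface Serial0/0
 ip access-group ROGUE-SPOOF in
"""

# Constructed syslog lines (format assumed to match IOS log-input output).
SAMPLE_SYSLOG = """\
Mar  3 10:12:01 rtr-remote1 12: *Mar  3 10:12:00.123: %SEC-6-IPACCESSLOGDP: list ROGUE-SPOOF denied icmp 129.229.207.22 (FastEthernet0/1 0011.2233.4455) -> 42.229.33.91 (8/0), 1 packet
Mar  3 10:12:05 rtr-remote1 13: *Mar  3 10:12:04.456: %SEC-6-IPACCESSLOGDP: list ROGUE-SPOOF denied icmp 33.91.129.229 (FastEthernet0/1 0011.2233.4455) -> 33.20.42.229 (8/0), 3 packets
Mar  3 10:12:09 rtr-remote1 14: *Mar  3 10:12:08.789: %SEC-6-IPACCESSLOGP: list ROGUE-SPOOF denied udp 229.42.17.126(53) (FastEthernet0/1 aabb.ccdd.eeff) -> 16.126.38.0(53), 1 packet
Mar  3 10:12:12 rtr-remote1 15: *Mar  3 10:12:11.001: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Constructed 'show mac address-table' output from the remote access switch.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/7
  10    aabb.ccdd.eeff    DYNAMIC     Fa0/12
  10    0050.5600.0001    DYNAMIC     Gi0/1
"""

# Matches both the ICMP (IPACCESSLOGDP) and TCP/UDP (IPACCESSLOGP) variants;
# the optional "(port)" after the source IP only appears for TCP/UDP.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? "
    r"\((?P<ifname>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"-> (?P<dst>\d+\.\d+\.\d+\.\d+)"
)

MAC_ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+\S+\s+(?P<port>\S+)\s*$"
)


def parse_log_input(syslog_text):
    """Return one dict per ACL hit carrying the ingress interface and source MAC."""
    hits = []
    for line in syslog_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits


def parse_mac_table(table_text):
    """Map MAC -> (vlan, port) from 'show mac address-table' style text."""
    table = {}
    for line in table_text.splitlines():
        m = MAC_ROW_RE.match(line)
        if m:
            table[m.group("mac")] = (int(m.group("vlan")), m.group("port"))
    return table


def locate_rogues(syslog_text, table_text):
    """Group spoofed source IPs by the MAC that sent them and resolve each MAC to a switch port."""
    by_mac = defaultdict(set)
    for hit in parse_log_input(syslog_text):
        by_mac[hit["mac"]].add(hit["src"])
    macs = parse_mac_table(table_text)
    result = {}
    for mac, srcs in by_mac.items():
        # A MAC missing from the table usually means the host is behind another
        # switch (check the uplink port's table) or the entry has aged out.
        vlan, port = macs.get(mac, (None, "not in MAC table"))
        result[mac] = {"sources": sorted(srcs), "vlan": vlan, "port": port}
    return result


if __name__ == "__main__":
    for mac, info in locate_rogues(SAMPLE_SYSLOG, SAMPLE_MAC_TABLE).items():
        print(f"{mac} -> VLAN {info['vlan']} port {info['port']}: {', '.join(info['sources'])}")
```

Note that the interface in the log record is the router interface the packet arrived on, which identifies the remote site; the MAC is what lets you walk from there to the switch port without needing a span port or SNMP on the clients. If the MAC in the log is that of another switch or router rather than an end host, the rogue device is one more hop in and the same lookup is repeated on that device.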

Exactly what I am looking for. Thank you very much. I can't tell you how many hours I've spent looking for that command (not being the Cisco guy for our network..)

I found out that one is a [link] embedded into one of these: [link]. My guess is the guy didn't configure this page, [link], correctly on the device.

That's one down, 3 more to go. Thanks!

Reply to
edavid3001

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.