topic hi,is 217.160.208.160 your in Network Security

How can I find the infected device on my LAN?

erwin1969 — Tue, 12 Mar 2019 05:29:33 GMT

We are getting blacklisted every day because of traffic from our WAN IP to an External IP address.

Since I have blocked the external IP address in an ACL, we aren't blacklisted anymore.

In the ACL, I see the matches slowly increasing. But I don't see any Nat translation to this External address.

How can I find the infected device on my Network?

Which firewall are you using

Andre Neethling — Thu, 12 Feb 2015 07:58:44 GMT

Which firewall are you using?

If ASA then you can use the command "show conn" then look at a host making multiple connections from random source ports.

Hi Andre, it's no ASA, but a

erwin1969 — Thu, 12 Feb 2015 18:47:25 GMT

Hi Andre,

it's no ASA, but a Cisco 891 router.

I have created following line in the ACL: 5 deny ip any host 217.160.208.160 (8 matches)

There isn't a lot of traffic to this WAN address, mainly at night or in the morning, but enough to get listed by CBL.

Any idea how I can monitor traffic or find out who is trying to connect to 217.160.208.160?

hi,is 217.160.208.160 your

johnlloyd_13 — Fri, 13 Feb 2015 03:48:15 GMT

hi,

is 217.160.208.160 your public WAN IP?

you could leverage netflow on your 891.

see link below:

http://wannabelab.blogspot.com/2013/11/configuring-netflow.html

I'm guessing that the IP you

Andre Neethling — Fri, 13 Feb 2015 05:27:18 GMT

I'm guessing that the IP you provided (you suspect) is the destination host that the infected machine is trying to contact?

You can try to create an extended ACL with any source and destination 217.160.208.160 then set a debug on all matching traffic. Something like this below.

router(config)access-list 100 permit ip any host 217.160.208.160

router#debug ip packet 100 detail

Or you can leverage netflow if you have a collector set up as has been recommended by johnlloyd_13