How can I find the infected device on my LAN?

erwin1969 (Level 1)

We are getting blacklisted every day because of traffic from our WAN IP to an External IP address.

Since I have blocked the external IP address in an ACL, we aren't blacklisted anymore.

In the ACL, I see the matches slowly increasing. But I don't see any Nat translation to this External address.

How can I find the infected device on my Network?


4 Replies

Andre Neethling (Level 4)

Which firewall are you using?

If it is an ASA, you can use the command "show conn" and look for a host making multiple connections from random source ports.

Hi Andre,


It's not an ASA, but a Cisco 891 router.

I have created the following line in the ACL: 5 deny ip any host 217.160.208.160 (8 matches)

There isn't a lot of traffic to this WAN address, mainly at night or in the morning, but enough to get listed by CBL.

Any idea how I can monitor traffic or find out who is trying to connect to 217.160.208.160?

Hi,

Is 217.160.208.160 your public WAN IP?

You could leverage NetFlow on your 891.

See the link below:

http://wannabelab.blogspot.com/2013/11/configuring-netflow.html

I'm guessing that the IP you provided (you suspect) is the destination host that the infected machine is trying to contact?

You can try to create an extended ACL with any source and destination 217.160.208.160 then set a debug on all matching traffic. Something like this below.

router(config)#access-list 100 permit ip any host 217.160.208.160

router#debug ip packet 100 detail

Or you can leverage NetFlow if you have a collector set up, as has been recommended by johnlloyd_13.
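As an added example (not posted by anyone in this thread), a small Python script that reads the flow cache the 891 keeps once NetFlow is enabled (the output of "show ip cache flow") and tallies which LAN hosts have flows to the blocked address. The sample output, the private addresses and 198.51.100.7 are constructed; only 217.160.208.160 comes from the thread. IOS prints the protocol and both ports in hexadecimal, so the script decodes them before reporting.

```python
import re
from collections import defaultdict

# Constructed sample of `show ip cache flow` output (not from the thread).
# IOS prints Pr (IP protocol), SrcP and DstP in hexadecimal: 06 = TCP, 0019 = port 25.
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl1           192.168.1.50    Gi8           217.160.208.160 06 C0A0 0019     3
Vl1           192.168.1.50    Gi8           217.160.208.160 06 C0A4 0019     2
Vl1           192.168.1.20    Gi8           198.51.100.7    06 D431 01BB    41
Vl1           192.168.1.77    Gi8           217.160.208.160 06 E1F2 0019     1
Vl1           192.168.1.50    Gi8           217.160.208.160 06 C0B1 0019     4
"""

FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_if>\S+)\s+"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<proto>[0-9A-Fa-f]{2})\s+"
    r"(?P<src_port>[0-9A-Fa-f]{4})\s+(?P<dst_port>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)

def parse_flows(text):
    """Yield one dict per flow line; the header and non-matching lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            d = m.groupdict()
            yield {"src_ip": d["src_ip"], "dst_ip": d["dst_ip"],
                   "proto": int(d["proto"], 16), "src_port": int(d["src_port"], 16),
                   "dst_port": int(d["dst_port"], 16), "pkts": int(d["pkts"])}

def talkers_to(text, dst_ip):
    """Aggregate flows to dst_ip per LAN source: flow count, packets, destination ports."""
    stats = defaultdict(lambda: {"flows": 0, "pkts": 0, "dst_ports": set()})
    for f in parse_flows(text):
        if f["dst_ip"] == dst_ip:
            s = stats[f["src_ip"]]
            s["flows"] += 1
            s["pkts"] += f["pkts"]
            s["dst_ports"].add(f["dst_port"])
    return dict(stats)

if __name__ == "__main__":
    # Busiest internal source first: that is the host to pull off the LAN and inspect.
    report = talkers_to(SAMPLE_FLOWS, "217.160.208.160")
    for src, s in sorted(report.items(), key=lambda kv: -kv[1]["flows"]):
        print(f"{src:15} flows={s['flows']:2} pkts={s['pkts']:3} dst_ports={sorted(s['dst_ports'])}")
```

Paste the real "show ip cache flow" output into SAMPLE_FLOWS (or read it from a file) and run it a few times during the night-time window the original post mentions, since the cache only holds recent flows.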
