
pix syslog server

ali.asghar
Level 1

I keep getting this error: <163>May 19 2003 23:13:57: %PIX-3-106011: Deny inbound (No xlate) udp src outside:193.146.77.31/1027 dst outside:67.104.55.209/137

In the documentation it says it's a security breach, but I've been getting this for a while. Is it something I should be concerned about? Please advise.

Thanks


devam
Level 1

Hi,

I am also confused by this log message. If you compare the syslog message from the firewall with the documentation, even though the numbers are the same (i.e. 106011), the prefixes are different (i.e. the syslog levels are different). One is level 3 and the other is 7.

If you come across the solution please let me know.

Thank you.

Murthy.

mostiguy
Level 6

It is probably a Windows box that is trying to resolve the name of that machine via a directed NetBIOS query for some reason. Does 67.104.55.209 offer any services to the outside world? Is it part of a global or static pool?

It's the IP out of the global range 67.104.55.209-67.104.55.222.

It does it not only to 209, but to other IPs as well. I do have Websense integrated with the PIX, could that be causing this? Thanks...

Since the IP is in use, it is probably just a directed NetBIOS name query.

If you want to see exactly what I am talking about, install Ethereal on a Windows machine. Start a capture, and open a command prompt.

Type nbtstat -a ip.address

You should see in Ethereal the UDP-based NetBIOS name service requests go out.

Windows tries these when other name resolution methods fail. A lot of sites block all outbound NetBIOS traffic, so that is why you don't see more of them.

Do you have reverse DNS entries for those IP addresses? That may be a contributing factor - when HTTP requests go from that IP to a Windows server, and it tries to log it, and do a reverse DNS lookup, if that fails, Windows might try the directed NBNS query.

kdagostino
Level 1

I have received similar type messages - more than likely you are being port scanned from a remote host trying to gain access to your network. Since it is UDP it is probably spoofed - so you will not be able to trace to it. It is a form of DDoS attack.

http://.isc.incidents.org

Contact your ISP's abuse dept and see if they can assist in blocking the intruders. Other than that if you can find a way to stop them let me know too...
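
An added example (not part of the thread and not Cisco code): a small Python triage over 106011 messages that separates the two explanations offered in the replies above, a source that only ever hits UDP/137 (the directed NetBIOS name query) versus a source touching many destination ports. The scan_ports threshold, the labels and every log line except the first are constructed for illustration.

```python
import re
from collections import defaultdict

# Pattern for the 106011 "Deny inbound (No xlate)" message as quoted in the thread.
MSG = re.compile(
    r"<(?P<pri>\d+)>.*?%PIX-(?P<sev>\d)-106011: Deny inbound \(No xlate\) "
    r"(?P<proto>\w+) src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

def parse(line):
    """Return the fields of one 106011 line, or None if it does not match."""
    m = MSG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Syslog PRI = facility * 8 + severity; severity should agree with %PIX-<sev>.
    rec["facility"], rec["pri_severity"] = divmod(int(rec["pri"]), 8)
    for key in ("sev", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def triage(lines, scan_ports=10):
    """Group denies by source IP -> (label, message count, distinct dst hosts)."""
    by_src = defaultdict(lambda: {"ports": set(), "hosts": set(), "count": 0})
    for rec in filter(None, map(parse, lines)):
        s = by_src[rec["sip"]]
        s["ports"].add((rec["proto"], rec["dport"]))
        s["hosts"].add(rec["dip"])
        s["count"] += 1
    out = {}
    for src, s in by_src.items():
        if s["ports"] == {("udp", 137)}:
            label = "netbios-name-query"      # only NBNS traffic from this source
        elif len(s["ports"]) >= scan_ports:   # assumed threshold, tune per site
            label = "many-ports"
        else:
            label = "other"
        out[src] = (label, s["count"], len(s["hosts"]))
    return out

SAMPLE = [
    # First line is the message quoted in the thread; the rest are constructed.
    "<163>May 19 2003 23:13:57: %PIX-3-106011: Deny inbound (No xlate) udp src outside:193.146.77.31/1027 dst outside:67.104.55.209/137",
    "<163>May 19 2003 23:14:02: %PIX-3-106011: Deny inbound (No xlate) udp src outside:193.146.77.31/1027 dst outside:67.104.55.210/137",
] + [
    f"<163>May 19 2003 23:15:{i:02d}: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.9/4000 dst outside:67.104.55.209/{20 + i}"
    for i in range(12)
]

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE).items():
        print(src, verdict)
```
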
