Using logging & packet-capture to locate virus infected pc

Hi

ATT notified my company that we have a virus-infected PC on one of our networks, which sits behind a Cisco ASA 5505 running 7.2(4).

The setup is a basic inside/outside NAT configuration. They gave us the destination IP address and port that our PC is contacting. I have been tasked with tracking down the infected PC. I created the following access-list and applied it to the inside interface:

access-list VIRUS extended permit tcp any host x.x.x.x eq YYYYY log debugging interval 600

access-group VIRUS in interface inside

I enabled logging to the console, whose output did not list the IP address of the infected PC, only the IP addresses of the DNS servers we were using. I then used the following capture commands to try to locate the internal IP address of the infected PC:

capture in-cap interface inside access-list VIRUS-CAP buffer 1000000 packet 1522

capture in-cap access-list VIRUS-CAP interface inside

Neither step worked, and the resulting console output overwhelmed the firewall in a very short period of time. Before attempting this task again, I would like to know if I am going about this the right way, or whether there is a better methodology.

Any help is greatly appreciated.

d

24 Replies

Hey, you are getting closer.

I don't think you can block traffic based on a MAC.

How about going to the DHCP server the AP is using for address assignment and checking the DHCP bindings? That way you can map the IP address to the MAC.

The ASA 5505 hands out IP addresses via DHCP to the Cisco AP. If we block the computer's current IP address, it will get another IP address before we find it. We want to nuke this problem ASAP before we get shut down.

d

OK, in that case, check if the AP allows MAC filtering and ban the MAC of the PC. Depending on the AP model, I think you may have the option to do it.

In any case, if you just block this guy's IP with an ACL, for example, I don't think the IP address will change so quickly; you are just blocking his path, not forcing him to renew his IP. The IP should remain as long as the lease is good.

Let me know if you catch him.

Hi Douglas, were you able to catch this guy?

Hi

I have not, but I am still working on it. I installed Kiwi Syslog to monitor network activity, but that is about it. This weekend, when I have a chance, I will post more details of what I have done and plan to do.

d

If I may, I have some suggestions.

You know the MAC address.

Since you know the MAC address, go to the firewall and do a "sh arp | i xxxx.yyyy.zzzz", where the last string is the MAC address of the system you want to find. That will give you the address.

Do a ping -a "ip-address" on a Windows machine in the same network.

That will, if you are lucky, give you the Windows name of the machine.

Go and shut down the wireless of that machine.

Is the problem gone?

Yes = you nailed it. Now do forensics on why this happened and think out a way to not let it happen again.

No = sorry, try and try again.

If you use Kiwi Syslog, then you can easily get the information you need (if you are logging it) from the syslog server.

Then ask the ISP for the information again.

Then just do a grep of the file for the IP address you got from them (yes, you can use GNU grep for Windows) and it will tell you who the aggressor is.

If I were you, I would go and buy Kiwi Syslog. Why? Well, because it's a good product, and compressing and splitting files and so on is a really good thing you get with the bought version.

If possible, I log everything. As I see it, it is better to have too much information than too little.

Another good tool to use with Kiwi is tail, e.g. WinTail.

Just a heads-up.

HTH

Good luck
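Both the access-list logging in the original post and the grep-the-syslog suggestion in the reply above come down to the same filter: take the destination IP and port the ISP supplied and pull out the inside addresses that talked to it. The following is an added example, not code from the thread, that does this over ASA syslog in Python. It parses the %ASA-6-106100 lines that the `log` keyword on an access-list entry produces (one line per interval, carrying a hit count) and the %ASA-6-302013 "Built outbound TCP connection" lines, and sums hits per inside host. The sample lines are constructed in those two formats; the hostname, ACL name and addresses (RFC 5737 ranges) are assumptions. Two ASA-side caveats worth keeping in mind: an applied access-group ends in an implicit deny, so an inside ACL that contains only the logged permit line drops all other inside traffic unless a permit for the rest follows it, and `log debugging` makes message 106100 a level-7 message, so the console floods at that level while a syslog host (`logging host inside <ip>`) only receives it if the trap level includes debugging.

```python
import re
from collections import Counter

# Constructed sample syslog in the two ASA message formats that matter here (not from
# the thread). %ASA-6-106100 is what "log" on an access-list entry emits; %ASA-6-302013
# is connection setup. Hostname, ACL name and addresses (RFC 5737 ranges) are assumptions.
SAMPLE_SYSLOG = """\
<182>Jan 14 2012 09:12:01 asa5505 : %ASA-6-106100: access-list VIRUS permitted tcp inside/10.10.20.37(49212) -> outside/198.51.100.23(8000) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
<182>Jan 14 2012 09:12:03 asa5505 : %ASA-6-106100: access-list VIRUS permitted udp inside/10.10.20.2(53122) -> outside/198.51.100.5(53) hit-cnt 1 first hit [0x11111111, 0x0]
<182>Jan 14 2012 09:22:01 asa5505 : %ASA-6-106100: access-list VIRUS permitted tcp inside/10.10.20.37(49213) -> outside/198.51.100.23(8000) hit-cnt 12 600-second interval [0x1a2b3c4d, 0x0]
<182>Jan 14 2012 09:22:05 asa5505 : %ASA-6-106100: access-list VIRUS permitted tcp inside/10.10.20.41(50001) -> outside/198.51.100.23(8000) hit-cnt 1 first hit [0x1a2b3c4e, 0x0]
<182>Jan 14 2012 09:22:09 asa5505 : %ASA-6-302013: Built outbound TCP connection 8123 for outside:198.51.100.23/8000 (198.51.100.23/8000) to inside:10.10.20.37/49214 (203.0.113.7/1025)
"""

# access-list <name> permitted|denied <proto> <if>/<src>(<sport>) -> <if>/<dst>(<dport>) hit-cnt <n> ...
ACL_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src_if>\S+)/(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>\S+)/(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)
# Outbound form lists the outside peer first ("for") and the inside initiator second ("to").
CONN_RE = re.compile(
    r"%ASA-\d-302013: Built outbound TCP connection \d+ for "
    r"(?P<peer_if>\S+):(?P<peer>\d+\.\d+\.\d+\.\d+)/(?P<peer_port>\d+) \([^)]*\) to "
    r"(?P<host_if>\S+):(?P<host>\d+\.\d+\.\d+\.\d+)/(?P<host_port>\d+)"
)


def suspect_hosts(log_text, dst_ip, dst_port):
    """Return {inside_ip: hits} for every host seen contacting dst_ip:dst_port."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ACL_RE.search(line)
        if m:
            # Both permitted and denied count: the host tried to reach the destination.
            if m["dst"] == dst_ip and int(m["dport"]) == dst_port:
                hits[m["src"]] += int(m["hits"])  # one line summarises a whole interval
            continue
        m = CONN_RE.search(line)
        if m and m["peer"] == dst_ip and int(m["peer_port"]) == dst_port:
            hits[m["host"]] += 1
    return dict(hits)


def ranked(log_text, dst_ip, dst_port):
    """Suspects ordered by hit count, most active first."""
    return sorted(suspect_hosts(log_text, dst_ip, dst_port).items(),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    # Destination and port stand in for the values the ISP supplied.
    for ip, n in ranked(SAMPLE_SYSLOG, "198.51.100.23", 8000):
        print(f"{ip:16} {n} hits")
```

Run it against the file Kiwi writes (replace SAMPLE_SYSLOG with the file contents) and the top entry is the inside address to take to `show arp` and the DHCP bindings; the DNS server line in the sample is left out because its destination does not match, which is the distinction the original console output did not make.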

Hi

Things got interesting today when I discovered a MAC address associated with an "interesting" public IP address and an ASA DHCP-leased internal IP address. I know ARP and IP addresses can be spoofed. The network associated with this issue has six VLANs. I am using ASDM 6.4(5) running on 8.4(2) and the CNA 6.5.3. It has been very hard to associate the MAC address with the exact switch and port, as the VLANs are trunked to each switch. The mac-address table has not yielded any clues. Any suggestions on tracking down this port? All suggestions have been futile.

d

First of all, skip the graphical stuff and start using the CLI.

It will give you a better understanding.

Second, yes, MAC and IP addresses can be spoofed, but that has no real bearing in this case.

Third:

Follow the MAC address from the switch nearest the firewall.

Use the CLI.

To find what MAC address is on what port, use the command

sh mac address-table | i xxxx.yyyy.zzzz

That will give you the port that the MAC address is connected to for that switch.

Now connect to the switch that the link goes to and repeat the command.

(You can use copy and paste.)

Do this until you find the port that only has a computer installed on it.

That's the one.

Or, if you are able to, you can use the "traceroute mac ip" command.

Set one of the IP addresses to trace between to the ASA firewall.

That will give you the start and endpoint if the network is set up to allow it.

I notice that there is no more talk about the wireless.

If you think the answers help you, please rate.
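The hop-by-hop walk described in the reply above, as an added example that is not from the thread: it takes `show mac address-table` output captured from each switch plus a map of which local ports are uplinks to which neighbor (what `show cdp neighbors` gives you), starts at the switch nearest the firewall and follows the MAC until it lands on a port that is not an uplink. It also counts how many other MACs the switch has learned on that final port, because in a network like the one described an access point or an unmanaged switch shows up as one port carrying many MACs, which is where the "port that only has a computer on it" test stops short and MAC filtering on the AP becomes the next step. Switch names, port names, MAC addresses and the neighbor map are all constructed.

```python
import re

# Constructed "show mac address-table" output from three switches (not from the thread).
# 0013.46ab.cd01 is the MAC being hunted; 001b.2f11.aa10 stands in for the ASA's inside
# interface, learned on each switch's uplink towards the firewall.
MAC_TABLES = {
    "sw-core": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    001b.2f11.aa10    DYNAMIC     Gi0/1
  20    0013.46ab.cd01    DYNAMIC     Gi0/24
  20    0013.46ab.cd02    DYNAMIC     Gi0/24
  30    0022.15cc.0001    DYNAMIC     Gi0/24
""",
    "sw-floor2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    001b.2f11.aa10    DYNAMIC     Fa0/24
  20    0013.46ab.cd01    DYNAMIC     Fa0/12
  20    0013.46ab.cd02    DYNAMIC     Fa0/12
  30    0022.15cc.0001    DYNAMIC     Fa0/5
""",
    "sw-floor3": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    001b.2f11.aa10    DYNAMIC     Fa0/24
  20    0013.46ab.cd01    DYNAMIC     Fa0/7
  20    0013.46ab.cd02    DYNAMIC     Fa0/7
  20    0013.46ab.cd09    DYNAMIC     Fa0/7
""",
}

# Constructed neighbor map, as read off "show cdp neighbors" on each switch:
# (switch, local port) -> neighbor switch. Any port not listed here is treated as an edge port.
UPLINKS = {
    ("sw-core", "Gi0/24"): "sw-floor2",
    ("sw-floor2", "Fa0/24"): "sw-core",
    ("sw-floor2", "Fa0/12"): "sw-floor3",
    ("sw-floor3", "Fa0/24"): "sw-floor2",
}

# One table row: vlan, dotted-hex MAC, type, port. Header and separator lines do not match.
MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)


def parse_mac_table(text):
    """Return (mac -> port, port -> set of macs) from one switch's MAC table."""
    by_mac, by_port = {}, {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            _vlan, mac, port = m.groups()
            mac = mac.lower()
            by_mac[mac] = port
            by_port.setdefault(port, set()).add(mac)
    return by_mac, by_port


def trace_mac(mac, start, tables, uplinks, max_hops=16):
    """Walk the MAC from `start` (the switch nearest the firewall) towards the edge.

    Returns (path, kind, detail): path is the list of (switch, port) hops taken, kind is
    one of single-host / shared-port / not-learned / loop, detail is a human-readable note.
    """
    mac = mac.lower()
    path, switch = [], start
    for _ in range(max_hops):
        by_mac, by_port = parse_mac_table(tables[switch])
        port = by_mac.get(mac)
        if port is None:
            # Dynamic entries age out; the host has to be sending traffic to be learned.
            return path, "not-learned", f"{mac} not in {switch}'s table; ping it and retry"
        path.append((switch, port))
        nxt = uplinks.get((switch, port))
        if nxt is None:
            others = len(by_port[port]) - 1
            if others:
                return path, "shared-port", (f"{switch} {port} carries {others} other MAC(s): "
                                             "likely an AP or unmanaged switch, not one PC")
            return path, "single-host", f"{switch} {port} has only this MAC"
        switch = nxt  # the MAC points down a trunk: repeat the lookup on the neighbor
    return path, "loop", "hop limit reached; check the neighbor map"


if __name__ == "__main__":
    for target in ("0013.46ab.cd01", "0022.15cc.0001"):
        path, kind, detail = trace_mac(target, "sw-core", MAC_TABLES, UPLINKS)
        print(target, " -> ".join(f"{s}:{p}" for s, p in path), kind, detail)
```

In the constructed data the hunted MAC ends on sw-floor3 Fa0/7 together with two others, so that port is the AP, not the PC; the second MAC ends alone on sw-floor2 Fa0/5, which is the single-host case the reply describes.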

Good Evening!

Thanks for taking the time to help me out. The Conficker traffic has not surfaced in the last week or so, though I still believe the infected PC is in the building.

Back to the topic at hand: how can several public IP addresses be associated with a MAC address which is also associated with a private IP address (10.x.x.x) handed out via the ASA's DHCP server? Tomorrow I will start with the switch closest to the firewall and start monitoring using your suggestions.

Part of the problem is that there is very little network documentation. Until recently, we gave permanent tenants network access and provided wireless Internet access to the hotel guests. Now that has changed with the Conficker traffic issue and the strange stuff we see while we are monitoring the network.

We now change the passwords on the wireless AP (for the hotel guests) on a weekly basis so the permanent building tenants do not use all the bandwidth accessing sites or performing activities their internal wired networks prevent them from doing. The hotel staff give out the password to anyone who asks. Arrgghh.

Thanks for all your help.

d

Hi

I am back, as ATT is still sending us warnings. We now want to block all but well-known ports until we find this PC. What ports should we keep open? And should we block the source and destination ports? My instinct says yes on the latter. Any help is greatly appreciated.

d
