Can anyone explain why I'm getting this in my pix logs
2003-04-23 02:10:17 Local4.Warning 10.0.13.253 Apr 23 2003 02:09:03: %PIX-4-106023: Deny udp src inside:126.96.36.199/137 dst outside:188.8.131.52/137 by access-group "inbound-in"
We use a 10.0.0.0 range on our network.
184.108.40.206.1 is not a valid host on our network.
Thanks for any help!
Looks like a Client/PC on your inside network is trying to access the outside, try to see if you can ping that address from the inside also port 137 is a NETBIOS Name Service used by UDP and TCP, in your case it's a UDP packet that is trying to access the Outside. Makesure that there isn't any PC's/Servers on your inside that is configured with the 220.127.116.11 IP address.
Hope this helps..
this should be very helpful to you.
do a search on the message code....example in your case 106023.
hope this helps.
Yeah I guess I should have mentioned that I have tried to ping the 18.104.22.168 address and I do not get a response. I am currently sniffing all traffic that goes to the inside interface on my pix and I found that the data being sent is A........... CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..!..
which appears to be a legitimate netbios broadcast. The only concern I have is that the 22.214.171.124 address scheme is not in use on our network and the it seems to be trying to get to 126.96.36.199 which is an address over in Asia (concern)
but atleast I know no damage is being done, cuase it is being blocked.
188.8.131.52 is sometimes used as a loop back address or other times for testing purposes. Traffic can source from a loop back adaptor or from a second NIC on a server and make its way onto the network. Because it is not a valid address on the network, traffic will never get back to the computer generating this traffic, but this does not stop the traffic from continuing to be sent out. More than likely, there is no malicious intent behind these packets. Its probably a mis-configured server/workstation on your network. If this traffic follows a regular pattern, you may be able to track it down with the help of a sniffer. Go from VLAN to VLAN until you find the one the traffic is sourcing from. Then narrow down your span session until you find the source port. This may be a lot of work and its up to you whether it's worth the effort. You may be content that the traffic is being denied be the firewall.
Good info. Thanks for your reply. Ive been applying access lists on our core router in an attempt to try to narrow it down to a physical link on the network. Also I have been utilizing port monitor (thats how I was able to capture the data being sent with ethereal) that actual data that is being transmitted seems to be a legitimate NetBIOS query I just dont understand why it is directed at host 184.108.40.206 which I believe to be located in Australia.
Thanks for the info. Dont know that I will spend much time on this .because I believe the traffic being transmitted is a legitimate query and not a worm or malicious attack.