Unknown Destination IP in Access List Log

jazzamac
Level 1

I've got an access list denying SSH on my WAN IP. I'm logging the denied attempt.

In the logs, the destination is showing an IP that isn't my WAN IP. It also isn't the same IP every time, but they are all in the 4*.*.*.* range.


I thought the destination would be my WAN IP. Am I missing anything?

8 Replies

Kevin Kilgore
Level 1

What model device is it?

It's a 1921 with 2 VDSL EHWICs

Kevin Kilgore
Level 1

I imagine this could be a lengthy Q&A since it's a strange issue. In hopes of avoiding that, posting your config is probably the best way to go forward.

Actually, you could just tell me the IP and subnet mask of your WAN interface, and are you running a routing protocol with your ISP?

My WAN connection is a VDSL2 service that uses IPoE which assigns a sticky IP to Eth 0/0/0.

I also have a second VDSL service that uses PPPoE.


!
! Last configuration change at 13:53:42 AEST Sat Apr 17 2021 by admin
! NVRAM config last updated at 22:19:48 AEST Fri Apr 16 2021 by admin
!
version 15.7
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
no service password-encryption
!
hostname RT01
!
boot-start-marker
boot system flash c1900-universalk9-mz.SPA.157-3.M8.bin
boot-end-marker
!
!
no logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_access local
aaa authentication login SSLVPN_AAA local
!
!
!
!
!
!
aaa session-id common
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
!
!
!
!
!
!
!
!
!
!
!
!
ip name-server 10.0.0.21
ip name-server 10.0.0.22
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
 nbar-classify
multilink bundle-name authenticated
!
!
crypto pki trustpoint SSLVPN_CERT
 enrollment selfsigned
 subject-name CN=RT01
 revocation-check crl
 rsakeypair SSLVPN_KEYPAIR
!
!
crypto pki certificate chain SSLVPN_CERT
 certificate self-signed 01
******
  	quit
license udi pid CISCO1921/K9 sn **********
!
!
object-group service INTERNAL_UTM_SERVICE 
!
object-group network Others_dst_net 
 any
!
object-group network Others_src_net 
 any
!
object-group service Others_svc 
 ip
!
object-group network Web_dst_net 
 any
!
object-group network Web_src_net 
 any
!
object-group service Web_svc 
 ip
!
object-group network local_cws_net 
!
object-group network local_lan_subnets 
 any
!
object-group network vpn_remote_subnets 
 any
!
username ***** privilege 15 secret 5 **********

!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
 firmware filename flash:VA_B_38V_d24m.bin
!
controller VDSL 0/1/0
 firmware filename flash:VA_B_38V_d24m.bin
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
 match protocol msnmsgr
 match protocol ymsgr
class-map type inspect match-any Others_app
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol sip
 match protocol ftp
 match protocol dns
 match protocol icmp
class-map type inspect match-any Web_app
 match protocol http
class-map type inspect match-all Others
 match class-map Others_app
 match access-group name Others_acl
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
 class type inspect Web
  inspect 
 class type inspect Others
  inspect 
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
! 
!
crypto vpn anyconnect usbflash0:/webvpn/anyconnect-macos-4.10.00093-webdeploy-k9.pkg sequence 1
!
crypto vpn anyconnect usbflash0:/webvpn/anyconnect-win-4.10.00093-webdeploy-k9.pkg sequence 2
!
crypto isakmp policy 1
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address pd-ipv6 ::1:0:0:0:1/64
 ipv6 enable
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0/0/0
 description ABB
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
!
interface ATM0/1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0/1/0
 ip address dhcp
!
interface Ethernet0/1/0.2
 encapsulation dot1Q 2
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1
 ip unnumbered Loopback0
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp mtu adaptive
 ppp authentication chap callin
 ppp chap hostname *@*.*.*
 ppp chap password 0 *********
!
ip local pool SSLVPN_POOL 10.0.0.180 10.0.0.199
ip forward-protocol nd
!
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
ip http secure-server
!
ip nat inside source list nat-list interface Ethernet0/0/0 overload
!
ip access-list extended Disable_SSH
 permit tcp 10.0.0.0 0.0.0.255 any eq 22 log
 deny   ip any any log
ip access-list extended Others_acl
 permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
 permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
!
logging origin-id hostname
logging source-interface Ethernet0/0/0
logging host *.*.*.* transport udp port *
!
!
snmp-server community HomeRO RO
access-list 1 permit 10.0.0.0 0.0.0.255
!
!
!
ipv6 access-list al-ipv6-e0-in
 permit icmp any any
 permit tcp any any established
 permit udp any any eq 546
 permit udp any eq domain any
!
control-plane
!
!
line con 0
 logging synchronous
 login authentication local_access
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class Disable_SSH in
 exec-timeout 30 0
 timeout login response 60
 privilege level 15
 logging synchronous
 login authentication local_access
 autocommand  terminal monitor
 autocommand-options nohangup
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 216.239.35.0
ntp server 216.239.35.8
ntp server 216.239.35.4
ntp server 216.239.35.12
event manager applet storePreferences
 event none sync yes
 action 1 file open LOG usbflash0:ccpexp/preferences.JSON w+
 action 3 file close LOG
!
!
webvpn gateway SSLVPN_GATEWAY
 ip interface Ethernet0/0/0 port 4443
 ssl trustpoint SSLVPN_CERT
 inservice
 !
webvpn context SSLVPN_CONTEXT
 virtual-template 1
 aaa authentication list SSLVPN_AAA
 gateway SSLVPN_GATEWAY
 !
 ssl authenticate verify all
 inservice
 !
 policy group SSLVPN_POLICY
   functions svc-enabled
   svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
   svc split include acl 1
   svc dns-server primary 10.0.0.21
   svc dns-server secondary 10.0.0.22
 default-group-policy SSLVPN_POLICY
!
end

Hello

As this router looks like it's attached to the internet edge and the line vty access-list is ingress, it's possible you could be being scanned from these unknown addresses on SSH.



Kind Regards
Paul

Here is an example log:

RT01: .Apr 17 2021 20:01:00.398 AEST: %SEC-6-IPACCESSLOGP: list Disable_SSH denied tcp 1.129.107.***(36451) -> 44.206.104.***(22), 1 packet

1.129.107.*** is the public IP of my mobile broadband service I am testing from. 44.206.104.*** is an AWS IP. My WAN IP is not in that range.
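A small triage script for the %SEC-6-IPACCESSLOGP lines quoted above, added here as an example (not code from the thread or from Cisco): it parses the ACL log fields and counts denied hits whose destination is not one of the router's own addresses, which is the check the poster is effectively doing by hand. The sample log lines and the local address list are constructed with RFC 5737 documentation addresses (203.0.113.5 stands in for the WAN IP).

```python
import re
import ipaddress
from collections import Counter

# Field layout of the IOS %SEC-6-IPACCESSLOGP message as quoted in the thread:
# "... %SEC-6-IPACCESSLOGP: list <acl> denied tcp <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

def parse_line(line):
    """Return a dict of the ACL log fields, or None if the line is not an IPACCESSLOGP message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def unexpected_destinations(lines, local_addrs):
    """Count denied packets per (src, dst) whose destination is not a router-owned address.

    local_addrs: the router's own interface addresses (WAN, LAN, loopback) as strings.
    A hit here means the router saw and dropped a packet addressed to an IP it does not own,
    which is worth investigating on the WAN link as suggested later in the thread.
    """
    local = {ipaddress.ip_address(a) for a in local_addrs}
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        if ipaddress.ip_address(rec["dst"]) not in local:
            hits[(rec["src"], rec["dst"])] += rec["count"]
    return hits

# Constructed sample lines (documentation addresses only; not the poster's real log).
SAMPLE_LOG = [
    "RT01: .Apr 17 2021 20:01:00.398 AEST: %SEC-6-IPACCESSLOGP: list Disable_SSH denied tcp 192.0.2.10(36451) -> 198.51.100.7(22), 1 packet",
    "RT01: .Apr 17 2021 20:01:05.120 AEST: %SEC-6-IPACCESSLOGP: list Disable_SSH denied tcp 192.0.2.10(36452) -> 198.51.100.9(22), 3 packets",
    "RT01: .Apr 17 2021 20:02:11.004 AEST: %SEC-6-IPACCESSLOGP: list Disable_SSH permitted tcp 10.0.0.5(51000) -> 10.0.0.254(22), 1 packet",
    "RT01: .Apr 17 2021 20:03:40.771 AEST: %SEC-6-IPACCESSLOGP: list Disable_SSH denied tcp 192.0.2.77(4022) -> 203.0.113.5(22), 1 packet",
    "RT01: .Apr 17 2021 20:04:00.000 AEST: %SYS-5-CONFIG_I: Configured from console by admin",
]
LOCAL_ADDRS = ["203.0.113.5", "10.0.0.254", "172.16.1.1"]  # assumed WAN, LAN and Loopback0 addresses

if __name__ == "__main__":
    for (src, dst), n in unexpected_destinations(SAMPLE_LOG, LOCAL_ADDRS).items():
        print(f"{src} -> {dst}: {n} denied packet(s) to a non-local destination")
```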

Kevin Kilgore
Level 1

That's bizarre. Are you sure your IP isn't in that range? What's your subnet mask?

If you're correct, this looks like a massive fail by your ISP. I don't even know how they would be sending you those packets.


It would be interesting to do a Wireshark capture on that link and see if the packets are being forwarded to you as if you own that IP space, or if there's an ARP first as if that IP is connected. Look at the destination MAC of the packet. Is it a broadcast?


Maybe tap into that link with your laptop and see if you can ping the address while wiresharking your session.


Not sure where you go from there or what you can do about it, but maybe you'll pull on a thread that unravels.
