7745 Views · 5 Helpful · 5 Replies

Why is local IP (192.168.1.1) being routed through internet routers?

vzvonarov1
Level 1

I have a network with a couple of subnets (let's say 192.168.50.0/24 and 192.168.51.0/24) connected to a Cisco router that is configured for NAT (PAT). The router's WAN interface is an outside global IP address. The weird thing is - if I ping the IP 192.168.1.1 from one of my clients on the 192.168.50.0/24 network, I get a response. Traceroute tells me that 192.168.1.1 is on the internet side of my Cisco router (it gets a few hops past my Cisco router), and running an OS discovery option with nmap on 192.168.1.1 tells me it's a Cisco device.

I actually have a few questions about this:

1. Is this expected behaviour? Why would a local IP address be routed on the internet? I thought that the ICMP packet would be dropped when the router figured out that it has no route for that network, and the default route goes through a WAN interface, but it appears this is not the case.

2. If this is indeed what's happening, is this a security problem?

3. How can I stop this? Are ACLs the only way, or is there some option in IOS to stop this from happening?

Accepted Solution

Peter Paluch
Cisco Employee

Hi Vitaliy,

Obviously, your provider is using private IP addresses in his own network, and he does not properly prevent privately addressed packets from entering/leaving his network.

1. Is this expected behaviour? Why would a local IP address be routed on the internet? I thought that the ICMP packet would be dropped when the router figured out that it has no route for that network, and the default route goes through a WAN interface, but it appears this is not the case.

Well, a private IP address is just like any other address. Apart from the fact that these IP addresses are set aside for free use in internal networks, there is nothing different about processing privately addressed IP packets. The router does not distinguish between private and public IP addresses, nor does it distinguish between LAN and WAN interfaces. Simply, your router receives a packet, determines in the routing table that the destination can be reached via the WAN interface, and sends the packet out that interface. The destination happens to receive that packet and to know the route back, so it responds. Note that in your particular case, the destination 192.168.1.1 responds to the global IP address used on your WAN interface thanks to the PAT configured on your router.

2. If this is indeed what's happening, is this a security problem?

I do not see this primarily as a security threat but surely an annoyance. By definition, privately addressed flows should be contained within the scope of the network they are used in, and should not leave the administrative domain in which they are legally used. However, there may be security issues involved - think of an attacker in the ISP's network having the same IP address as your private network. Obviously, the ISP has no problems sending privately addressed IP packets to your global IP, so if it happens to pass through the PAT into your internal network, the packet is considered to be sent from a machine on the local network. Now think of TCP SYN floods, ICMP attacks, etc. - all of them can be accomplished easily and the attacker is safe because it is considered to be local.

3. How can I stop this? Are ACLs the only way, or is there some option in IOS to stop this from happening?

ACLs are probably the way to go here. I am not aware of any automatized gadget in IOS that would magically stop privately addressed flows from entering or leaving an interface. What is possible is the unicast reverse path forwarding check, or uRPF - you check whether the source IP address of a packet received on an interface matches the route back to its sender. If a packet comes in an interface but the source IP address is reachable, according to your routing table, via a different interface, the packet can be dropped. This won't prevent privately addressed packets from flowing through your router per se but at least, it can prevent someone from outside from spoofing your own local address ranges.

The uRPF is configured on individual interfaces for ingress traffic using the command

ip verify unicast source reachable-via rx allow-default

The allow-default keyword in this case allows incoming packets to be source-matched to the default route. This is necessary for a WAN interface.

There are RFCs that comment on best practices for ISPs and customers, and you may be interested in reading them even if you are a customer of an ISP - just to have an idea of what protections a good ISP and a good customer should have in place - check RFCs 2827, 3013 and 3704.

Please feel welcome to ask further!

Best regards,

Peter
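The forwarding and anti-spoofing decisions Peter describes can be modelled in a few lines. The following is an added example written for this thread, not code from the thread or from Cisco: it builds a constructed routing table matching the questioner's setup (two LAN subnets plus a default route out the WAN; the interface names Gi0/0, Gi0/1, Gi0/2 and the sample addresses are assumptions), then shows why a ping to 192.168.1.1 leaves via the WAN, how a strict uRPF check behaves with and without `allow-default`, and why an explicit RFC 1918 ACL is still needed alongside uRPF. The uRPF function is a model of the check described above, not IOS's implementation; PAT is left out, so inbound packets are shown already translated to their internal destination.

```python
import ipaddress

# Constructed routing table for the router in the question: two LAN subnets
# and a default route out the WAN interface. Interface names are assumptions.
ROUTES = [
    (ipaddress.ip_network("192.168.50.0/24"), "Gi0/0"),  # LAN A
    (ipaddress.ip_network("192.168.51.0/24"), "Gi0/1"),  # LAN B
    (ipaddress.ip_network("0.0.0.0/0"), "Gi0/2"),        # default route -> WAN
]
WAN = "Gi0/2"

# RFC 1918 ranges, listed explicitly rather than via ip_address.is_private,
# which also covers loopback, link-local and other non-RFC 1918 space.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def lookup(dst):
    """Longest-prefix match. Returns (prefix, interface) or None.
    'Private' plays no part here: 192.168.1.1 simply fails to match either
    LAN prefix and falls through to the default route, exactly as observed."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in ROUTES:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best


def urpf_strict(src, ingress_if, allow_default):
    """Model of strict uRPF ('ip verify unicast source reachable-via rx'):
    pass only if the route back to src points out the interface the packet
    arrived on. Without allow-default, a hit on 0.0.0.0/0 does not count as
    a route, so on a WAN interface every Internet source would be dropped."""
    match = lookup(src)
    if match is None:
        return False
    prefix, ifname = match
    if prefix.prefixlen == 0 and not allow_default:
        return False
    return ifname == ingress_if


def forward(src, dst, ingress_if, allow_default=True, private_filter=True):
    """Decide what happens to one packet: 'forward:<if>' or 'drop:<why>'.
    PAT is out of scope; inbound packets are given post-translation."""
    # 1. Anti-spoofing check on the ingress interface (uRPF).
    if not urpf_strict(src, ingress_if, allow_default):
        return "drop:urpf"
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 2. ACL-style rule: no private sources arriving from the WAN.
    if private_filter and ingress_if == WAN and is_rfc1918(src_ip):
        return "drop:acl-in"
    route = lookup(dst)
    if route is None:
        return "drop:no-route"
    egress_if = route[1]
    # 3. ACL-style rule: no private destinations leaving via the WAN.
    if private_filter and egress_if == WAN and is_rfc1918(dst_ip):
        return "drop:acl-out"
    return f"forward:{egress_if}"


def demo():
    """The cases discussed in the thread, as (description, decision) pairs."""
    lan_host, isp_private, internet_host = "192.168.50.10", "192.168.1.1", "198.51.100.7"
    return {
        # What the questioner observed: the ping to 192.168.1.1 leaves via the WAN.
        "ping 192.168.1.1, no filter": forward(lan_host, isp_private, "Gi0/0", private_filter=False),
        "ping 192.168.1.1, with ACL": forward(lan_host, isp_private, "Gi0/0"),
        # Outsider using one of our own LAN addresses: uRPF alone catches it.
        "spoofed LAN src from WAN": forward("192.168.50.5", lan_host, WAN, private_filter=False),
        # Outsider using the ISP's private address: uRPF passes it, the ACL does not.
        "ISP private src, uRPF only": forward(isp_private, lan_host, WAN, private_filter=False),
        "ISP private src, uRPF + ACL": forward(isp_private, lan_host, WAN),
        # Why allow-default is needed on the WAN interface.
        "Internet src, no allow-default": forward(internet_host, lan_host, WAN, allow_default=False),
        "Internet src, allow-default": forward(internet_host, lan_host, WAN),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:32} -> {decision}")
```

The two "ISP private src" cases are the point of the answer above: a source that is only reachable via the default route passes strict uRPF on the WAN interface once `allow-default` is set, so only an explicit deny of the RFC 1918 ranges keeps such packets out; uRPF's contribution is the "spoofed LAN src" case, where the route back to the claimed source points at a LAN interface.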


5 Replies


Thank you for the information, as well as the detailed explanation. I always assumed that the router just kept internal IPs from going out WAN interfaces, but your explanation makes it obvious that this assumption was wrong.

I will add some rules to my existing ACLs to address this issue, and will do some reading about uRPF, but it definitely sounds like something I should be using. Thank you for suggesting it, and outlining how to use it - that should make it very easy to implement.

As someone who is always interested in learning anything new about computers and networks, and who might someday work for a large ISP, the RFCs should be an interesting read.

Thanks again.

192.168.l.l is a special IP number to access your local wireless router device. Many brands use variations such as Belkin 192.168.2.1, Cisco 192.168.l.l Linksys, D-link 192.168.0.1, NETGEAR 192.168.o.1.1 IP address 192.168.1.1. You can change your default gateway through the modem if you wish. For this, you can enter a number like LAN and WLAN settings like DHCP client 1.0.0.1 - 1.0.0.xxx.

For further assistance and support, please check out our 10.0.0.0.1 - 10.0.0.1 router IP Details support page.

modemtr
Level 1

If you enter 192.168.l.l to 192.168.1.1 modem router administrator password & login IP addresses. The 192.168.1.1 IP address is the address of your ADSL modem administration panel. All the manufacturers of modems provide the latest software in their modems for easy and user-friendly management. The software that is installed on the modem provides you various features, including configuring the new settings and customizing other important options.

If you are using this router, controlling the devices connected to your network and access permissions is very simple thanks to the router’s mobile application. It also offers access to their programs to Alexa or Echo, who assist them for the uninhabited dragon during the day.
