05-28-2013 04:20 PM - edited 03-07-2019 01:36 PM
Hi, my router is hit by fake traffic from IP 10.10.101.33.
I can see it in my accounting packets.
10.10.101.33 doesn't exist in my LAN; it's not a valid IP.
sh ip route 10.10.101.33
% Subnet not in table
Default route goes to Cisco ASA.
How can I find out the MAC of this IP, or any other way to find out where this IP belongs in my LAN?
That's what I see in accounting.
And on the firewall, all I see is SYN packets coming from inside and going to outside.
sh ip accounting | i 10.10.101.33
Logs on Cisco ASA
sh conn long | inc 10.10.101.33
TCP OUTSIDE:39.152.53.111/3306 (39.152.53.111/3306) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:39.152.53.111/1433 (39.152.53.111/1433) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:39.152.53.110/135 (39.152.53.110/135) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:39.152.53.110/3306 (39.152.53.110/3306) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:121.14.53.120/1433 (121.14.53.120/1433) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:39.152.53.110/1433 (39.152.53.110/1433) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:222.72.1.181/135 (222.72.1.181/135) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:121.14.53.119/6673 (121.14.53.119/6673) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
TCP OUTSIDE:39.152.53.109/6667 (39.152.53.109/6667) INSIDE:10.10.101.33/8888 (10.10.101.33/8888), flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
05-28-2013 07:09 PM
Try having a look in the ARP table.
Show arp | inc x.x.x.x
05-28-2013 10:36 PM
Once you have the MAC address using what Bilal wrote, enter "show mac address-table xxxx.xxxx.xxxx" to find the interface it's connected to.
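The lookup chain suggested in the replies above (IP to MAC via the ARP table, then MAC to switch port via the MAC address table), as an added Python example that is not part of the thread. The command output is constructed sample text in the usual IOS column layout, and the `UPLINKS` set and the function names are assumptions for illustration.

```python
import re

# Constructed sample output (not from the thread), in the usual IOS column layout.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.101.33            2   0011.2233.4455  ARPA   Vlan10
Internet  10.10.101.40            0   Incomplete      ARPA
Internet  10.10.101.1             -   00aa.bbcc.dd01  ARPA   Vlan10
"""
SHOW_MAC = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/24
  10    00aa.bbcc.dd02    DYNAMIC     Gi1/0/7
"""
UPLINKS = {"Gi1/0/24"}  # assumption: ports known to lead to another switch
MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def mac_for_ip(arp_text, ip):
    """Return the MAC the ARP table holds for ip, or None if absent or Incomplete."""
    for line in arp_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "Internet" and fields[1] == ip:
            mac = fields[3].lower()
            return mac if re.fullmatch(MAC_RE, mac) else None
    return None

def port_for_mac(mac_text, mac):
    """Return (vlan, port) where the switch learned mac, or None."""
    for line in mac_text.splitlines():
        m = re.match(rf"\s*(\d+)\s+({MAC_RE})\s+\S+\s+(\S+)", line, re.I)
        if m and m.group(2).lower() == mac.lower():
            return int(m.group(1)), m.group(3)
    return None

def locate(ip, arp_text=SHOW_ARP, mac_text=SHOW_MAC, uplinks=UPLINKS):
    mac = mac_for_ip(arp_text, ip)
    if mac is None:
        return {"ip": ip, "mac": None, "port": None, "next": "no usable ARP entry"}
    hit = port_for_mac(mac_text, mac)
    if hit is None:
        return {"ip": ip, "mac": mac, "port": None, "next": "MAC not learned on this switch"}
    vlan, port = hit
    nxt = "repeat on the switch behind this port" if port in uplinks else "edge port found"
    return {"ip": ip, "mac": mac, "vlan": vlan, "port": port, "next": nxt}

if __name__ == "__main__":
    for ip in ("10.10.101.33", "10.10.101.40", "10.10.101.1"):
        print(locate(ip))
```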