I started to see ACL denied logs from private IP addresses (192.168.30.x, 192.168.20.x) that are not configured for this network. How can I find where these devices are connected to the network?
I'd appreciate any ideas. Thanks!
Can you tell us a little about what happened? Do you route for these networks or were they seen on the outside interface of your router? Do you have a vpn tunnel established with anyone?
A week ago when I was reviewing the logs in the router, I started to see denied logs from private IPs that I don't know. The IPs (192.168.30.x and 192.168.20.x) are trying to get access to another private vlan (192.168.15.x) established for netbackup and that's configured in the router.
I don't have a VPN tunnel.
It's going to be difficult to tell you, other than: if you don't know where they came from, as in you have no idea where this private subnet resides, then it's possibly someone trying to spoof an address as a private-side address.
You state that you find this in the logs.
What does the logfile tell you?
Where is the ACL set up? (What interface?)
Some ISPs use "1918" addresses as transit networks,
so it could be leakage from your ISP.
If so, then just block them in your router/firewall.
I have a vlan for the netbackup (192.168.15.x) with a standard ACL 15 to allow only access to specific machines. I'm seeing the denied logs for 192.168.30.x, 192.168.20.x IPs in reference to that ACL 15.
We have an ISP, but the IPs are in the 10.10.x.x range and the ISP is not connected to our network.
Yes, I'm blocking the traffic at the router.
Hi Maria, are those connections UDP or TCP? If they are UDP, it might be servers at your ISP side. You might want to check with your ISP.
If you have hits on the ACL on an interface, the traffic is generated somewhere in that direction.
So in this case the mystery traffic is generated somewhere on the same side as the netbackup.
So what I would do is to sniff the traffic so that you can find out the MAC address of the packets.
When you know the MAC address you can go and check the switches to find out what interface the traffic is coming in on.
When you know what interface, you know where to find the unit that generates/forwards the traffic.
If you're lucky and the router supports the 'log-input' keyword on ACLs, just change the "log" keyword on the ACL to "log-input" and the router will include the source MAC address in the syslog message.
For example, if you've got
! ACL 15 is a standard list, so it matches on source address only
access-list 15 permit 192.168.1.0 0.0.0.255
access-list 15 deny any log
change the last line to
access-list 15 deny any log-input
and you'll get something like
%SEC-6-IPACCESSLOGS: list 15 denied 192.168.30.10 (G1 0009.1532.8029) 1 packet
If the router doesn't support the 'log-input' keyword, you're going to have to capture the offending traffic somehow and get the source MAC address that way.
Once you've got the source MAC address, you do a 'sh mac-address-table address [whatever]' to find the switch port the traffic came from.
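Once log-input is on (or the MACs have been captured on the wire, as suggested earlier in the thread), the remaining work is triage: which MACs carry the unknown source addresses, and which switch lookup to run for each. The script below is an added example and not code from any poster in this thread. It parses both the extended-ACL (%SEC-6-IPACCESSLOGP) and standard-ACL (%SEC-6-IPACCESSLOGS) message shapes with the interface/MAC field that log-input adds, drops hits from networks you know are yours, and groups the rest by interface and MAC. The sample log lines, the KNOWN_NETWORKS list and the /24 grouping used to flag a MAC that fronts several unexpected subnets (a sign of a forwarding device rather than a single host) are all assumptions constructed for the example.

```python
"""Triage Cisco IOS ACL 'log-input' messages: group denied hits by the
source MAC/interface the router saw, so each MAC can be looked up on the
switches with 'show mac address-table address <mac>'.
Added example; the log lines and networks below are constructed."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"

# Extended ACL hits (IPACCESSLOGP): protocol and ports are included.
LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"\((?P<intf>\S+) (?P<mac>" + MAC + r")\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
    r"(?:, (?P<count>\d+) packets?)?"
)
# Standard ACL hits (IPACCESSLOGS): source address only.
LOGS_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>[\d.]+) \((?P<intf>\S+) (?P<mac>" + MAC + r")\)"
    r"(?: (?P<count>\d+) packets?)?"
)


def parse_acl_log(line):
    """Return a dict for an ACL log line carrying log-input data, else None."""
    for regex in (LOGP_RE, LOGS_RE):
        m = regex.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"] or 1)  # count is omitted for a single packet
            rec["mac"] = rec["mac"].lower()
            return rec
    return None  # not an ACL hit, or logged with plain 'log' (no MAC to work with)


def summarize_denies(log_text, known_networks):
    """Group denied hits from sources outside known_networks by (interface, MAC)."""
    known = [ip_network(n) for n in known_networks]
    groups = defaultdict(lambda: {"sources": set(), "packets": 0})
    for line in log_text.splitlines():
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue
        src = ip_address(rec["src"])
        if any(src in net for net in known):
            continue  # expected source; the ACL is just doing its job
        g = groups[(rec["intf"], rec["mac"])]
        g["sources"].add(rec["src"])
        g["packets"] += rec["count"]
    report = []
    for (intf, mac), g in groups.items():
        # Assumption: several unexpected /24s behind one MAC suggests a device
        # that forwards traffic (router, NAT box), not a single misconfigured host.
        subnets = {ip_network(s + "/24", strict=False) for s in g["sources"]}
        report.append({
            "interface": intf,
            "mac": mac,
            "sources": sorted(g["sources"], key=ip_address),
            "packets": g["packets"],
            "forwarding_device": len(subnets) > 1,
            "switch_lookup": f"show mac address-table address {mac}",
        })
    return sorted(report, key=lambda r: r["packets"], reverse=True)


# Constructed sample syslog excerpt (not real router output).
SAMPLE_LOG = """\
Mar  1 10:15:02.113: %SEC-6-IPACCESSLOGP: list 15 denied tcp 192.168.30.10(6000) (G1 0009.1532.8029) -> 192.168.15.15(1024), 1 packet
Mar  1 10:15:07.441: %SEC-6-IPACCESSLOGP: list 15 denied udp 192.168.20.44(137) (G1 0009.1532.8029) -> 192.168.15.15(137), 3 packets
Mar  1 10:15:09.002: %SEC-6-IPACCESSLOGS: list 15 denied 192.168.30.11 (G1 001b.2c3d.4e5f) 2 packets
Mar  1 10:16:00.500: %SEC-6-IPACCESSLOGP: list 15 permitted tcp 192.168.15.20(40000) (G1 0011.2233.4455) -> 192.168.15.15(1024), 1 packet
Mar  1 10:16:30.777: %SYS-5-CONFIG_I: Configured from console by admin
Mar  1 10:16:45.120: %SEC-6-IPACCESSLOGP: list 15 denied tcp 192.168.15.77(51000) (G1 00aa.bbcc.ddee) -> 192.168.15.15(1024), 1 packet
"""
# Constructed: the networks that legitimately exist on this site.
KNOWN_NETWORKS = ["192.168.15.0/24", "10.10.0.0/16"]

if __name__ == "__main__":
    for r in summarize_denies(SAMPLE_LOG, KNOWN_NETWORKS):
        flag = "  (forwarding device?)" if r["forwarding_device"] else ""
        print(f'{r["interface"]} {r["mac"]} {r["packets"]:>3} pkts from {", ".join(r["sources"])}{flag}')
        print("   ->", r["switch_lookup"])
```

Feed it the syslog file collected from the router and run each printed lookup on the switches; a MAC that appears with both 192.168.30.x and 192.168.20.x sources, as the first group does in the sample, points at one box forwarding for both subnets, so the port it lands on is the one to trace.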