Re: How to trace Private IP addresses

maria.melendez · ‎06-20-2012

I started to see ACL denied logs from private IP addresses (192.168.30.x, 192.168.20.x) that are not configured for this network. How I can find where these devices are connected to the network ?

I'll appreciate any ideas. Thanks!

John Blakley · ‎06-20-2012

Can you tell us a little about what happened? Do you route for these networks or were they seen on the outside interface of your router? Do you have a vpn tunnel established with anyone?

HTH, John *** Please rate all useful posts ***

maria.melendez · ‎06-20-2012

A week ago when I was reviewing the logs in the router, I started to see denied logs from private IPs that I don't know. The IPs (192.168.30.x and 192.168.20.x) are trying to get access to another private vlan (192.168.15.x) established for netbackup and that's configured in the router.

I don't have vpn tunnel.

John Blakley · ‎06-20-2012

It's going to be difficult to tell you other than if you don't know where they came from, as in you have no idea where this private subnet resides, then it's possibly someone trying to spoof an address as a private side address.

HTH, John *** Please rate all useful posts ***

maria.melendez · ‎06-20-2012

okay, thanks!

If you think about something else that could help me to avoid this traffic, I'll appreciate it.

hobbe · ‎06-20-2012

Hi

You state that you find this in the logs.

What does the logfile tell you ?

where is the acl setup ? (what interface)

Some ISP´s use "1918" addresses as transit networks.

so it could be a leakage from your isp.

if so then just block them in your router/firewall.

Good luck

HTH

maria.melendez · ‎06-21-2012

I have a vlan for the netbackup (192.168.15.x) with a standard ACL 15 to allow only access to specific machines. I'm seeing the denied logs for 192.168.30.x, 192.168.20.x IPs in reference to that ACL 15.

We have an ISP but the IPs are in the 10.10.x.x. range and the ISP is not connected to our network.

Yes, I'm blocking the traffic at the router.

Thanks!!

willymaldonado1 · ‎06-21-2012

Hi Maria, are those connections are UDP or TCP... if their are UDP it might be servers at your ISP side.... you might want to check with your ISP.

Best regards,

Willy

maria.melendez · ‎06-21-2012

The traffic should be TCP but I'll double check on that.

Thanks!

hobbe · ‎06-21-2012

Hi

Well

if you have hits on the ACL on an interface the traffic is generated somewhere in that direction.

So in this case the mystery traffic is generated somewhere at the same side as the netbackup.

So what I would do is to sniff the traffic so that you can find out the MAC address of the packets.

When you know the mac address you can go and check out the switches to findout what interface the traffic is generated from.

When you know what interface, you know where to find the unit that generates/forwards the traffic.

Good luck

HTH

maria.melendez · ‎06-21-2012

Thanks Hobbe!

Yes, there's something wrong with the netbackup vlan. I'll check the traffic tomorrow, thanks!!

lrian · ‎06-23-2012

if you're lucky & the router supports the 'log-input' keyword on acls just change the "log" keyword on the acl to "log-input" and the router will include the source mac address in the syslog msg

for example, if you've got

access-list 15 permit tcp 192.168.1.0 0.0.0.255 any

access-list 15 deny ip any any log

change the last line to

access-list 15 deny ip any any log-input

and you'll get something like

%SEC-6-IPACCESSLOGP: list 15 denied tcp 192.168.30.10(6000) (G1 0009.1532.8029) -> 192.168.15.15(1024)

If the router doesn't support the 'log-input' keyword you're going to have to capture the offending traffic somehow and get the source mac address that way.

Once you've got the source mac address you do a 'sh mac-address-table address [whatever]' to find the switch port the traffic came from

Regards,

Lee