sh ip nat translations

Peter Valdes
Level 3

Hi,

When I run show ip nat translations on our gateway router, it comes up with an Inside Local IP Address that does not belong to our local network. See attached.

192.168.1.0/24 does not belong to any of our users or static routes (we don't use a dynamic protocol), nor is it a configured interface on the router.

Is there a way I can trace which VLAN this IP is coming from? Before this, network 192.168.1.0/24 was flooding our NAT pool and I had to deny ip 192.168.1.0 0.0.0.255 any any

6 Replies

spremkumar
Level 9

Hi

The best way, and also as you desire, of dealing with this would be tweaking the access-list attached to the NAT statement.

Deny the IP block which is not required to access the pool and permit the remaining blocks.

regds

Try putting a sniffer onto the router's inside VLAN & do a capture. You will get more info.

What have you defined for your Inside pool ?

Is it 0.0.0.0 ?

I suggest that you define only your internal networks. By this the router will NAT only the required IPs from your LAN.

Thanks for the replies.

The NAT pool is now secure with only specific network addresses permitted to use the NAT.

Apart from 192.168.1.0/24 we use the rest of the network.

remark PERMIT IP ACCESS FOR CLIENT NETWORK
deny ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.255.255 any

Although, I would still like to know where this network is coming from and how this unknown user got to use our Internet without having any connected interface to that specific /24 block.

If there is a single subnet in your office, try assigning a static IP from that pool & then try to ping that machine with the command

ping -a 192.168.1.X

It should resolve the hostname if it is a Windows machine.

If there are multiple VLANs, try putting Ethereal randomly in the VLANs & see where the packets for 192.168.1.x are coming from.

HTH, please rate all useful posts

Hi,

The network 192.168.1.x/24 does not exist in our local network but is still showing up as inside local.

--- 203.215.141.251 192.168.1.11 --- ---
tcp 203.215.141.253:139 192.168.1.111:139 222.92.124.22:6000 222.92.124.22:6000
--- 203.215.141.253 192.168.1.111 --- ---
--- 203.215.141.250 192.168.1.118 --- ---
--- 203.215.141.252 192.168.1.120 --- ---
tcp 203.215.141.254:139 192.168.1.134:139 222.92.124.22:6000 222.92.124.22:6000
--- 203.215.141.254 192.168.1.134 --- ---

After reading some of the logs, I think (but am not 100% sure) this is a TCP SYN flooding attack. It has the same symptoms described in the Cisco doco: "target host (frequently an HTTP or SMTP server) becomes extremely slow, crashes, or hangs. It is also possible for the traffic that returns from the target host to cause trouble on routers".

Any ideas?

Thanks
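An added example, not part of the thread: a small Python script that parses rows like the ones pasted above, flags inside-local addresses the final NAT ACL (deny 192.168.1.0/24, permit 192.168.0.0/16) should never have admitted to the pool, and groups inside locals by outside-global peer so a many-to-one pattern stands out. The sample rows are constructed from the thread's output plus one made-up legitimate entry (192.168.10.5 to 198.51.100.7, a documentation address).

```python
import ipaddress
import re

# Constructed sample modelled on the thread's output, plus one legitimate row so the filter has something to pass.
SAMPLE_TRANSLATIONS = """\
Pro Inside global        Inside local        Outside local        Outside global
--- 203.215.141.251      192.168.1.11        ---                  ---
tcp 203.215.141.253:139  192.168.1.111:139   222.92.124.22:6000   222.92.124.22:6000
--- 203.215.141.250      192.168.1.118       ---                  ---
tcp 203.215.141.254:139  192.168.1.134:139   222.92.124.22:6000   222.92.124.22:6000
tcp 203.215.141.251:1025 192.168.10.5:1025   198.51.100.7:80      198.51.100.7:80
"""

# What the thread's final NAT ACL expresses: deny 192.168.1.0/24, permit 192.168.0.0/16.
DENIED = [ipaddress.ip_network("192.168.1.0/24")]
PERMITTED = [ipaddress.ip_network("192.168.0.0/16")]
# One translation row: protocol plus four address fields (the header has more tokens and never matches).
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def split_addr(field):
    """'a.b.c.d:port' or bare IP -> IPv4Address; the '---' placeholder -> None."""
    if field == "---":
        return None
    return ipaddress.ip_address(field.partition(":")[0])

def parse_translations(text):
    """Parse IOS 'show ip nat translations' rows into dicts keyed by column name."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append({"proto": m.group(1), "inside_global": split_addr(m.group(2)),
                            "inside_local": split_addr(m.group(3)), "outside_global": split_addr(m.group(5))})
    return entries

def unexpected_inside_locals(entries):
    """Inside-local addresses the NAT ACL should have kept out of the pool (deny wins over permit)."""
    bad = set()
    for e in entries:
        il = e["inside_local"]
        if any(il in n for n in DENIED) or not any(il in n for n in PERMITTED):
            bad.add(il)
    return sorted(bad)

def inside_locals_per_outside(entries):
    """Fan-in view: the inside locals seen talking to each outside-global host."""
    fan_in = {}
    for e in entries:
        if e["outside_global"] is not None:
            fan_in.setdefault(e["outside_global"], set()).add(e["inside_local"])
    return fan_in
```

Run it against a saved copy of the real command output to get the list of addresses to chase down on the inside VLANs and the outside hosts they all converge on.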

This is an obvious configuration issue.

Please post the running-config. If you're concerned about security, change your WAN IPs.

Regards

Tim
