You can go to a site called www.samspade.org to find out more about a specific address. Sam gives you contact information on who/what ISP is hosting, names, phone numbers, etc. I would recommend hitting your own network as hard as you can (after you get written permission from someone in the CIO capacity) and seeing the reaction that your defenses take; this will shed a lot of light on what's going on.
Also, if you want to go real deep, check out www.sans.org; they have a great reading room for security threads.

Kevin McCarty
CCNA CCNP

On Tuesday, March 26, 2002, at 10:49 AM, x wrote:

> I manage two PIX 520s and I use syslog.
>
> I would scan your logs for the two addresses 61.156.7.187 and 202.96.137.40. You can open them in WordPad or Notepad and do a find for the IP addresses. How often do they come up? What ports are they trying to hit? If you see these addresses come up hundreds of times, I would strongly recommend investigating further. The two strongest possibilities are someone is trying to hack you by gathering information about your network or an application is having trouble communicating. Either way you need to figure it out, and whatever resolution you come to will take some of the load off your firewall.
>
> I also do some background checking on the addresses themselves. I got nothing from nslookup on the 61 address. I got this for the 202 address.
>
> C:\>nslookup 202.96.137.40
> Server:  res1.ns.algx.net
> Address:  206.205.242.132
>
> Name:    szptt134.szptt.net.cn.137.96.202.in-addr.arpa
> Address:  202.96.137.40
>
> Does this mean anything to you?
>
> The Deny inbound (No xlate) means someone outside is trying to get to an address inside your network, but you have no address specified so it gets rejected. The outside outside part, I haven't seen before. I would also look at your routers and see if there is any indication there. My guess is if it isn't malicious it could be a problem with routing between your firewall and router.
>
> I hope this helps.
>
> Tom
>
> --- Patrick Ramsey wrote:
>> From [EMAIL PROTECTED] Tue Mar 26 15:36:33 2002
>> Date: Tue, 26 Mar 2002 10:07:56 -0500
>> From: "Patrick Ramsey"
>> To: [EMAIL PROTECTED]
>> Subject: RE: how to deal with this message on pix? [7:39497]
>> Reply-to: "Patrick Ramsey"
>>
>> That's a normal message on the pix when a packet gets denied. It's just saying that there was not a translation from an internal or dmz device to match the packet coming in from the internet.
>>
>> It doesn't really mean he has a one armed routing scenario. Actually I don't even see how that could work based on the logging.
>>
>> -Patrick
>>
>>>>> "Wilton White" 03/25/02 11:13PM >>>
>> PIX should not see that traffic in the first place. PIX only routes traffic between interfaces and can't make "u-turns" - only routes traffic from inside to outside or from outside to inside, but not from inside to inside or outside to outside. PIX considers this a security violation.
>> I would check the outside router and see why it is forwarding this traffic to the PIX.
>>
>> -- Lidiya White
>> CCIE #8155
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roy
>> Sent: Monday, March 25, 2002 8:20 PM
>> To: [EMAIL PROTECTED]
>> Subject: how to deal with this message on pix? [7:39497]
>>
>> hi all
>>
>> i notice the message shown below on my pix, and how can i deal with it?
>>
>> 106011: Deny inbound (No xlate) udp src outside:61.156.7.187/16372 dst outside:202.96.137.40/6970
>> 106011: Deny inbound (No xlate) udp src outside:61.156.7.187/16372 dst outside:202.96.137.40/6970
>> 106011: Deny inbound (No xlate) udp src outside:61.156.7.187/16372 dst outside:202.96.137.40/6970
>> 106011: Deny inbound (No xlate) tcp src outside:202.109.106.130/8893 dst outside:202.96.137.40/59478
>> 106011: Deny inbound (No xlate) udp src outside:202.96.136.201/49202 dst outside:202.96.137.40/53
>> 106011: Deny inbound (No xlate) tcp src outside:162.105.69.121/21 dst outside:202.96.137.40/60090
>>
>> any help will be appreciated
>>
>> sincerely
>>
>> Roy
>>
>> "John Green" [EMAIL PROTECTED] wrote:
>>> is anyone aware of any issue with PIX501 and connecting via cable modem to get an ip address (dhcp)?
>>>
>>> internet-----cable-----PIX----HOST
>>>              modem    501
>>>
>>> without the pix, the HOST is able to get the dhcp ip address fine. the pix is configured to get an ipaddress from dhcp for its outside interface. but it is failing.
>>> does anyone know of such issues?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39580&t=39497
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
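Tom's advice in the thread is to count how often the two addresses appear in the syslog and which ports they hit; the script below does that check over the 106011 lines Roy posted (an added example, not code from the thread or from Cisco), and also lists sources whose src and dst interface are the same, the outside-to-outside case Lidiya points out the PIX should never see. The regex, the threshold of 3 hits and the two extra sample lines are my own assumptions.

```python
import re
from collections import Counter

# PIX message 106011, with or without the "%PIX-<severity>-" syslog prefix.
LINE_RE = re.compile(
    r"(?:%PIX-\d-)?106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

def parse_106011(lines):
    """Parse 106011 lines into dicts; lines that are not 106011 are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["src_port"], e["dst_port"] = int(e["src_port"]), int(e["dst_port"])
            events.append(e)
    return events

def summarize(events, threshold=3):
    """Hit counts per source IP and per (proto, dst port); sources seen >= threshold
    times are 'noisy'; a source whose src and dst interface match is a 'uturn'."""
    by_src = Counter(e["src_ip"] for e in events)
    by_port = Counter((e["proto"], e["dst_port"]) for e in events)
    return {
        "by_src": by_src,
        "by_port": by_port,
        "noisy": sorted(ip for ip, n in by_src.items() if n >= threshold),
        "uturn": sorted({e["src_ip"] for e in events if e["src_if"] == e["dst_if"]}),
    }

# Sample input: the six lines from Roy's post, plus two constructed lines (one with
# the %PIX-3- prefix, one arriving on the inside interface) to exercise the parser.
SAMPLE = """\
106011: Deny inbound (No xlate) udp src outside:61.156.7.187/16372 dst outside:202.96.137.40/6970
106011: Deny inbound (No xlate) udp src outside:61.156.7.187/16372 dst outside:202.96.137.40/6970
106011: Deny inbound (No xlate) udp src outside:61.156.7.187/16372 dst outside:202.96.137.40/6970
106011: Deny inbound (No xlate) tcp src outside:202.109.106.130/8893 dst outside:202.96.137.40/59478
106011: Deny inbound (No xlate) udp src outside:202.96.136.201/49202 dst outside:202.96.137.40/53
106011: Deny inbound (No xlate) tcp src outside:162.105.69.121/21 dst outside:202.96.137.40/60090
%PIX-3-106011: Deny inbound (No xlate) tcp src outside:61.156.7.187/16373 dst outside:202.96.137.40/6970
%PIX-3-106011: Deny inbound (No xlate) tcp src inside:10.0.0.5/1025 dst outside:202.96.137.40/80
""".splitlines()

if __name__ == "__main__":
    report = summarize(parse_106011(SAMPLE))
    print(report["by_src"].most_common(), report["noisy"], report["uturn"])
```

Point `parse_106011` at the real syslog file instead of `SAMPLE` and raise the threshold to whatever "hundreds of times" means for your traffic volume.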