Strange Firewall Logs...


Stuartbe
14-01-2004, 23:55
I have had multiple hits on my firewall that appear to be broadcasts but they are not.

Does anyone have any idea on what they may be ??


---------------------------------------------------------

[13/Jan/2004 19:18:35] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:18:35] NAT: + proto:TCP, len:60, ip+port:62.253.162.51:110 -> ***.***.***.***:52089, flags: RST , seq:1070064662 ack:0, win:0, tcplen:0
[13/Jan/2004 19:25:16] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:25:16] NAT: + proto:TCP, len:60, ip+port:207.68.171.234:80 -> ***.***.***.***:52135, flags: FIN ACK , seq:2459590829 ack:265719730, win:17143, tcplen:0
[13/Jan/2004 19:27:38] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:27:38] NAT: + proto:TCP, len:1486, ip+port:212.3.243.131:80 -> ***.***.***.***:52178, flags: ACK , seq:3889359289 ack:299366628, win:7504, tcplen:1432
[13/Jan/2004 19:27:38] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:27:38] NAT: + proto:TCP, len:1486, ip+port:212.3.243.131:80 -> ***.***.***.***:52178, flags: ACK PSH , seq:3889360721 ack:299366628, win:7504, tcplen:1432
[13/Jan/2004 19:27:38] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:27:38] NAT: + proto:TCP, len:1486, ip+port:212.3.243.131:80 -> ***.***.***.***:52178, flags: ACK , seq:3889362153 ack:299366628, win:7504, tcplen:1432
[13/Jan/2004 19:27:38] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:27:38] NAT: + proto:TCP, len:1486, ip+port:212.3.243.131:80 -> ***.***.***.***:52178, flags: ACK PSH , seq:3889363585 ack:299366628, win:7504, tcplen:1432
[13/Jan/2004 19:28:37] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:28:37] NAT: + proto:TCP, len:1486, ip+port:212.3.243.131:80 -> ***.***.***.***:52194, flags: ACK , seq:3960930991 ack:315377461, win:6432, tcplen:1432
[13/Jan/2004 19:28:37] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:28:37] NAT: + proto:TCP, len:172, ip+port:212.3.243.131:80 -> ***.***.***.***:52194, flags: ACK PSH , seq:3960932423 ack:315377461, win:6432, tcplen:118
[13/Jan/2004 19:29:16] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:29:16] NAT: + proto:TCP, len:1486, ip+port:206.65.183.156:80 -> ***.***.***.***:52218, flags: ACK , seq:3990520452 ack:324829690, win:6432, tcplen:1432
[13/Jan/2004 19:29:16] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:29:16] NAT: + proto:TCP, len:1486, ip+port:206.65.183.156:80 -> ***.***.***.***:52218, flags: ACK PSH , seq:3990521884 ack:324829690, win:6432, tcplen:1432
[13/Jan/2004 19:29:16] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:29:16] NAT: + proto:TCP, len:1486, ip+port:206.65.183.156:80 -> ***.***.***.***:52218, flags: ACK , seq:3990523316 ack:324829690, win:6432, tcplen:1432
[13/Jan/2004 19:29:16] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:29:16] NAT: + proto:TCP, len:1486, ip+port:206.65.183.156:80 -> ***.***.***.***:52218, flags: ACK PSH , seq:3990524748 ack:324829690, win:6432, tcplen:1432
[13/Jan/2004 19:36:41] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:36:41] NAT: + proto:TCP, len:1486, ip+port:207.46.244.158:80 -> ***.***.***.***:52247, flags: ACK , seq:151798085 ack:426718231, win:16080, tcplen:1432
[13/Jan/2004 19:36:41] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:36:41] NAT: + proto:TCP, len:1220, ip+port:207.46.244.158:80 -> ***.***.***.***:52247, flags: ACK PSH , seq:151799517 ack:426718231, win:16080, tcplen:1166
[13/Jan/2004 19:38:31] NAT: Detected UDP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:38:31] NAT: + proto:UDP, len:342, ip+port:***.***.***.***:68 -> 255.255.255.255:67, udplen:300
[13/Jan/2004 19:38:35] NAT: Detected UDP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:38:35] NAT: + proto:UDP, len:342, ip+port:***.***.***.***:68 -> 255.255.255.255:67, udplen:300
[13/Jan/2004 19:38:40] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:38:40] NAT: + proto:TCP, len:1486, ip+port:207.46.244.158:80 -> ***.***.***.***:52256, flags: ACK , seq:300521995 ack:457437825, win:6432, tcplen:1432
[13/Jan/2004 19:38:40] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:38:40] NAT: + proto:TCP, len:1220, ip+port:207.46.244.158:80 -> ***.***.***.***:52256, flags: ACK PSH , seq:300523427 ack:457437825, win:6432, tcplen:1166
[13/Jan/2004 19:38:51] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:38:51] NAT: + proto:TCP, len:1486, ip+port:207.46.244.158:80 -> ***.***.***.***:52260, flags: ACK , seq:304907822 ack:458405739, win:16080, tcplen:1432
[13/Jan/2004 19:38:51] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:38:51] NAT: + proto:TCP, len:1220, ip+port:207.46.244.158:80 -> ***.***.***.***:52260, flags: ACK PSH , seq:304909254 ack:458405739, win:16080, tcplen:1166
[13/Jan/2004 19:40:59] NAT: Attempt to establish TCP connection through NAT (in). The following line contains suspicious packet dump:
[13/Jan/2004 19:40:59] NAT: + proto:TCP, len:60, ip+port:64.48.134.31:0 -> ***.***.***.***:35441, flags: SYN , seq:3937 ack:0, win:512, tcplen:0
[13/Jan/2004 19:45:14] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:45:14] NAT: + proto:TCP, len:654, ip+port:207.46.244.158:80 -> ***.***.***.***:52337, flags: ACK PSH , seq:717627874 ack:551898041, win:6432, tcplen:600
[13/Jan/2004 19:45:18] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:45:18] NAT: + proto:TCP, len:1486, ip+port:65.54.249.254:80 -> ***.***.***.***:52338, flags: ACK , seq:721708892 ack:553156183, win:6432, tcplen:1432
[13/Jan/2004 19:45:18] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:45:18] NAT: + proto:TCP, len:1486, ip+port:65.54.249.254:80 -> ***.***.***.***:52338, flags: ACK , seq:721710324 ack:553156183, win:6432, tcplen:1432
[13/Jan/2004 19:55:51] NAT: Detected UDP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:55:51] NAT: + proto:UDP, len:342, ip+port:***.***.***.***:68 -> 255.255.255.255:67, udplen:300
[13/Jan/2004 19:55:55] NAT: Detected UDP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:55:55] NAT: + proto:UDP, len:342, ip+port:***.***.***.***:68 -> 255.255.255.255:67, udplen:300
[13/Jan/2004 19:59:10] NAT: Detected UDP packet which has no entry in the NAT table. The following line contains suspicious packet dump:
[13/Jan/2004 19:59:10] NAT: + proto:UDP, len:342, ip+port:***.***.***.***:68 -> 255.255.255.255:67, udplen:300
[13/Jan/2004 19:59:13] NAT: Detected UDP packet which has no entry in the NAT table. The following line contains suspicious packet dump:

Ramrod
15-01-2004, 00:03
First one is ntl and the second one is microsoft......third through to eighth is europeaninvestor.com

Stuartbe
15-01-2004, 00:15
First one is ntl and the second one is microsoft......third through to eighth is europeaninvestor.com

Cheers m8

I know what all the others are - it's the broadcasts in orange that I am concerned about !!

Paul
15-01-2004, 00:18
They are DHCP requests.

Stuartbe
15-01-2004, 00:43
They are DHCP requests.

I thought that m8 - but the pix does dhcp and udp ports on that range are not permitted by the acl. The computer in question is not even on the dmz !!

Paul
15-01-2004, 01:04
I thought that m8 - but the pix does dhcp and udp ports on that range are not permitted by the acl. The computer in question is not even on the dmz !!

I don't know what IP you have blocked out but they appear to be DHCP discover packets. Basically that IP is sending out a packet saying "are there any DHCP servers out there that can give me an IP address ?" (or they could be response packets ...)

UDP 68 > 67 is client to server (request).
UDP 67 > 68 is server (reply) to client.

Lundie
15-01-2004, 01:08
Could they not be spoofed dhcp packets to see if there is a machine live ?

Stuartbe
16-01-2004, 21:17
Could they not be spoofed dhcp packets to see if there is a machine live ?

I am not really sure m8 but I know that broadcasts can't traverse the firewall. I took out the pix and put a pc on each side. I then sent broadcasts through it and none came out the other side. :confused:

I know one thing for sure though ......

Somebody is really convinced that I am a web server. I wonder if I have upset someone in Dunstable that has an NTL cable modem ? :angel:

Ramrod
16-01-2004, 21:33
Cheers m8

I know what all the others are - it's the broadcasts in orange that I am concerned about !!
:blush: :dunce:

rdhw
16-01-2004, 22:45
I am not really sure m8 but I know that broadcasts can't traverse the firewall.

The orange ones are DHCP discovery requests, which are always initially broadcast, until a server replies. It's difficult to advise any further as essential information has been replaced by asterisks.

Somebody is really convinced that I am a web server.

It looks like the opposite. These appear to be ACK replies from a web server (port 80) that you are reading from, that the firewall is improperly dropping or logging. Maybe your firewall is too strictly configured, or is timing out NAT mappings too quickly on slow connections.
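
The two readings given in this thread (Paul's point that UDP 68 -> 67 is client-to-server DHCP, and rdhw's point that the port-80 ACK/FIN entries are the tail of sessions whose NAT mapping is already gone) can be turned into a small triage script for this log format. The following is an added example, not code from the original thread or from any firewall vendor: it parses the "NAT: + proto:" dump lines, pairs each with the reason line before it, and sorts them into categories I have named myself. The sample log lines are constructed in the same layout as the ones posted above, using RFC 5737 documentation addresses instead of the starred-out internal IPs; the parser also accepts the asterisks so the thread's own lines can be fed to it unchanged.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Reason line: "[ts] NAT: Detected TCP packet which has no entry in the NAT table. ..."
# The dump line that follows starts with "NAT: +", which the [A-Z] excludes.
REASON_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] NAT: (?P<reason>[A-Z][^.]+)\.")

# Dump line: "[ts] NAT: + proto:TCP, len:60, ip+port:A:p -> B:q, flags: RST , ..."
# Asterisks are allowed in addresses so masked lines like the ones in the
# thread still parse.
DUMP_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NAT: \+ proto:(?P<proto>TCP|UDP), len:(?P<len>\d+), "
    r"ip\+port:(?P<src>[\d.*]+):(?P<sport>\d+) -> (?P<dst>[\d.*]+):(?P<dport>\d+)"
    r"(?:, flags: (?P<flags>[A-Z ]*),)?"
)

LIMITED_BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class NatEvent:
    ts: str
    reason: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]


def parse_events(lines: Iterable[str]) -> List[NatEvent]:
    """Pair each reason line with the packet dump printed right after it."""
    events: List[NatEvent] = []
    pending = None
    for line in lines:
        m = REASON_RE.match(line)
        if m:
            pending = m.group("reason")
            continue
        m = DUMP_RE.match(line)
        if m and pending is not None:
            flags = frozenset((m.group("flags") or "").split())
            events.append(NatEvent(m.group("ts"), pending, m.group("proto"),
                                   m.group("src"), int(m.group("sport")),
                                   m.group("dst"), int(m.group("dport")), flags))
            pending = None
    return events


def classify(ev: NatEvent) -> str:
    """Category names are this example's own, not the firewall's."""
    # DHCP client -> server on the limited-broadcast address: a DISCOVER or
    # REQUEST. Seeing one on a NAT box that is not the DHCP server means
    # something between the client and this box forwarded (relayed) it.
    if (ev.proto == "UDP" and ev.sport == 68 and ev.dport == 67
            and ev.dst == LIMITED_BROADCAST):
        return "dhcp-client-broadcast"
    if ev.proto == "TCP":
        # A bare SYN with no NAT state is an unsolicited inbound attempt.
        if "SYN" in ev.flags and "ACK" not in ev.flags:
            return "inbound-syn"
        # Non-SYN segment from a well-known service port to an ephemeral local
        # port: the tail of a session whose mapping was torn down or timed out.
        if ev.sport < 1024 and ev.dport >= 1024:
            return "stale-session-tail"
    return "other"


def summarize(lines: Iterable[str]) -> Counter:
    """Count events per category."""
    return Counter(classify(ev) for ev in parse_events(lines))


def dhcp_talkers(lines: Iterable[str]) -> Counter:
    """Which local addresses keep broadcasting DHCP (release/renew loops show up here)."""
    return Counter(ev.src for ev in parse_events(lines)
                   if classify(ev) == "dhcp-client-broadcast")


# Constructed sample in the thread's log layout (RFC 5737 addresses).
SAMPLE_LOG = [
    "[13/Jan/2004 19:18:35] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:",
    "[13/Jan/2004 19:18:35] NAT: + proto:TCP, len:60, ip+port:198.51.100.5:110 -> 192.0.2.20:52089, flags: RST , seq:1070064662 ack:0, win:0, tcplen:0",
    "[13/Jan/2004 19:27:38] NAT: Detected TCP packet which has no entry in the NAT table. The following line contains suspicious packet dump:",
    "[13/Jan/2004 19:27:38] NAT: + proto:TCP, len:1486, ip+port:198.51.100.9:80 -> 192.0.2.20:52178, flags: ACK PSH , seq:3889360721 ack:299366628, win:7504, tcplen:1432",
    "[13/Jan/2004 19:38:31] NAT: Detected UDP packet which has no entry in the NAT table. The following line contains suspicious packet dump:",
    "[13/Jan/2004 19:38:31] NAT: + proto:UDP, len:342, ip+port:192.0.2.20:68 -> 255.255.255.255:67, udplen:300",
    "[13/Jan/2004 19:38:35] NAT: Detected UDP packet which has no entry in the NAT table. The following line contains suspicious packet dump:",
    "[13/Jan/2004 19:38:35] NAT: + proto:UDP, len:342, ip+port:192.0.2.20:68 -> 255.255.255.255:67, udplen:300",
    "[13/Jan/2004 19:40:59] NAT: Attempt to establish TCP connection through NAT (in). The following line contains suspicious packet dump:",
    "[13/Jan/2004 19:40:59] NAT: + proto:TCP, len:60, ip+port:203.0.113.7:0 -> 192.0.2.20:35441, flags: SYN , seq:3937 ack:0, win:512, tcplen:0",
]

if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        print(f"{ev.ts}  {classify(ev):22} {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport}")
    print(dict(summarize(SAMPLE_LOG)))
    print(dict(dhcp_talkers(SAMPLE_LOG)))
```

The useful output is the last two lines: the category counts tell you whether the bulk of the "suspicious" entries are just stale web-session tails (a NAT timeout question, not an attack), and the DHCP talker count points at the one host that keeps re-broadcasting, which is exactly the pattern the thread ends up finding.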

Stuartbe
16-01-2004, 22:52
The orange ones are DHCP discovery requests, which are always initially broadcast, until a server replies. It's difficult to advise any further as essential information has been replaced by asterisks.

It looks like the opposite. These appear to be ACK replies from a web server (port 80) that you are reading from, that the firewall is improperly dropping or logging. Maybe your firewall is too strictly configured, or is timing out NAT mappings too quickly on slow connections.

I agree that they are dhcp requests rdhw but they are from the firewall log on the other side of the pix. The pix handles all my dhcp as it is directly connected to the cable modem. I am just puzzled as to how they were sent through the firewall. A CCIE at work helped me write the acl's and they seem o.k. It's a mystery !!!!

Paul
16-01-2004, 23:49
I agree that they are dhcp requests rdhw but they are from the firewall log on the other side of the pix. The pix handles all my dhcp as it is directly connected to the cable modem. I am just puzzled as to how they were sent through the firewall. A CCIE at work helped me write the acl's and they seem o.k. It's a mystery !!!!

Sorry stu but you have confused me. Let's see if I have your setup correct, you have your CM, which is connected to one port of the pix (firewall ?), you then have your internal network presumably connected to a second port on the pix ?

What port are those logs from and what have you starred out - i.e. are they all the same ip, are they the CM's public ip or an ip from your internal network.

If you are really interested in an answer can you PM me the log without the ip's being starred out ?

Stuartbe
16-01-2004, 23:56
Sorry stu but you have confused me. Let's see if I have your setup correct, you have your CM, which is connected to one port of the pix (firewall ?), you then have your internal network presumably connected to a second port on the pix ?

What port are those logs from and what have you starred out - i.e. are they all the same ip, are they the CM's public ip or an ip from your internal network.

If you are really interested in an answer can you PM me the log without the ip's being starred out ?

The ip's I have starred out are the internal network Ip addresses on the other side of the pix. I have multiple Ip addresses on the pix routing through to the internal nat box/firewall. I own the block of ip's.. that's why I hid them. The pix handles all dhcp and the log I have posted is from the nat box.

Due to the fact that I have isdn into the pix and the way that the nat box is configured the entries are in reverse. Incoming is outgoing...

I can understand why you are getting confused - I do sometimes :D

Any traffic destined for work is routed by the nat box to a different ip on the pix. This is then piped down a vpn. This is done so that all internet traffic is isolated from the vpn connection.

:confused: My head hurts !!!

Paul
17-01-2004, 00:00
The ip's I have starred out are the internal network Ip addresses on the other side of the pix. I have multiple Ip addresses on the pix routing through to the internal nat box/firewall. I own the block of ip's.. that's why I hid them. The pix handles all dhcp and the log I have posted is from the nat box.

Due to the fact that I have isdn into the pix and the way that the nat box is configured the entries are in reverse. Incoming is outgoing...

I can understand why you are getting confused - I do sometimes :D

Any traffic destined for work is routed by the nat box to a different ip on the pix. This is then piped down a vpn. This is done so that all internet traffic is isolated from the vpn connection.

:confused: My head hurts !!!

I wish I'd never asked now :eek:

Stuartbe
17-01-2004, 00:01
The ip's I have starred out are the internal network Ip addresses on the other side of the pix. I have multiple Ip addresses on the pix routing through to the internal nat box/firewall. I own the block of ip's.. that's why I hid them. The pix handles all dhcp and the log I have posted is from the nat box.

Due to the fact that I have isdn into the pix and the way that the nat box is configured the entries are in reverse. Incoming is outgoing...

I can understand why you are getting confused - I do sometimes :D

Any traffic destined for work is routed by the nat box to a different ip on the pix. This is then piped down a vpn. This is done so that all internet traffic is isolated from the vpn connection.

:confused: My head hurts !!!

Hold the phone....

I think I have discovered the problem. One of the clients had a dodgy nic. Checking the logs it looks like it was releasing and then renewing the ip. It looks like my router has picked up the broadcasts and proxy'd them out to the nat box ....... Time to check the router config. Copy run start // doh !!!

Paul
17-01-2004, 00:05
Hold the phone....

I think I have discovered the problem. One of the clients had a dodgy nic. Checking the logs it looks like it was releasing and then renewing the ip. It looks like my router has picked up the broadcasts and proxy'd them out to the nat box ....... Time to check the router config. Copy run start // doh !!!

Turn off DHCP relaying on the router I would guess.

Stuartbe
17-01-2004, 00:09
Turn off DHCP relaying.

:D :D :D :D Fights cisco IOS :ninja:

Just changed the config and did a copy run start instead of copy start run :cry:

I'm off to buy an abacus !!!!