Network: freenode | Channel: #cisco
Log from #cisco at freenode 2006-07-14
[03:48]<fyvrrn>Loceur: why might the packet hop to the inside interface first?
[03:49]<ljanuz>policy routing, misconfiguration
[03:50]<sgrcn-ndns>the one ACL has been changed, hold on a sec
[03:59]<sgrcn-ndns>Loceur, sorry for taking so long, had to edit some stuff,
[03:59]<sgrcn-ndns>http://www.rafb.net/paste/results/oFl5lQ32.html
[04:04]<sgrcn-ndns>Loceur, src of the packet was from vlan 4
[04:04]<ljanuz>understood
[04:10]<sgrcn-ndns>Loceur, so what's the bad news doc? :P
[04:12]<jjgrvxrg_>how can one direct outside traffic on a certain port to a hardware address?
[04:23]<jjgrvxrg_>anyone?
[04:24]<ljanuz>sorry phone
[04:24]<sgrcn-ndns>Loceur, np
[04:28]<jjgrvxrg_>can i direct all outside traffic on port 3389 to a hardware address?
[04:30]<gndyvx>hardware address?
[04:30]<gndyvx>like a mac address?
[04:30]<sgnzcm_bzsvzzm>huh?
[04:31]<sgnzcm_bzsvzzm>"hardware address" ?
[04:31]<sgnzcm_bzsvzzm>what do you mean? a LAN only IP ?
[04:31]<ljanuz>snake: can you post the exact error?
[04:31]<gndyvx>we call them RFC1918 here
[04:31]<jjgrvxrg_>mac address, because ip address changes as it's dhcp
[04:32]<gndyvx>no you can't
[04:32]<jjgrvxrg_>it can only be done by ip address then?
[04:33]<gndyvx>yes
[04:33]<gndyvx>you can do a static DHCP address via mac address
[04:34]<jjgrvxrg_>ahh, ok
[04:34]<jjgrvxrg_>how can i do it by ip address?
[04:35]<sgrcn-ndns>Loceur, http://www.rafb.net/paste/results/0pBHLa86.html
[04:37]<cfrur>nemith: you're back, still no luck on this cisco 806 with port forwarding... are you able to private me?
[04:40]<ljanuz>Snake-Eyes: did you see that packet come in on vlan 4 through your acl 154 log?
[04:41]<ljanuz>Snake-Eyes: looks like a spoofed packet
[04:42]<ljanuz>that packet came in on one of your ip nat inside interfaces
[04:43]<sgrcn-ndns>yea
[04:44]<sgrcn-ndns>so you're saying it's a spoof and it didn't come from vlan4 but from outside, e.g. dialer 0?
[04:45]<cfrur>how do i apply an ACL to an Interface?
[04:47]<azdl->clsk: access-group
[04:47]<sgrcn-ndns>Claug, go to that interface, then go 'ip access-group xxx in' xxx being the ACL
[04:47]<ljanuz>Snake-Eyes: it came from an interface that had "ip nat inside"
[04:47]<ljanuz>I bet
[04:48]<sgrcn-ndns>Loceur, err now you're scaring me
[04:48]<ljanuz>you would have seen it if it had come in on vlan4 with your 154 and 155 acls
[04:48]<ljanuz>and the destination was an Asia Pacific IP
[04:49]<sgrcn-ndns>yea china
[04:49]<ljanuz>they're quite the pain
[04:49]<ljanuz>not people from that region, just people using those IPs
[04:49]<ljanuz>people from this region are quite the pain
[04:50]<sgrcn-ndns>hehe
[04:50]<ljanuz>anyhoo Snake-Eyes, that is a bit of a thinker problem. The other theory is that cisco isn't perfect
[04:50]<ljanuz>*shock*
[04:50]<sgrcn-ndns>hmm, so somehow a machine 'inside' got a packet and then replied with a spoofed packet ...
[04:51]<ljanuz>no, it just spoofed a packet to begin with
[04:51]<sgrcn-ndns>Loceur, yea, I've been talking to cisco, and the guy keeps rehashing how NAT works......
[04:51]<ljanuz>someone on inside just tried out sending from vlan4 router ip to his test machine in china
[04:52]<sgrcn-ndns>Loceur, I don't think so, won't be many users on then, and that's the IP address that was port/IP scanning us
[04:52]<ljanuz>are you on an ED ios?
[04:52]<ljanuz>they're more error prone
[04:52]<sgrcn-ndns>ED ?
[04:52]<ljanuz>and don't get me started on PIX 7.0
[04:52]<ljanuz>early development
[04:53]<ljanuz>or something else if you want TV commercials :/
[04:53]<sgrcn-ndns>hehe
[04:55]<sgrcn-ndns>Loceur, I'm thinking either routing stuffed up, a completely spoofed packet from outside, or a machine inside is compromised/bug
[04:56]<ljanuz>couldn't have been from outside, it would have hit an acl, but not a nat list
[04:56]<sgrcn-ndns>not good
[04:57]<ljanuz>just make sure you block spoofed ips on your inside interfaces and log any
[04:57]<ljanuz>it happens
[04:57]<ljanuz>as does ios bugs
[04:58]<ljanuz>which I'd tend towards, as you seem to filter pretty well on your interfaces
[04:58]<ljanuz>though I haven't checked thoroughly to see if someone could spoof a packet and make it to your outside iface
[04:58]<sgrcn-ndns>thanks, I'm still concerned that some machine is sending spoofed packets
[04:59]<sgrcn-ndns>the user base is small in the office
[04:59]<ljanuz>dang users! line them up, make shoot them till one confesses!
[05:00]<ljanuz>s/make/and
[05:00]<ljanuz>just log spoofed packets at your internal ifaces
[05:01]<sgrcn-ndns>wouldn't the deny log catch those, or do I need a different kind of rule?
[05:01]<ljanuz>you can also search bug toolkit
[05:01]<ljanuz>http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl
[05:03]<ljanuz>I usually make a permit from internal ip range to any, then deny any any log
[05:03]<sgrcn-ndns>ah
[05:05]<sgrcn-ndns>I remember some default rule cisco used to put in, with from 0.0.0.0 to something
[05:09]<sgrcn-ndns>I'll tighten up the ACLs for that, thanks for the help Loceur
[05:18]<ljanuz>np!
[05:21]<ugsggg>hi everyone!
[05:21]<bsdrgdjg>Which do you guys prefer, lightweight APs w/ controllers and WCS, or autonomous APs w/ a WLSE?
[05:23]<bsdrgdjg>Right now we're using autonomous APs w/ nothing.
[05:23]<bsdrgdjg>1100 series, which are becoming EOL soon iirc.
[05:23]<gndyvx>BSDaemon: controllers all the way
[05:23]<gndyvx>1100's aren't going anywhere
[05:23]<bsdrgdjg>So you'd go lightweight w/ controllers?
[05:23]<gndyvx>yes
[05:23]<bsdrgdjg>but 1100s aren't lightweight
[05:24]<gndyvx>they have lightweight code
[05:24]<bsdrgdjg>Not according to cisco
[05:25]<bsdrgdjg>"The device is available in an autonomous version only and does not support lightweight operation"
[05:25]<bsdrgdjg>I've had this shit drilled into my skull for the past 3 days :P
[05:26]<gndyvx>dude
[05:26]<bsdrgdjg>I'd like to move to 1130AGs w/ lightweight featureset
[05:26]<gndyvx>get a fucking refund
[05:26]<bsdrgdjg>LOL
[05:27]<gndyvx>1130 is a 1100