Security Basics mailing list archives
RE: Strange response from PIX
From: "Fields, James" <James.Fields () bcbsfl com>
Date: Tue, 5 Jul 2005 11:12:42 -0400
First thing I would do is try to capture the actual packet. Look at the Ethernet header and determine if the packet is showing up with the PIX MAC address as the source. If not, you may not have routed this packet where you think it went.

If the packet did come "from" the PIX based on its MAC address, and if you are correct that the IP address showing up as the source is not the PIX interface address, there are two places left where that address could come from:

1. The PIX may have that address programmed as a static NAT for something - perhaps for a router inside the network (not as likely as the next scenario though).

2. The address may be the actual address of a router interface inside your network. Note that it is quite common for network administrators to use small "point-to-point" network schemes (usually a tiny 30-bit masked network) for the segments interconnecting routers on the network which bear NO relation to the subnets where the hosts live. In fact, the address 10.88.112.1 looks like a good candidate for this explanation simply by virtue of it being a ".1" address. With no more information to go on than this, if I HAD to make a bet I would go with this as the explanation.

Also please note that it is highly unlikely for the PIX to have generated that message.

-----Original Message-----
From: dissolved [mailto:dissolved () comcast net]
Sent: Wednesday, June 29, 2005 8:48 PM
To: security-basics () securityfocus com
Subject: Strange response from PIX

Hi all,

From the DMZ (1.0), I ran an nmap scan (-sA switch) towards the subnet my PIX protects (192.168.2.0 /24). I ran a sniffer while doing this, and noticed the PIX responded with an IP of 10.89.112.1. I don't have a class A scheme. Why is this 10.88.112.1 address showing up from the PIX?

05:10:05.232940 IP (tos 0x0, ttl 254, id 39360, offset 0, flags [none], proto: ICMP (1), length: 56) 10.89.112.1 > 192.168.1.5: ICMP host 192.168.2.1 unreachable - admin prohibited filter, length 36

thanks
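
The check described in the reply above, as an added example that is not part of the original thread: it reads link-level capture lines, compares the source MAC with the firewall's, and lists the other end of the link if the odd source address sits on a 30-bit point-to-point segment. The MAC addresses, the PIX interface addresses and the `tcpdump -e` sample lines are constructed assumptions; only the IP addresses and ICMP text come from the quoted capture.

```python
import ipaddress
import re

# Constructed `tcpdump -e -n -v icmp` lines. MACs are made up (documentation
# range); IPs and ICMP text are taken from the capture quoted in the thread.
PIX_MAC = "00:00:5e:00:53:01"  # assumed MAC of the PIX DMZ interface
PIX_IPS = {ipaddress.ip_address(a) for a in ("192.168.1.1", "192.168.2.254")}  # assumed
ICMP = ("(tos 0x0, ttl 254, id 39360, offset 0, flags [none], proto: ICMP (1), "
        "length: 56) 10.89.112.1 > 192.168.1.5: ICMP host 192.168.2.1 "
        "unreachable - admin prohibited filter, length 36")
HDR = "05:10:05.232940 %s > 00:00:5e:00:53:05, ethertype IPv4 (0x0800), length 70: "
FROM_PIX = HDR % PIX_MAC + ICMP
FROM_OTHER = HDR % "00:00:5e:00:53:99" + ICMP

# Source MAC, source IP and the host reported unreachable.
LINE_RE = re.compile(
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?:[0-9a-f]{2}:){5}[0-9a-f]{2},"
    r".*?\) (?P<sip>\d+\.\d+\.\d+\.\d+) > \d+\.\d+\.\d+\.\d+: "
    r"ICMP host (?P<target>\d+\.\d+\.\d+\.\d+) unreachable",
    re.IGNORECASE,
)

def classify(line, pix_mac, pix_ips):
    """Say where an ICMP unreachable came from, judged by its Ethernet source."""
    m = LINE_RE.search(line)
    if m is None:
        return None  # not an ICMP host-unreachable line with a link-level header
    src_ip = ipaddress.ip_address(m["sip"])
    if m["smac"].lower() != pix_mac.lower():
        verdict = "frame-not-from-pix"      # the probe was routed somewhere else
    elif src_ip in pix_ips:
        verdict = "pix-interface-address"   # the PIX itself answered
    else:
        verdict = "forwarded-by-pix"        # static NAT or an inside router's address
    return {"src_ip": str(src_ip), "target": m["target"], "verdict": verdict}

def p2p_peer(ip, prefix=30):
    """Other usable address(es) on the link, assuming a /30 point-to-point segment."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return [str(h) for h in net.hosts() if str(h) != ip]

if __name__ == "__main__":
    print(classify(FROM_PIX, PIX_MAC, PIX_IPS))
    print(p2p_peer("10.89.112.1"))
```
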