Security Basics mailing list archives
RE: Strange response from PIX
From: "jpippin" <jpippin () gmail com>
Date: Thu, 7 Jul 2005 00:32:14 -0400
Vinny-

I thought the IP he's seeing was the first hop gateway for the cable modem, not the CMTS at the local office. Does the CMTS act as the direct upstream link (i.e., the gateway)? You sound as if you know for sure, so is my first statement incorrect?

-Joel

-----Original Message-----
From: Vinny Lape [mailto:vinny () cardiactelecom com]
Sent: Monday, July 04, 2005 5:46 PM
To: security-basics () securityfocus com
Subject: RE: Strange response from PIX

Read the response I sent you last week. The traffic you see is the CMTS talking to your cable modem. That is why it is showing as 10.X on the outside interface.

-----Original Message-----
From: dissolved [mailto:dissolved () comcast net]
Sent: Thursday, June 30, 2005 5:36 PM
To: 'Vinny Lape'
Cc: security-basics () securityfocus com
Subject: RE: Strange response from PIX

Hi,

Yes, my internal IP scheme is 192.168.x.x/24. This response was coming from the external interface of the PIX. I have no dual nic'd servers; one of the servers has a trunk card in it, but all of its IPs are in the 192.168.1.0/24 network. I'm viewing the running config of the PIX right now, and nowhere do I see a 10. address....

Thanks

-----Original Message-----
From: Vinny Lape [mailto:vinny () cardiactelecom com]
Sent: Thursday, June 30, 2005 4:42 PM
To: 'dissolved'
Subject: RE: Strange response from PIX

What is your internal IP scheme, 192.168.x.X? Do you have anyone tinkering with IP addys in-house? What eth is this 10.X coming from? If from inside, do you have any servers with dual NICs? Anyhow, with a bit more info I may be able to help.

-----Original Message-----
From: dissolved [mailto:dissolved () comcast net]
Sent: Wednesday, June 29, 2005 8:48 PM
To: security-basics () securityfocus com
Subject: Strange response from PIX

Hi all,

From the DMZ (1.0), I ran an nmap scan (-sA switch) towards the subnet my PIX protects (192.168.2.0 /24). I ran a sniffer while doing this, and noticed the PIX responded with an IP of 10.89.112.1. I don't have a class A scheme. Why is this 10.88.112.1 address showing up from the PIX?

05:10:05.232940 IP (tos 0x0, ttl 254, id 39360, offset 0, flags [none], proto: ICMP (1), length: 56)
    10.89.112.1 > 192.168.1.5: ICMP host 192.168.2.1 unreachable - admin prohibited filter, length 36

thanks
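
An added example, not part of the original thread: a Python check that parses `tcpdump -v` ICMP unreachable records like the one quoted in the post and reports error sources that fall outside the locally configured networks. `KNOWN_NETS` is an assumption built from the subnets named in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Assumption: local address plan taken from the subnets named in the thread.
KNOWN_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.0/24")]

# Sample capture: the tcpdump -v record quoted in the post (header + detail line).
SAMPLE = """\
05:10:05.232940 IP (tos 0x0, ttl 254, id 39360, offset 0, flags [none], proto: ICMP (1), length: 56)
    10.89.112.1 > 192.168.1.5: ICMP host 192.168.2.1 unreachable - admin prohibited filter, length 36
"""

HEADER = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?ttl (?P<ttl>\d+),.*proto:? ICMP")
DETAIL = re.compile(
    r"^\s*(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?:host|net) (?P<target>[\d.]+) "
    r"unreachable(?: - (?P<reason>[^,]+))?"
)

def parse_unreachables(text):
    """Yield one dict per ICMP unreachable record in tcpdump -v output."""
    header = None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            header = h          # remember the IP header line, detail follows
            continue
        d = DETAIL.match(line)
        if d and header:
            src = ipaddress.ip_address(d["src"])
            yield {
                "ts": header["ts"], "ttl": int(header["ttl"]),
                "src": src, "dst": ipaddress.ip_address(d["dst"]),
                "target": ipaddress.ip_address(d["target"]),
                "reason": (d["reason"] or "").strip(),
                "src_known": any(src in n for n in KNOWN_NETS),
                "src_private": src.is_private,
            }
            header = None

def unexpected_sources(text):
    """Records whose ICMP error came from an address outside KNOWN_NETS."""
    return [r for r in parse_unreachables(text) if not r["src_known"]]

if __name__ == "__main__":
    for r in unexpected_sources(SAMPLE):
        kind = "private" if r["src_private"] else "public"
        print(f'{r["ts"]} {r["src"]} ({kind}, ttl {r["ttl"]}) '
              f'answered for {r["target"]}: {r["reason"]}')
```

A private source address that is absent from the firewall's own configuration, as here, points at a device on the path rather than at a local interface, which is the question the replies in the thread go on to discuss.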
Current thread:
- RE: Strange response from PIX dissolved (Jul 04)
- RE: Strange response from PIX Vinny Lape (Jul 05)
- RE: Strange response from PIX jpippin (Jul 11)
- <Possible follow-ups>
- RE: Strange response from PIX Andrew Shore (Jul 04)
- RE: Strange response from PIX Fields, James (Jul 05)
- RE: Strange response from PIX Vinny Lape (Jul 05)