Firewall Wizards mailing list archives

Odd PIX / router behavior


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Wed, 29 Oct 2003 17:18:08 -0500

Has anyone seen anything like this before?

pix# ping inside 127.0.0.1
        127.0.0.1 NO response received -- 1000ms
        127.0.0.1 NO response received -- 1000ms
        127.0.0.1 NO response received -- 1000ms

The above is what I expect to get when I ping 127.0.0.1 from a PIX.

pix# ping outside 127.0.0.1
        127.0.0.1 response received -- 20ms
        127.0.0.1 response received -- 10ms
        127.0.0.1 response received -- 10ms

The above is *NOT* what I expected to get when pinging 127.0.0.1 from a PIX.  

In this case, the PIX is a 506 running 6.1(4) and its outside interface is connected to a Cisco 1605 (IOS version 
unknown) via cross-over cable.  Despite the responses, 127.0.0.1 never appears in the PIX's ARP table.  I was thinking 
the router may be misconfigured:

# ping Y.Y.Y.Y                                                    
        Y.Y.Y.Y response received -- 0ms
        Y.Y.Y.Y response received -- 0ms
        Y.Y.Y.Y response received -- 0ms

That seems to rule out the router, since the response times are so different, and put the source of this traffic at 
least another hop or so away.  At this point, I am at a loss for how or why this is happening.  My next move will 
probably be to configure the 1605 with access-lists to drop reserved and special address ranges, but I'd really like to 
get to the bottom of this before I shut the door on it.

This investigation started when a customer began seeing spoofing messages in their firewall logs:

106016: Deny IP spoof from (127.0.0.1) to X.X.X.X on interface outside

My initial reaction was that the inside host that is statically NAT-ed to X.X.X.X was infected with MS-Blaster 
(http://www.securityfocus.com/archive/75/335132/2003-08-21/2003-08-27/0), but that's been ruled out.

Thanks,
PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
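
Added example, not part of the original post and not Cisco tooling: a Python script that tallies 106016 messages in the format quoted above and labels each source by the special-purpose IPv4 range it falls in, which is the inventory needed before writing the drop rules the poster mentions. The sample log lines (timestamps, `%PIX-n-` prefix layout, 198.51.100.x and 203.0.113.x addresses) are constructed, and the range list is an assumption rather than something taken from the post.

```python
import ipaddress
import re
from collections import Counter

# Assumed list of special-purpose IPv4 source ranges (not from the post).
SPECIAL = [(ipaddress.ip_network(n), label) for n, label in [
    ("0.0.0.0/8", "this-network"), ("10.0.0.0/8", "rfc1918"),
    ("127.0.0.0/8", "loopback"), ("169.254.0.0/16", "link-local"),
    ("172.16.0.0/12", "rfc1918"), ("192.0.2.0/24", "test-net"),
    ("192.168.0.0/16", "rfc1918"), ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved"),
]]

# Message layout as quoted in the post; the destination may be redacted.
SPOOF_RE = re.compile(
    r"106016: Deny IP spoof from \((?P<src>[0-9.]+)\) "
    r"to (?P<dst>\S+) on interface (?P<ifc>\S+)")

def classify(addr):
    """Return the label of the special range holding addr, else None."""
    ip = ipaddress.ip_address(addr)
    return next((label for net, label in SPECIAL if ip in net), None)

def summarize(lines):
    """Count 106016 events per (interface, source class, source, dest)."""
    counts = Counter()
    for line in lines:
        m = SPOOF_RE.search(line)
        if not m:
            continue  # other message IDs are out of scope here
        try:
            label = classify(m["src"]) or "routable"
        except ValueError:
            continue  # malformed source address in the log line
        counts[(m["ifc"], label, m["src"], m["dst"])] += 1
    return counts

# Constructed sample lines: timestamps, prefix and addresses are made up.
SAMPLE = [
    "Oct 29 2003 17:01:12: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 198.51.100.10 on interface outside",
    "Oct 29 2003 17:01:14: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 198.51.100.10 on interface outside",
    "Oct 29 2003 17:01:15: %PIX-4-106023: Deny tcp src outside:203.0.113.7/4312 dst inside:198.51.100.10/135",
    "Oct 29 2003 17:01:19: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 198.51.100.10 on interface outside",
    "Oct 29 2003 17:02:03: %PIX-2-106016: Deny IP spoof from (127.0.0.5) to 198.51.100.10 on interface outside",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```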

