Security Basics mailing list archives

RE: Strange response from PIX


From: "Fields, James" <James.Fields () bcbsfl com>
Date: Tue, 5 Jul 2005 11:12:42 -0400

First thing I would do is try to capture the actual packet.  Look at the
ethernet header and determine if the packet is showing up with the PIX
mac address as the source.  If not, you may not have routed this packet
where you think it went. 

If the packet did come "from" the PIX based on its mac address, and if
you are correct that the IP address showing up as the source is not the
PIX interface address, there are two places left where that address
could come from:
1.  The PIX may have that address programmed as a static NAT for
something - perhaps for a router inside the network (not as likely as
the next scenario though).
2.  The address may be the actual address of a router interface inside
your network.  Note that it is quite common for network administrators
to use small "point-to-point" network schemes (usually a tiny 30-bit
masked network) for the segments interconnecting routers on the network
which bear NO relation to the subnets where the hosts live.  In fact,
the address 10.88.112.1 looks like a good candidate for this explanation
simply by virtue of it being a ".1" address.  With no more information
to go on than this, if I HAD to make a bet I would go with this as the
explanation.

Also please note that it is highly unlikely for the PIX to have
generated that message.

-----Original Message-----
From: dissolved [mailto:dissolved () comcast net] 
Sent: Wednesday, June 29, 2005 8:48 PM
To: security-basics () securityfocus com
Subject: Strange response from PIX

Hi all,

From the DMZ (1.0), I ran an nmap scan (-sA switch) towards the subnet
my PIX protects (192.168.2.0 /24).  I ran a sniffer while doing this, and
noticed the PIX responded with an IP of 10.89.112.1.  I don't have a class
A scheme.  Why is this 10.88.112.1 address showing up from the PIX?


05:10:05.232940 IP (tos 0x0, ttl 254, id 39360, offset 0, flags [none],
proto: ICMP (1), length: 56) 10.89.112.1 > 192.168.1.5: ICMP host
192.168.2.1 unreachable - admin prohibited filter, length 36

thanks
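
Added example, not from either poster: a small Python dissector that carries out the first check suggested in the reply on a constructed Ethernet/IPv4/ICMP frame matching the tcpdump line above (10.89.112.1 > 192.168.1.5, ICMP type 3 code 13, 36 bytes of ICMP). It compares the frame's source MAC with an assumed PIX MAC, checks the source IP against assumed PIX interface addresses, and pulls the quoted inner destination (192.168.2.1) out of the unreachable message. The MAC addresses and the PIX interface IPs are placeholders.

```python
import struct
from ipaddress import ip_address

# Placeholders (assumed, not from the thread): the PIX's MAC, some other
# device's MAC, and the interface IPs a PIX-sourced ICMP would carry.
PIX_MAC = "00:11:22:33:44:55"
OTHER_MAC = "00:aa:bb:cc:dd:ee"
PIX_IFACES = {"192.168.1.1", "192.168.2.1"}

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ipv4_header(src, dst, proto, payload_len, ttl=254, ident=39360):
    # Checksum field left zero; parse_frame() does not validate it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                       ttl, proto, 0, ip_address(src).packed, ip_address(dst).packed)

def build_sample_frame(src_mac=OTHER_MAC):
    # Constructed frame: ICMP = 8-byte header + the quoted first 28 bytes of the
    # scanner's probe to 192.168.2.1 (20-byte IP header + 8 bytes of TCP).
    inner = (ipv4_header("192.168.1.5", "192.168.2.1", 6, 8, ttl=64, ident=1)
             + struct.pack("!HHI", 40000, 80, 0))
    icmp = struct.pack("!BBHI", 3, 13, 0, 0) + inner      # type 3, code 13
    outer = ipv4_header("10.89.112.1", "192.168.1.5", 1, len(icmp))
    eth = mac_bytes("00:01:02:03:04:05") + mac_bytes(src_mac) + b"\x08\x00"
    return eth + outer + icmp

def parse_frame(frame):
    # Ethernet source MAC, outer IPv4 addresses, ICMP type/code and, for a
    # destination unreachable, the destination of the quoted original datagram.
    info = {"src_mac": ":".join(f"{b:02x}" for b in frame[6:12])}
    ihl = (frame[14] & 0x0F) * 4
    info["ttl"], info["proto"] = frame[22], frame[23]
    info["src_ip"] = str(ip_address(frame[26:30]))
    info["dst_ip"] = str(ip_address(frame[30:34]))
    icmp = frame[14 + ihl:]
    if info["proto"] == 1:
        info["icmp_type"], info["icmp_code"] = icmp[0], icmp[1]
        if icmp[0] == 3:
            info["inner_dst"] = str(ip_address(icmp[24:28]))  # inner dst field
    return info

def triage(info, pix_mac=PIX_MAC, pix_ifaces=PIX_IFACES):
    # Same decision order as the reply: source MAC first, then source IP.
    if info["src_mac"] != pix_mac.lower():
        return "not from the PIX: source MAC is another device; check routing"
    if info["src_ip"] in pix_ifaces:
        return "sourced by a PIX interface"
    return "forwarded by the PIX: static NAT or an inside router interface"
```

On a real capture, pass parse_frame() the raw bytes of the captured frame instead of build_sample_frame().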
