Security Incidents mailing list archives

Re: Invalid IP address


From: "Kerry Thompson" <kerry () crypt gen nz>
Date: Tue, 22 Oct 2002 15:35:15 +1300 (NZDT)

You seem to be correct, someone on 68.84.8.41 is trying to access various
other sites. One thing that is confusing in the log entries is the port
number (0) which is being reported. Cisco access lists log the entry as
port 0 when you don't explicitly specify the port number in the access
list, so an ACL like :

access-list 100 deny ip 10.0.0.0 0.255.255.255 any log

will create logs with port 0 as the port, however ACLs like :

access-list 100 deny tcp 10.0.0.0 0.255.255.255 any range 0 65535 log
access-list 100 deny udp 10.0.0.0 0.255.255.255 any range 0 65535 log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log

will log the port numbers and produce a more understandable output - i.e.
you will be able to see which port and know which service the device is
attempting to connect to.


Kerry

Steven Lee said:


I am seeing this on my router syslog after I applied an access list on
the internal interface. Can anyone tell me what this could be? The
68.84.8.41 is a comcast IP that is active on the network; however,
someone inside our network is attempting to use it to go out to other
sites? Thanks for your help.

l7.Info       X.X.X.X 38644: .Oct 21 13:40:27: %SEC-6-IPACCESSLOGP: list 101 denied tcp 68.84.8.41(0) -> 67.34.160.17(0), 1 packet
2002-10-21 13:35:37   Local7.Info     X.X.X.X 38645: .Oct 21 13:40:28: %SEC-6-IPACCESSLOGP: list 101 denied tcp 68.84.8.41(0) -> 217.121.116.154(0), 1 packet
[snip]

-- 
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz  kerry () crypt gen nz
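
Added example (not part of the original message and not from either poster): a small Python parser for the %SEC-6-IPACCESSLOGP lines quoted above that treats a 0/0 port pair as "ports not logged", following the explanation in the reply, instead of counting it as traffic to port 0. The regular expression, the function names and the third sample line are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Body of a Cisco IOS %SEC-6-IPACCESSLOGP message (pattern is an assumption
# derived from the two log lines quoted in the post).
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

SAMPLE = [
    # The two lines from the post, with the mail client's line wraps undone.
    "l7.Info X.X.X.X 38644: .Oct 21 13:40:27: %SEC-6-IPACCESSLOGP: "
    "list 101 denied tcp 68.84.8.41(0) -> 67.34.160.17(0), 1 packet",
    "Local7.Info X.X.X.X 38645: .Oct 21 13:40:28: %SEC-6-IPACCESSLOGP: "
    "list 101 denied tcp 68.84.8.41(0) -> 217.121.116.154(0), 1 packet",
    # Constructed line: what an entry looks like once the ACL matches on ports.
    "Local7.Info X.X.X.X 38650: .Oct 21 13:41:02: %SEC-6-IPACCESSLOGP: "
    "list 101 denied tcp 192.0.2.10(1025) -> 198.51.100.7(80), 1 packet",
]

def parse(line):
    """Return a dict for one IPACCESSLOGP line, or None if it does not match."""
    m = LOGP.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "count"):
        entry[key] = int(entry[key])
    # Per the reply: 0/0 appears when the matching ACL entry has no port
    # test, so the ports are unknown, not evidence of port 0 traffic.
    entry["ports_logged"] = not (entry["sport"] == 0 and entry["dport"] == 0)
    return entry

def summarize(lines):
    """Group entries by source: destinations, known dest ports, portless hits."""
    by_src = defaultdict(lambda: {"dsts": set(), "dports": set(), "portless": 0})
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        stats = by_src[entry["src"]]
        stats["dsts"].add(entry["dst"])
        if entry["ports_logged"]:
            stats["dports"].add((entry["proto"], entry["dport"]))
        else:
            stats["portless"] += 1
    return dict(by_src)

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, sorted(s["dsts"]), sorted(s["dports"]), s["portless"])
```

A non-zero "portless" count for a source is the cue to add the tcp/udp range entries shown in the reply before drawing conclusions about which service was targeted.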



