Duplicate address 192.168.3.15 on Ethernet0/0--An Attack??


Postby brianmbi1 on Thu Jul 01, 2010 4:15 pm

Code:
NAT_Router#sh logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 279 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: disabled
    Trap logging: level debugging, 283 message lines logged
        Logging to 192.168.3.15, 164 message lines logged
NAT_Router#sh logging history
Syslog History Table:1 maximum table entries,
saving level warnings or higher
1675 messages ignored, 0 dropped, 0 recursion drops
11402 table entries flushed
SNMP notifications not enabled
   entry number 11403 : IP-4-DUPADDR
    Duplicate address 192.168.3.15 on Ethernet0/0, sourced by 'mac-address'
    timestamp: 57763917

I'm not sure how a duplicate address occurred here. The router is configured as a DHCP server and 192.168.3.15 is an excluded-address because it serves as one of my servers on my local LAN. The MAC-ADDRESS is the hardware address of my syslog's NIC. If this is an attack from the Internet, please tell me what ACL I need to implement on my outside interface. Here are the ACLs that I currently have configured for both 'out' and 'in' on E0/1, which is my outside interface:
Code:
interface Ethernet0/1
 description External Ethernet Interface to Internet
 mac-address 0017.3f7f.ad35
 ip address dhcp
 ip access-group 113 in
 ip access-group 101 out
 no ip redirects
 ip nat outside
 no ip mroute-cache
 no cdp enable

access-list 1 permit 192.168.3.0 0.0.0.255
access-list 3 permit 192.168.3.0 0.0.0.255
access-list 101 remark Deny Illegitimate Traffic go outbound
access-list 101 deny   tcp any any eq 135 log-input
access-list 101 deny   tcp any eq 135 any log-input
access-list 101 deny   udp any any eq 135 log-input
access-list 101 deny   udp any eq 135 any log-input
access-list 101 deny   tcp any any range 137 139 log-input
access-list 101 deny   tcp any range 137 139 any log-input
access-list 101 deny   udp any any range netbios-ns netbios-ss log-input
access-list 101 deny   udp any range netbios-ns netbios-ss any log-input
access-list 101 deny   tcp any any eq 445 log-input
access-list 101 deny   tcp any eq 445 any log-input
access-list 101 deny   udp any any eq 445 log-input
access-list 101 deny   udp any eq 445 any log-input
access-list 101 deny   tcp any any eq 593 log-input
access-list 101 deny   tcp any eq 593 any log-input
access-list 101 deny   tcp any any eq 707 log-input
access-list 101 deny   tcp any eq 707 any log-input
access-list 101 deny   tcp any any eq 4444 log-input
access-list 101 deny   tcp any eq 4444 any log-input
access-list 101 deny   ip host 0.0.0.0 any log-input
access-list 101 deny   ip host 255.255.255.255 any log-input
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny   ip any 10.0.0.0 0.255.255.255 log-input
access-list 101 deny   ip any 172.16.0.0 0.15.255.255 log-input
access-list 101 permit ip 24.49.64.0 0.0.31.255 any
access-list 101 deny   ip any any log-input
access-list 113 deny   udp any any eq snmp log-input
access-list 113 permit ip any any log-input
access-list 113 deny   tcp any host 'my ip address' eq echo log-input
access-list 113 deny   tcp any host 'my ip address' eq discard log-input
access-list 113 deny   tcp any host 'my ip address' eq daytime log-input
access-list 113 deny   tcp any host 'my ip address' eq chargen log-input
access-list 113 deny   tcp any host 'my ip address' eq finger log-input
access-list 113 deny   ip 192.168.0.0 0.0.0.255 any log-input
access-list 113 deny   ip 172.16.0.0 0.0.255.255 any log-input
access-list 113 deny   ip 10.0.0.0 0.255.255.255 any log-input
access-list 113 deny   ip host 0.0.0.0 any log-input
access-list 113 deny   ip 224.0.0.0 31.255.255.255 any log-input
access-list 113 deny   icmp any any redirect log-input
access-list 113 permit tcp any any eq www log-input
access-list 113 permit tcp any any eq smtp log-input
access-list 113 permit tcp any any eq pop3 log-input
access-list 113 permit tcp any any eq ftp log-input
access-list 113 permit tcp any any eq ftp-data log-input
access-list 113 deny   tcp any any eq telnet log-input
no cdp run
brianmbi1
 

Re: Duplicate address 192.168.3.15 on Ethernet0/0--An Attack??

Postby brianmbi1 on Thu Jul 01, 2010 4:15 pm

Not too sure if this is being seen by anybody. Could somebody please let me know if they can see this thread?
brianmbi1
 

Re: Duplicate address 192.168.3.15 on Ethernet0/0--An Attack??

Postby Keith Barker on Thu Jul 01, 2010 4:16 pm

I would check the device acting as the syslog server and verify no one tried to change the IP address to the one reserved, as well as make sure the syslog server isn't running any extra applications that may be trying to access additional IP addresses. It is also possible that, if the syslog server did try to get an IP address via DHCP and there is another DHCP loose on the network, the 2nd DHCP server may have tried to hand out that IP address again. Usually, a DHCP server will ping the address it is about to hand out to verify it is not in use.

I wouldn't think that a duplicate IP message, on the inside, is a direct attack on the network, but more likely a DHCP function gone wrong.


Best wishes,
Keith
Keith Barker
 

Re: Duplicate address 192.168.3.15 on Ethernet0/0--An Attack??

Postby brianmbi1 on Thu Jul 01, 2010 4:16 pm

Thanks Keith!

I found the problem with my PC running 3 NICs. And having TFTP32 running DHCP from a prior network configuration....


So easy fix...
brianmbi1
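
Added example, not part of any post in this thread: a triage script for the %IP-4-DUPADDR events discussed above. It checks whether the "sourced by" MAC is the recorded owner of the address (as it was here, pointing at the host itself) or an unknown device. The inventory, the MAC values and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed inventory of statically assigned hosts (IP -> expected MAC).
# The MAC values are placeholders, not taken from the thread.
STATIC_HOSTS = {"192.168.3.15": "0011.2233.4455"}

# Constructed sample syslog lines carrying IOS %IP-4-DUPADDR messages.
SAMPLE_LOG = """\
Jul  1 16:01:12 192.168.3.1 45: %IP-4-DUPADDR: Duplicate address 192.168.3.15 on Ethernet0/0, sourced by 0011.2233.4455
Jul  1 16:01:42 192.168.3.1 46: %IP-4-DUPADDR: Duplicate address 192.168.3.15 on Ethernet0/0, sourced by 0011.2233.4455
Jul  1 16:02:05 192.168.3.1 47: %SYS-5-CONFIG_I: Configured from console by console
Jul  1 16:03:30 192.168.3.1 48: %IP-4-DUPADDR: Duplicate address 192.168.3.20 on Ethernet0/0, sourced by 00AA.BBCC.DDEE
"""

DUPADDR = re.compile(
    r"%IP-4-DUPADDR: Duplicate address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"on (?P<intf>\S+), sourced by (?P<mac>[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2})"
)

def norm_mac(mac):
    """Lowercase and strip separators so differently formatted MACs compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def triage(log_text, inventory):
    """Return {(ip, intf, mac): (count, verdict)} for every DUPADDR event."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DUPADDR.search(line)
        if m:
            counts[(m["ip"], m["intf"], norm_mac(m["mac"]))] += 1
    report = {}
    for (ip, intf, mac), n in counts.items():
        owner = inventory.get(ip)
        if owner is None:
            verdict = "ip-not-in-inventory"  # address has no recorded owner
        elif norm_mac(owner) == mac:
            verdict = "known-owner"          # check that host's NICs and services
        else:
            verdict = "unknown-mac"          # locate the device on its switch port
        report[(ip, intf, mac)] = (n, verdict)
    return report

if __name__ == "__main__":
    for (ip, intf, mac), (n, verdict) in triage(SAMPLE_LOG, STATIC_HOSTS).items():
        print(f"{ip} on {intf} from {mac}: {n} event(s), {verdict}")
```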
 

