PIX log - need help tracking down a device on the network

19 years 1 month ago #7897 by LooseCannon
Hi all, I was wondering if any PIX experts could help me out with this. I have been seeing multiple entries of this for about a week now:

Mar 29 09:58:17 [142.158.13.1.4.2] Mar 29 2005 09:58:17: %FWSM-3-305005: No translation group found for udp src inside:200.0.0.1/137 dst outside:169.254.0.52/137

Mar 29 09:58:30 [142.158.13.1.4.2] Mar 29 2005 09:58:30: %FWSM-3-305005: No translation group found for udp src inside:200.0.0.75/137 dst outside:169.254.0.52/137

The inside source address should be in the 142.158.x.x address range so does this mean there is a computer on the local network spoofing an IP? Also, I don't understand why the 169.254.0.52 address would be showing up as an outside destination address.

Any help would be greatly appreciated.
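A small parser for the two %FWSM-3-305005 lines quoted above, added here as an illustration and not part of the original thread. It pulls out protocol, interface, address and port from each entry and then flags the two oddities the post asks about: an "inside" source that is not in the expected inside range, and a destination in the link-local 169.254.0.0/16 block. The 142.158.0.0/16 inside range is an assumption taken from the post; the sample lines are the ones quoted there.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: the two FWSM syslog lines quoted in the post above.
SAMPLE_LOGS = [
    "Mar 29 09:58:17 [142.158.13.1.4.2] Mar 29 2005 09:58:17: %FWSM-3-305005: "
    "No translation group found for udp src inside:200.0.0.1/137 dst outside:169.254.0.52/137",
    "Mar 29 09:58:30 [142.158.13.1.4.2] Mar 29 2005 09:58:30: %FWSM-3-305005: "
    "No translation group found for udp src inside:200.0.0.75/137 dst outside:169.254.0.52/137",
]

# Assumed: the poster's inside network is the class B 142.158.0.0/16 mentioned in the thread.
EXPECTED_INSIDE = ipaddress.ip_network("142.158.0.0/16")
# 169.254.0.0/16 is the IPv4 link-local (APIPA) block; it should never cross a firewall.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Matches the message body of a %FWSM-3-305005 entry regardless of the syslog prefix.
LOG_RE = re.compile(
    r"%FWSM-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[0-9.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[0-9.]+)/(?P<dst_port>\d+)"
)


def parse_line(line):
    """Return the fields of a %FWSM-3-305005 line as a dict, or None for any other message."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["src_port"] = int(fields["src_port"])
    fields["dst_port"] = int(fields["dst_port"])
    return fields


def flag_entry(entry):
    """List what a defender would want to notice about one parsed entry."""
    src = ipaddress.ip_address(entry["src_ip"])
    dst = ipaddress.ip_address(entry["dst_ip"])
    findings = []
    # A packet arriving on the inside interface with a source outside the inside range
    # is either a misconfigured host, a rogue router/modem, or a spoofed address.
    if entry["src_if"] == "inside" and src not in EXPECTED_INSIDE:
        findings.append("inside source outside expected range " + str(EXPECTED_INSIDE))
    if dst in LINK_LOCAL:
        findings.append("destination is link-local (169.254.0.0/16)")
    # udp/137 is the NetBIOS name service, typical of Windows hosts looking for neighbours.
    if entry["proto"] == "udp" and 137 in (entry["src_port"], entry["dst_port"]):
        findings.append("NetBIOS name service (udp/137)")
    return findings


def analyze(lines):
    """Parse every matching line and return a list of (entry, findings) pairs."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            results.append((entry, flag_entry(entry)))
    return results


def unexpected_sources(lines):
    """Count hits per inside source address that falls outside the expected range."""
    counts = Counter()
    for entry, findings in analyze(lines):
        if any(f.startswith("inside source outside") for f in findings):
            counts[entry["src_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for entry, findings in analyze(SAMPLE_LOGS):
        print(entry["src_ip"], "->", entry["dst_ip"], findings)
    print(unexpected_sources(SAMPLE_LOGS))
```

The per-source counts from `unexpected_sources` are the list to hand to whoever owns the switches: the firewall log only gives IP addresses, so identifying the physical host still needs the MAC address from a capture taken on the inside segment, as the thread goes on to discuss.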
19 years 1 month ago #7902 by stefke
Hi LooseCannon,

Running your error message through the Cisco "Output Interpreter" gave me the following result:

" ERROR MESSAGE NOTIFICATIONS (if any)

%FWSM-3-305005 (x1): No translation group found for protocol.

Explanation: This message indicates that a nat and global command cannot be found for a protocol. The protocol can be TCP, UDP, or ICMP.

Recommended Action: This message can be either an internal error or an error in the configuration."

To enlarge on the answer that message usually indicates you have NAT on but aren't translating that source address *or* that destination address.


If the src address is not on your network it's probably someone routing onto your LAN from a home modem or such internal issue. If the destination address is an address you aren't translating, (because you use it internally somewhere), maybe a router went down and the traffic was incorrectly hitting the PIX...

Hope this is of some use :-)

Greetings,

Stefan
19 years 1 month ago #7909 by sidd
Hi


Explanation => A packet does not match any of the outbound nat rules.

Recommended Action => This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the access-list bound to the nat 0 access-list.


Hope this helps. In case you have any more doubts, let me know....


Sidd
19 years 1 month ago #7910 by LooseCannon
Thanks for the replies, guys. Unfortunately I don't have access to the PIX configuration so I can't look at the access lists. The company I work for (as a co-op student) has thousands of devices, all of which use the 142.158.x.x class B address range. I believe the config is set to only allow legitimate 142.158 source addresses outside the network and that is why the 200.0.0.1 address is being blocked. Static NAT is used but there aren't any literal translations, as the address remains the same on the inside and outside.

My main question, though, is what this device is trying to do. First of all, I suspect that it must be spoofing the IP of 200.0.0.1 or 200.0.0.75 as it is showing up on the inside interface. Secondly, the IP 169.254.x.x is a non-routable IP address, so I am confused as to why a computer, whether it is infected with a virus or not, would spoof an address (therefore it wouldn't be able to establish an end-to-end connection as far as I know) and then would only send unicast traffic to 169.254.0.52, which is not a real IP address.

Also, I presume the only way I would be able to track this computer down is to capture the packets before they hit the firewall so I could see the source MAC in the frame header. Then I would have to go through each switch to find it.

Regardless, the person in charge of network security has just blocked all outgoing traffic to the 169.254 address range for now.
19 years 1 month ago #7928 by sidd
HI,

Are you using the IP address 169.254.0.52 anywhere in your network?

If 142.158.x.x is the inside IP address and, as you stated, you are using static NATs for the IP address, are there any dynamic NATs configured for any subnet?

Also probe into the possibility for the IP address 200.0.0.75: if you have any VPN-connected remote site that you connect to and this range or IP address is allowed in the nat 0 statement or in the access rule defined with it.

sidd
19 years 1 month ago #7929 by tiamat
169.254.x.x is the address range Microsoft uses when a PC is unable to obtain an IP address from DHCP.