Constant 10-12 connections on NEW PIX config???

Status
Not open for further replies.

pacman662860
Sep 10, 2003
Could somebody shed some light on this for me? I just got our PIX configured and running and I built a static NAT for an inside host (172.25.25.200) which is NAT'd to 66.172.157.200, and the log is showing a constant flow of these connection attempts (SYN). I tried to have them dropped by adding an access-list entry (access-list 100 deny ip any 118.0.0.0 255.0.0.0) but am still seeing the log flood with countless attempts at sequentially increasing ports. I assume this is a SYN DOS or flood, no? Can anyone give me some advice on how to stop it, please?

302014: Teardown TCP connection 1912035 for outside:118.81.139.105/135 to inside:172.25.25.200/4337 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 1912036 for outside:118.81.139.106/135 to inside:172.25.25.200/4338 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 1912037 for outside:118.81.139.107/135 to inside:172.25.25.200/4339 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 1912038 for outside:118.81.139.108/135 to inside:172.25.25.200/4340 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 1912039 for outside:118.81.139.109/135 to inside:172.25.25.200/4341 duration 0:02:01 bytes 0 SYN Timeout

302013: Built outbound TCP connection 1913394 for outside:118.81.144.185/135 (118.81.144.185/135) to inside:172.25.25.200/1750 (66.172.157.200/1750)
302013: Built outbound TCP connection 1913395 for outside:118.81.144.186/135 (118.81.144.186/135) to inside:172.25.25.200/1751 (66.172.157.200/1751)
302013: Built outbound TCP connection 1913396 for outside:118.81.144.187/135 (118.81.144.187/135) to inside:172.25.25.200/1752 (66.172.157.200/1752)
 
Well, viruses in circulation right now use 135 to spread, so it could be a virus. It looks like it is your host starting the session, i.e. "Built outbound TCP connection".

I would take a look at that host 172.25.25.200, see if a virus has gotten in.

Jan
 
Thanks Jan, that is in fact what it was. I had the mblast.exe virus running on the host machine I was testing with. LOL. netstat -n showed me the SYN_SENT's from the host that were queued up! Thanks for the tip!

Mark
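
The diagnosis reached in this thread can be automated. The following is an added example, not part of the original posts: it parses PIX 302013/302014 records in the layout shown above and flags an inside host that opens outbound connections to many distinct outside addresses on one port. The function name and the `min_targets` threshold are assumptions, with the threshold set low so that the short excerpt triggers it.

```python
import re
from collections import defaultdict

# PIX syslog 302013 (built) / 302014 (teardown), in the layout shown in the post.
BUILT = re.compile(
    r"302013: Built (?P<dir>inbound|outbound) TCP connection \d+ for "
    r"outside:(?P<oip>[\d.]+)/(?P<oport>\d+) \([^)]*\) to inside:(?P<iip>[\d.]+)/\d+")
TEARDOWN = re.compile(
    r"302014: Teardown TCP connection \d+ for outside:[\d.]+/(?P<oport>\d+) "
    r"to inside:(?P<iip>[\d.]+)/\d+ duration \S+ bytes (?P<bytes>\d+)(?: (?P<reason>.+))?")

def find_scanners(lines, min_targets=3):
    """Inside hosts opening outbound connections to >= min_targets distinct
    outside IPs on one destination port, with their 0-byte SYN timeouts."""
    targets = defaultdict(set)     # (inside_ip, dst_port) -> outside IPs contacted
    unanswered = defaultdict(int)  # (inside_ip, dst_port) -> 0-byte SYN timeouts
    for line in lines:
        line = line.strip()
        m = BUILT.search(line)
        if m:
            if m["dir"] == "outbound":  # the inside host started the session
                targets[(m["iip"], int(m["oport"]))].add(m["oip"])
            continue
        # 302014 carries no direction here, so timeouts are only a supporting count.
        m = TEARDOWN.search(line)
        if m and m["reason"] == "SYN Timeout" and m["bytes"] == "0":
            unanswered[(m["iip"], int(m["oport"]))] += 1
    return {key: {"targets": len(ips), "syn_timeouts": unanswered[key]}
            for key, ips in targets.items() if len(ips) >= min_targets}

# Log lines from the post (terminal wrapping removed); the last one is constructed.
SAMPLE = [
    "302014: Teardown TCP connection 1912035 for outside:118.81.139.105/135 to inside:172.25.25.200/4337 duration 0:02:01 bytes 0 SYN Timeout",
    "302014: Teardown TCP connection 1912036 for outside:118.81.139.106/135 to inside:172.25.25.200/4338 duration 0:02:01 bytes 0 SYN Timeout",
    "302014: Teardown TCP connection 1912037 for outside:118.81.139.107/135 to inside:172.25.25.200/4339 duration 0:02:01 bytes 0 SYN Timeout",
    "302014: Teardown TCP connection 1912038 for outside:118.81.139.108/135 to inside:172.25.25.200/4340 duration 0:02:01 bytes 0 SYN Timeout",
    "302014: Teardown TCP connection 1912039 for outside:118.81.139.109/135 to inside:172.25.25.200/4341 duration 0:02:01 bytes 0 SYN Timeout",
    "302013: Built outbound TCP connection 1913394 for outside:118.81.144.185/135 (118.81.144.185/135) to inside:172.25.25.200/1750 (66.172.157.200/1750)",
    "302013: Built outbound TCP connection 1913395 for outside:118.81.144.186/135 (118.81.144.186/135) to inside:172.25.25.200/1751 (66.172.157.200/1751)",
    "302013: Built outbound TCP connection 1913396 for outside:118.81.144.187/135 (118.81.144.187/135) to inside:172.25.25.200/1752 (66.172.157.200/1752)",
    "302013: Built outbound TCP connection 1913400 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:172.25.25.201/1100 (66.172.157.201/1100)",
]

if __name__ == "__main__":
    for (host, port), stats in find_scanners(SAMPLE).items():
        print(f"{host} -> tcp/{port}: {stats['targets']} targets, "
              f"{stats['syn_timeouts']} unanswered SYNs")
```

On a real log, raise `min_targets` well above 3 so that ordinary clients talking to a handful of servers on the same port are not flagged.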
 