
PIX logs: deny inside source with IP of outside host??


DaneM

MIS
Jan 3, 2003
3
US
I'm getting some strange firewall logs from my PIX 515. The inside network consists of only 10.0.0.0/8 IP space, yet I get thousands of these logs on my firewall.

%PIX-3-305005: No translation group found for udp src inside:172.174.20.254 (ACAE14FE.ipt.aol.com) /137 dst outside:216.239.33.100 ( /137

The outside destinations for all the logs are mainly *.yahoo.com, *.eonline.com and for what it's worth. I know that udp 137 is mostly ignorable, but the inside source IP makes me wonder what's going on.

My guess is that I have a user connecting to our network using VPN (on a Win2k box) with the "Use default gateway on remote network" selection checked in TCP/IP properties, and also using AOL over TCP/IP, which is masking a proxy server as its source and being routed through the VPN tunnel to our inside network, then out to the 'net. Does this make any sense?

ping
Pinging ACAE14FE.ipt.aol.com [172.174.20.254] with 32 bytes of data:
Reply from 68.46.160.118: bytes=32 time=92ms TTL=112


traceroute - last two hops
13 83 ms 82 ms 82 ms ipt-md09.proxy.aol.com [64.12.104.228]
14 92 ms 92 ms 96 ms pcp01767690pcs.audubn01.nj.comcast.net [68.46.160.118]
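The check the poster is doing by eye (an address logged on the inside interface that does not belong to the inside address space) is easy to automate, and is the kind of thing worth running over a day of PIX syslog before deciding it is ignorable. The following is an added example, not code from the thread; it assumes the inside network is exactly 10.0.0.0/8 as the poster states, parses the %PIX-3-305005 message with a regular expression written here (tolerant of the empty "( " hostname field visible in the quoted line), and flags any inside-interface source that falls outside the expected prefixes. The first sample line is the one quoted in the post; the other lines and their addresses are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Expected inside address space, as stated by the poster (assumption for the example).
INSIDE_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]

# Regex written for this example against the quoted message format.
# The "(hostname)" after each address is optional, and the closing ")" may be
# missing, which is exactly what the quoted line shows for the destination.
PIX_305005 = re.compile(
    r"%PIX-\d-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)(?:\s*\([^)]*\)?)?\s*/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)(?:\s*\([^)]*\)?)?\s*/(?P<dst_port>\d+)"
)

# Line 1 is the poster's log line; the rest are constructed sample input
# (destinations use documentation ranges, not real hosts).
SAMPLE_LINES = [
    "%PIX-3-305005: No translation group found for udp src inside:172.174.20.254 "
    "(ACAE14FE.ipt.aol.com) /137 dst outside:216.239.33.100 ( /137",
    "%PIX-3-305005: No translation group found for udp src inside:172.174.20.254 "
    "(ACAE14FE.ipt.aol.com) /137 dst outside:203.0.113.10 /137",
    "%PIX-3-305005: No translation group found for tcp src inside:10.1.2.3 /1234 "
    "dst outside:203.0.113.20 /80",
    "Jan 3 2003 10:00:00 fw1 : unrelated syslog text that should be skipped",
]


def parse_305005(line):
    """Return a dict of the message fields, or None if the line is not a 305005."""
    m = PIX_305005.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["src_port"] = int(ev["src_port"])
    ev["dst_port"] = int(ev["dst_port"])
    return ev


def is_foreign_inside_source(ev, inside_prefixes=INSIDE_PREFIXES):
    """True when the packet arrived on 'inside' from an address not in our inside space.

    That is the anomaly in the thread: an AOL address showing up as an inside
    source, which points at a remote VPN client routing its default gateway
    through the tunnel rather than at an inside host.
    """
    if ev["src_if"] != "inside":
        return False
    src = ipaddress.ip_address(ev["src_ip"])
    return not any(src in net for net in inside_prefixes)


def audit(lines, inside_prefixes=INSIDE_PREFIXES):
    """Return (number of 305005 lines parsed, Counter of foreign inside source IPs)."""
    parsed = 0
    foreign = Counter()
    for line in lines:
        ev = parse_305005(line)
        if ev is None:
            continue
        parsed += 1
        if is_foreign_inside_source(ev, inside_prefixes):
            foreign[ev["src_ip"]] += 1
    return parsed, foreign


if __name__ == "__main__":
    count, foreign = audit(SAMPLE_LINES)
    print(f"parsed {count} 305005 messages")
    for ip, n in foreign.most_common():
        print(f"foreign inside source {ip}: {n} hits")
```

Feeding the real syslog file in line by line gives a per-address tally; a single remote-access client with "Use default gateway on remote network" enabled typically shows up as one or two foreign addresses generating a large share of the hits, which is what the poster's thousands of identical lines suggest.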
 
Hi.

Yes, it makes sense.

You can consider switching to Cisco VPN which can be more secure (at least compared to PPTP) and also has the split-tunnel option.

You can also tell the VPN users to remove the "use default gateway" option on their VPN connection properties.

Bye
Yizhar Hurwitz
 