Scenario:
2 Networks: "Corporate" and "Production", both behind SonicWALL TZ 170 Firewalls with a VPN connection between them.
Corporate is in the range 192.168.253.0/24.
There is an Exchange server here with address 192.168.253.26.
Production is in the range 192.168.254.0/24.
This network has a limited number of devices all inside a locked rack in a data-center.
I have Exchange Server configured to accept relaying from 192.168.254.0/24.
A few days ago, we started to get a ton of spam relayed through our Exchange Server. I did a packet trace from the Exchange Servr and found the packets are coming from 192.168.254.253. This is an address within the Production network. There is no device on that network with that address.
The source MAC address of the packets is from the Corporate SonicWALL.
Here is what I have done to narrow down the problem:
1. If I disable the VPN between the two networks, the traffic ceases immediately.
2. If I disconnect the Production SonicWALL from the LAN (so only the WAN port is connected to the Internet) the traffic continues.
3. Performing a packet trace on the Corporate SonicWALL itself indicates that the traffic is coming from it (no new information there).
4. Perfoming a packet trace on the Production SonicWALL indicates no traffic to or from this address.
What is going on here? Has my VPN been hijacked? I have changed the preshared keys and even changed encryption from 3DES to AES-128, but nothing helps.
I blocked the 192.168.254.253 address from the SMTP virtual server, so now all I get are connection attempts (SYN, SYN/ACK, ACK, FIN/ACK, ACK).
Start Free Trial
