Status: Solved

Netscreen 25 Firewall displays wrong IP addresses

I have a Netscreen 25 firewall.

Today I saw a bunch of outgoing traffic on an IP address that I did not have listed as part of our IP block of computers, although it was a valid IP.

Our static IP range is xxx.xxx.xxx.1 to xxx.xxx.xxx.254 and it was IP .7

So, I blocked all outgoing traffic on .7 using our firewall.  

Later I got a complaint from a user that they could not access the internet. IP .86 was the IP on their computer.

I am unable to PING .7 or .86.  I then unblocked IP .7 and the computer with IP .86 could again access the internet.

So, my question is, how can a computer be configured to use an IP address .86 that I cannot PING AND the firewall thinks is a different IP .7. Is this an indication that the firewall is bad?

Asked by: handyjay

2 Solutions

Sanga Collins (Systems Admin) commented:
There are a few reasons that this could be happening. Computer .86 could be proxying traffic through .7. There could also be a route statement sending traffic from .86 through .7, and lastly there could be mapped IPs causing this kind of behaviour.

I think you may have to use netscreen debugging to see what's going on. Try the following to get the debug results. From the command line (I am assuming 192.168.1.x/24 is your network):

set ff src-ip 192.168.1.86 dst-ip <ip of website or other public ip address>
debug flow basic
clear db



.... start traffic test here. Either ping the public IP or surf to the website IP specified above.

undebug all
get db str




The results will show exactly where the packets are going. You may want to try with a few different destination IP addresses and see more results.

You can do this by doing the following at the command line:

unset ff
set ff src-ip <ip address> dst-ip <ip address>

src-ip and dst-ip are in a single command so the firewall knows to debug only traffic that matches both source and destination.
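As an added example that is not part of any answer in this thread: the ScreenOS CLI checks for the three explanations Sanga Collins lists (a mapped IP, a route, traffic relayed through .7), the two-interface possibility raised below, and the flow trace itself, assuming the 192.168.1.0/24 network from the answer and 203.0.113.10 as a placeholder public destination. Lines beginning with # are annotations for the reader, not commands.

```screenos
# 1. Is 192.168.1.7 a mapped IP, or does a policy translate source addresses?
get mip
get policy
# 2. Does a route on the firewall send .86's traffic via .7 as a next hop?
get route
# 3. What source address does the firewall actually record in live sessions?
get session src-ip 192.168.1.86
get session src-ip 192.168.1.7
# 4. Two NICs on one host? Compare the MAC addresses learned for .7 and .86.
get arp
# 5. Flow trace limited to one host and one destination (placeholder IP),
#    so the debug buffer only holds the traffic in question.
unset ffilter
set ffilter src-ip 192.168.1.86 dst-ip 203.0.113.10
get ffilter
clear dbuf
debug flow basic
# ... from the .86 host, ping 203.0.113.10 or browse to it, then stop:
undebug all
get dbuf stream
# 6. Remove the filter so it does not silently restrict later debug sessions.
unset ffilter
clear dbuf
```

In the `get session` output, a translated source on .86's sessions points at NAT or a MIP, while an identical MAC address for .7 and .86 in `get arp` points at one host with two addresses.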

Brian commented:
When it comes to not being able to ping, there are a few possibilities. The most likely is a software firewall like the Windows Firewall or one built in to anti-virus software.

Another thought on multiple IPs: does the computer in question have two NICs, or a wireless and a wired connection that could both be on?

Sanga Collins (Systems Admin) commented:
Just curious: what was the problem in the end?