-
IP Spoof
On a simple NT4 network lives a SonicWall firewall. The logs indicate an IP spoof detected and dropped. The source IP address is a private address and the MAC address is listed.
IP spoof detected - Source:192.168.81.1, 137, LAN - Destination:192.168.80.2, 137, WAN - MAC address: 00.0D.56.34.64.8B -
Here's my dilemma: the private range is not on my network; I'm using 10. So I assume that someone (probably an MCSE - sorry about that) has configured a device incorrectly and plugged it into the LAN.
I have scanned the network for the MAC address with no luck. Address not found!
I'm not too worried about this but I would like to find out what's going on - any suggestions?
Thanks,
-
On what interface does this spoof get detected? That should give you a clue if it's originating from the inside or the outside. If it's from the outside (the Internet) you can safely ignore it since your firewall is dropping them.
-
SirDice:
Since the source and destination are private addresses and the MAC address is listed, wouldn't the device have to be on the inside?
-
It should be easy to see on your firewall. I am assuming the firewall has at least 2 NICs. It wouldn't be of much use if it didn't. Therefore it should be easy to find out where it comes from.
As for the private addresses, it could be possible (under certain conditions). I know for a fact that private addresses as a source will get routed over the Internet. Private destination addresses shouldn't but maybe somebody screwed up who's on the same segment as you.
-
www.komododigital.com
Go to their web site and download newt.
Install it and you will find your NIC.
-
OK, the issue was a Cisco VPN Client. A vendor plugged into the network and launched his VPN software; the private addresses showing as "Spoof IP's" were the virtual adaptor and virtual gateway.
This poses a few different questions, I'll try to address them in a later post. Thanks for the help.
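Added example (not part of the thread, and not SonicWall's own tooling): a small Python triage script for log lines in the format quoted in the first post. It answers the "which interface?" question from the log itself and groups the offending sources by MAC. It assumes the LAN is 10.0.0.0/8 and that the field after the port is the interface the packet arrived on; every sample line except the first is constructed.

```python
import ipaddress
import re
from collections import defaultdict

LAN_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: poster only says "I'm using 10"

SPOOF_RE = re.compile(
    r"IP spoof detected - Source:(?P<src>[\d.]+),\s*(?P<sport>\d+),\s*(?P<sif>\w+)"
    r"\s*-\s*Destination:(?P<dst>[\d.]+),\s*(?P<dport>\d+),\s*(?P<dif>\w+)"
    r"\s*-\s*MAC address:\s*(?P<mac>[0-9A-Fa-f]{2}(?:[.:-][0-9A-Fa-f]{2}){5})"
)

def parse_spoof(line):
    """Return a dict for one spoof log line, or None if it does not match."""
    m = SPOOF_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    try:
        src = ipaddress.ip_address(ev["src"])
    except ValueError:
        return None  # malformed address in the log line
    ev["mac"] = re.sub(r"[.-]", ":", ev["mac"]).lower()
    # Assumption: the field after the port is the interface the packet arrived on.
    # LAN ingress + private source outside the LAN range = a locally attached
    # device using foreign addressing, not traffic from the Internet.
    ev["local_foreign"] = ev["sif"] == "LAN" and src.is_private and src not in LAN_NET
    return ev

def summarize(lines):
    """Group locally attached foreign-addressed sources by MAC address."""
    by_mac = defaultdict(lambda: {"sources": set(), "count": 0})
    for line in lines:
        ev = parse_spoof(line)
        if ev and ev["local_foreign"]:
            by_mac[ev["mac"]]["sources"].add(ev["src"])
            by_mac[ev["mac"]]["count"] += 1
    return dict(by_mac)

SAMPLE = [
    # first line is the one from the thread; the rest are constructed
    "IP spoof detected - Source:192.168.81.1, 137, LAN - Destination:192.168.80.2, 137, WAN - MAC address: 00.0D.56.34.64.8B -",
    "IP spoof detected - Source:192.168.81.1, 138, LAN - Destination:192.168.80.2, 138, WAN - MAC address: 00.0D.56.34.64.8B -",
    "IP spoof detected - Source:172.16.5.9, 137, WAN - Destination:10.0.0.5, 137, LAN - MAC address: 00.00.5E.00.53.01 -",
    "Web site blocked - Source:10.0.0.7, 1042, LAN - Destination:198.51.100.4, 80, WAN -",
]

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE).items():
        print(mac, sorted(info["sources"]), info["count"])
```

The normalized MAC can then be looked up in switch address tables to find the port the device is plugged into.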