IP Spoof

[dinowuff]

On a simple NT4 network lives a Sonic Wall Firewall. The logs indicate a IP Spoof detected and dropped. The source IP address is a private address and the MAC address is listed.

IP spoof detected - Source:192.168.81.1, 137, LAN - Destination:192.168.80.2, 137, WAN - MAC address: 00.0D.56.34.64.8B -

Here's my dilemma: The private range is not on my network, I'm using 10. So I assume that someone (Probably a MCSE - Sorry about that) has configured a device incorrectly and plugged into the LAN.

I have scanned the network for the MAC address with no luck. Address not found!

I'm not too worried about this but I would like to find out what's going on - any suggestions?

Thanks,

[SirDice]

On what interface does this spoof get detected? That should give you a clue if it's originating from the inside or the outside. If it's from the outside (the Internet) you can safely ignore it since your firewall is dropping them.

[dinowuff]

SirDice:

Since the source and destination are private addresses and the mac address is listed, wouldn't the device have to be on the inside?

[SirDice]

It should be easy to see on your firewall. I am assuming the firewall has at least 2 NIC's. It wouldn't be of much use if it didn't. Therefor it should be easy to find out where it comes from.

As for the private addresses, it could be possible (under certain conditions). I know for a fact that private addresses as a source will get routed over the Internet. Private destination addresses shouldn't but maybe somebody screwed up who's on the same segment as you.

[netman4ttm]

www.komododigital.com

Go to their web site download newt.

Install and you will find your NIC

[dinowuff]

OK, the issue was a Cisco VPN Client. Vendor plugged into the network and launched his VPN software, the private address' showing as "Spoof IP's" were the virtual adaptor and virtual gateway.

This poses a few different questions, I'll try to address them in a later post. Thanks for the help.