It should be easy to see on your firewall. I am assuming the firewall has at least 2 NIC's. It wouldn't be of much use if it didn't. Therefor it should be easy to find out where it comes from.

As for the private addresses, it could be possible (under certain conditions). I know for a fact that private addresses as a source will get routed over the Internet. Private destination addresses shouldn't but maybe somebody screwed up who's on the same segment as you.