Should I be afraid?

  • From: "Nathan Simpson" <nathansimpson@xxxxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Fri, 1 Mar 2002 19:57:55 -0700

Hi,

I was looking at the session information in ISA Console and I saw an IP
address that was way different from any PC on our network.

Our network uses 192.168.0.0 and this session was using the IP address
172.20.60.230 and was using the firewall service.

Only 192.168.10.1 - 192.168.61.254 are entered into the LAT.

I had a look in the firewall logs and I saw this IP entered. There was no
username information and most of the time it had no IP address or hostname
that it was connecting to. Occasionally there was an IP address that it
connected to. The address was 10.x.x.x (at home now can't remember).

I created a Packet Filter that denied this address from connecting to our
network.

There were entries in the packet filter log and these said 'Allowed'.

Only SMTP, POP, IMAP and FTP servers are published (all running on our
AS/400) and FTP is set up so only the IP address of the connecting PC
(which we know) can connect.

As you can see from above we have packet filters enabled but only for VPN
using PPTP and so we can ping out. You can't ping the firewall.

There are no other services running on the firewall. No SMTP, HTTP,
Telnet, FTP, HTTP.

What could it be?

This has got me worried.

TIA

Nathan Simpson
Australian Wool Handlers
Forest Rd
Lara Victoria 3212
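
The check described in the post, as an added example that is not part of the original message: it classifies a session's source address against the LAT range quoted above and the RFC 1918 private blocks. The LAT range and 172.20.60.230 come from the post; the other sample addresses and all function names are constructed for illustration.

```python
import ipaddress

# LAT range as stated in the post (first address, last address).
LAT_RANGES = [("192.168.10.1", "192.168.61.254")]

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lat_networks(ranges):
    """Expand first-last LAT ranges into the CIDR blocks covering them exactly."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def classify(addr, lat):
    """Return 'internal (in LAT)', 'private, outside LAT' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in lat):
        return "internal (in LAT)"
    if any(ip in net for net in RFC1918):
        return "private, outside LAT"
    return "public"


def triage(addresses, ranges=LAT_RANGES):
    """Classify each source address seen in the session list or logs."""
    lat = lat_networks(ranges)
    return {a: classify(a, lat) for a in addresses}


if __name__ == "__main__":
    # Constructed sample list; only 172.20.60.230 is taken from the post.
    sample = ["192.168.10.25", "172.20.60.230", "192.168.0.5", "203.0.113.9"]
    for addr, verdict in triage(sample).items():
        print(f"{addr:15} {verdict}")
```

An address that is private but outside the LAT is not routable across the public Internet, so the places to look are segments and tunnels that terminate on the firewall itself, such as the PPTP VPN mentioned in the post.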

