Re: Invalid IP address

From: Kerry Thompson (kerryat_private)
Date: Mon Oct 21 2002 - 19:35:15 PDT


    You seem to be correct, someone on 68.84.8.41 is trying to access various
    other sites. One thing that is confusing in the log entries is the port
    number (0) which is being reported. Cisco access lists log the entry as
    port 0 when you don't explicitly specify the port number in the access
    list, so an ACL like:
    
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
    
    will create logs with port 0 as the port; however, ACLs like:
    
    access-list 100 deny tcp 10.0.0.0 0.255.255.255 any range 0 65535 log
    access-list 100 deny udp 10.0.0.0 0.255.255.255 any range 0 65535 log
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
    
    will log the port numbers and produce a more understandable output - i.e.
    you will be able to see which port and know which service the device is
    attempting to connect to.
    
    
    Kerry
    
    Steven Lee said:
    >
    >
    > I am seeing this on my router syslog after I applied an access list on
    > the internal interface. Can anyone tell me what this could be? The
    > 68.84.8.41 is a comcast IP that is active on the network; however,
    > someone inside our network is attempting to use it to go out to other
    > sites? Thanks for your help.
    >
    > l7.Info	X.X.X.X	38644: .Oct 21 13:40:27: %SEC-6-IPACCESSLOGP: list 101
    > denied tcp 68.84.8.41(0) -> 67.34.160.17(0), 1 packet
    > 2002-10-21 13:35:37	Local7.Info	X.X.X.X	38645: .Oct 21 13:40:28: %
    > SEC-6-IPACCESSLOGP: list 101 denied tcp 68.84.8.41(0) -> 217.121.116.154
    > (0), 1 packet
    [snip]
    
    -- 
    Kerry Thompson, CCNA CISSP
    Information Systems Security Consultant
    http://www.crypt.gen.nz  kerryat_private
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
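
An added example, not part of the original post: a small parser for `%SEC-6-IPACCESSLOGP` syslog lines that separates entries logged with port 0 on both sides (no port information recorded, as described in the reply above) from entries that carry real ports. The first two sample lines are the ones quoted in the thread, rejoined onto one line each; the remaining lines and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# %SEC-6-IPACCESSLOGP: list <acl> <action> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Lines 1-2 come from the thread; lines 3-5 are constructed sample input.
SAMPLE = """\
38644: .Oct 21 13:40:27: %SEC-6-IPACCESSLOGP: list 101 denied tcp 68.84.8.41(0) -> 67.34.160.17(0), 1 packet
38645: .Oct 21 13:40:28: %SEC-6-IPACCESSLOGP: list 101 denied tcp 68.84.8.41(0) -> 217.121.116.154(0), 1 packet
38650: .Oct 21 13:41:02: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1045) -> 198.51.100.7(80), 3 packets
38651: .Oct 21 13:41:05: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(1046) -> 198.51.100.9(53), 1 packet
38652: .Oct 21 13:41:06: %SYS-5-CONFIG_I: Configured from console by vty0
"""

def parse(text):
    """Yield one dict per IPACCESSLOGP entry; other syslog lines are skipped."""
    for line in text.splitlines():
        m = LOGP.search(line)
        if m:
            entry = m.groupdict()
            for key in ("sport", "dport", "count"):
                entry[key] = int(entry[key])
            yield entry

def summarize(text):
    """Per source IP: packets, destinations, ports seen, and port-less entries."""
    out = defaultdict(lambda: {"packets": 0, "dsts": set(),
                               "dports": Counter(), "portless": 0})
    for e in parse(text):
        s = out[e["src"]]
        s["packets"] += e["count"]
        s["dsts"].add(e["dst"])
        if e["sport"] == 0 and e["dport"] == 0:
            s["portless"] += 1   # no port information in this entry
        else:
            s["dports"][(e["proto"], e["dport"])] += e["count"]
    return dict(out)

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        note = "no port info logged" if s["portless"] else dict(s["dports"])
        print(f"{src}: {s['packets']} pkt(s) to {len(s['dsts'])} host(s); {note}")
```
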
    



    This archive was generated by hypermail 2b30 : Mon Oct 21 2002 - 21:08:06 PDT