[logs] Cisco PIX logs

From: Rainer Gerhards (rgerhardsat_private)
Date: Fri Jan 31 2003 - 09:59:42 PST


    Hi all,
    
    I am banging my head for some time now, so I think it is time to ask for
    assistance... I am sure I am overlooking the obvious, but I simply don't
    see it ;)
    
    As an example, I have those two log lines in my PIX log (a little
    sanitized, though). According to Cisco's message description
    (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemsgs.htm#xtocid5)
    this tells me that the local machine at 172.20.0.1 initiates a
    connection (via NAT) to 64.71.191.26. What makes me stumble are the
    ports. In the message, I see my local machine using port 1071 and
    connecting to port 5780 on the remote one.
    
    ---
    2003-01-31,18:20:20,2003-01-31,18:20:20,172.19.0.1,20,6,Jan 31 2003 17:12:41: %PIX-6-302005: Built UDP connection for faddr 64.71.191.26/5780 gaddr 10.6.190.187/1071 laddr 172.20.0.1/1071
    
    2003-01-31,18:20:49,2003-01-31,18:20:49,172.19.0.1,20,6,Jan 31 2003 17:13:10: %PIX-6-302006: Teardown UDP connection for faddr 64.71.191.26/5780 gaddr 10.6.190.187/1071 laddr 172.20.0.1/1071
    ---
    
    So far, so good. When I look now at a packet capture taken on
    172.20.0.1, I see that the source port is indeed 1071 but the
    destination is 53 (DNS). The same holds true for the packet coming back.
    I did not (yet) take a packet capture at the Internet side of the
    firewall.
    
    Any explanation for this?
    
    Thanks,
    Rainer
    
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
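Parsing the two 302005/302006 lines quoted in the post and pairing the Built with its Teardown is a useful first step before arguing about what the ports mean; the following is an added example, not code from the post or from Cisco. It assumes the seven comma-separated fields in front of the syslog text are the collector's own (receive/process timestamps, relay address, facility, severity), and the two quoted lines are re-joined onto single lines as constructed sample input.

```python
import re
from datetime import datetime

# Constructed sample input: the two lines quoted in the post, re-joined onto one line each.
SAMPLE_LINES = [
    "2003-01-31,18:20:20,2003-01-31,18:20:20,172.19.0.1,20,6,Jan 31 2003 17:12:41: "
    "%PIX-6-302005: Built UDP connection for faddr 64.71.191.26/5780 gaddr 10.6.190.187/1071 laddr 172.20.0.1/1071",
    "2003-01-31,18:20:49,2003-01-31,18:20:49,172.19.0.1,20,6,Jan 31 2003 17:13:10: "
    "%PIX-6-302006: Teardown UDP connection for faddr 64.71.191.26/5780 gaddr 10.6.190.187/1071 laddr 172.20.0.1/1071",
]

# The PIX text after the collector prefix: device timestamp, then the 302005/302006 body.
PIX_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %PIX-(?P<sev>\d)-(?P<msgid>30200[56]): "
    r"(?P<action>Built|Teardown) (?P<proto>TCP|UDP) connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
)

def parse_pix_line(line):
    """Split off the assumed 7-field collector prefix and parse a 302005/302006 message (None if not one)."""
    fields = line.split(",", 7)
    if len(fields) != 8:
        return None
    m = PIX_RE.match(fields[7])
    if not m:
        return None
    rec = m.groupdict()
    rec["device_time"] = datetime.strptime(rec.pop("ts"), "%b %d %Y %H:%M:%S")
    rec["relay"] = fields[4]          # address the collector received the message from
    for k in ("fport", "gport", "lport"):
        rec[k] = int(rec[k])
    return rec

def pair_connections(records):
    """Match each Built (302005) with its Teardown (302006) on the full translation tuple.

    Key = protocol plus the three address/port pairs: laddr->gaddr is the NAT translation,
    faddr is the far end as the PIX reports it. Builts without a Teardown are still open."""
    open_conns, sessions = {}, []
    for r in records:
        key = (r["proto"], r["faddr"], r["fport"], r["gaddr"], r["gport"], r["laddr"], r["lport"])
        if r["action"] == "Built":
            open_conns[key] = r["device_time"]
        elif key in open_conns:
            start = open_conns.pop(key)
            sessions.append({"key": key, "start": start, "end": r["device_time"],
                             "duration_s": (r["device_time"] - start).total_seconds()})
    return sessions, open_conns

def summarize(lines=SAMPLE_LINES):
    """Parse every recognised line and return (completed sessions, still-open Builts)."""
    records = [r for r in map(parse_pix_line, lines) if r]
    return pair_connections(records)
```

Running `summarize()` on the two sample lines yields one UDP session of 29 seconds between 172.20.0.1/1071 (translated to 10.6.190.187/1071) and 64.71.191.26/5780; comparing that tuple against a capture taken on the inside interface is exactly the check the post describes.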
    



    This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 11:47:58 PST