Keeping creeps off my 1750's outside interface.

bubarooni (Technical User; joined May 13, 2001; 506 messages; location: US)
I have a router that seems to be under constant attack, or at the very least people are spoofing from it or something. I need a way to keep them off it.

The outside interface is a WIC-1ENET that is connected to a broadband connection.

Here is output from a show arp command:

Code:
1750#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  12.166.94.217           2   0003.fdc2.e880  ARPA   Ethernet0
Internet  192.168.3.59            2   0001.0368.6da0  ARPA   FastEthernet0
Internet  192.168.3.58            3   0001.0209.f108  ARPA   FastEthernet0
Internet  192.168.3.55            1   0040.33d2.33b6  ARPA   FastEthernet0
Internet  192.168.3.53            5   000b.cd12.8b55  ARPA   FastEthernet0
Internet  192.168.3.11            7   0006.5bb4.a713  ARPA   FastEthernet0
Internet  192.168.3.1             -   0050.547d.51b4  ARPA   FastEthernet0
Internet  192.168.3.4             2   0001.e6ac.b6c0  ARPA   FastEthernet0
Internet  192.168.3.28            3   0001.0202.811d  ARPA   FastEthernet0
Internet  192.168.3.23            7   0001.0202.97c7  ARPA   FastEthernet0
Internet  12.166.x.x              -   000d.28dc.4939  ARPA   Ethernet0
Internet  12.166.x.x             17   0003.fdc2.e880  ARPA   Ethernet0
Internet  12.166.x.x              0   0003.fdc2.e880  ARPA   Ethernet0

The first entry is an offender; it's not mine. The bottom three are the interface's external IP, the next hop and the DNS server. The middle entries are all valid internal IPs. When I came in this morning this office complained about speed and I found about a hundred IPs like the first one listed. They are always listed as Ethernet0, which is that outside interface.

What can I do? Is there something I can do that will only allow the external IP, DNS servers and next hop router on that outside interface? I do have a couple of access-groups on the router, a FromInside and a FromOutside, but neither seems to affect the problem I have, and I'm looking for a command or something I can add to either.
 
It looks like the ARP entry might be from the local network, which is normal. What's the subnet mask on eth0?

This doesn't indicate that anyone is "on" the interface. When your router first contacts a local IP address, it adds it to the ARP cache.

 
Still having the same problem...

The subnet mask for eth0 is 255.255.0.0. This is what my ISP told me to put in.

When I reboot the router, all the extra 12.166.x.x's are gone and only eth0's external IP, the next hop router and DNS show up on eth0. As time goes by, more and more unknown 12.166.x.x's show up and performance starts to degrade. I thought maybe they were all taking a portion of my bandwidth.

I have 4 other sites and they never show all these additional IPs. Is this perhaps a misconfiguration on the ISP's part?
 
Check your default route. If it is something like:
ip route 0.0.0.0 0.0.0.0 ethernet0
With this, the router will ARP for all traffic that passes through it.
If you specify an IP address for the next hop router, then your router will only ARP for the specific WAN IP addresses it sees, along with the entire LAN subnet, and not for everything on the Internet.

Something like ip route 0.0.0.0 0.0.0.0 201.200.10.2
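To turn the advice above into something checkable, here is an added Python script (not from the thread or from Cisco) that parses `show arp` output the way the original poster wanted: it lists WAN-side entries that are not the interface's own IP, next hop or DNS server, groups IPs by hardware address (many foreign IPs sharing the next hop's MAC points to the upstream router proxy-ARPing, as the thread's output shows), and reports whether the default route names a next-hop IP or only an interface. The sample ARP table and addresses are constructed, since the real 12.166.x.x values are masked in the post.

```python
import ipaddress
import re

# Constructed sample of "show arp" output, modelled on the thread above; the
# 12.166.x.x addresses in the original post are masked, so these are made up.
SAMPLE_SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  12.166.94.217           2   0003.fdc2.e880  ARPA   Ethernet0
Internet  192.168.3.59            2   0001.0368.6da0  ARPA   FastEthernet0
Internet  192.168.3.1             -   0050.547d.51b4  ARPA   FastEthernet0
Internet  12.166.10.20            -   000d.28dc.4939  ARPA   Ethernet0
Internet  12.166.0.1             17   0003.fdc2.e880  ARPA   Ethernet0
Internet  12.166.0.2              0   0003.fdc2.e880  ARPA   Ethernet0
"""
ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f.]+)\s+ARPA\s+(\S+)$")

def parse_show_arp(text):
    # Returns (ip, age, mac, interface) tuples; header and blank lines are skipped.
    return [m.groups() for m in map(ARP_LINE.match, text.splitlines()) if m]

def unexpected_arp_entries(text, interface, allowed):
    # Entries on `interface` whose IP is not one of the addresses that belong
    # there (the interface's own IP, the next-hop router and the DNS server).
    allowed = {ipaddress.ip_address(a) for a in allowed}
    return [e for e in parse_show_arp(text)
            if e[3] == interface and ipaddress.ip_address(e[0]) not in allowed]

def ips_per_mac(text, interface):
    # Many IPs on one hardware address on the WAN side means the upstream router
    # is answering ARP for them (proxy ARP), not that a hundred hosts share the link.
    groups = {}
    for ip, _age, mac, ifname in parse_show_arp(text):
        if ifname == interface:
            groups.setdefault(mac, []).append(ip)
    return groups

def default_route_target(config):
    # ('ip', addr) when the default route names a next hop, ('interface', name) when
    # it only names an interface, which makes the router ARP for every destination.
    m = re.search(r"^\s*ip route 0\.0\.0\.0 0\.0\.0\.0 (.+)$", config, re.M)
    if not m:
        return None
    tokens = m.group(1).split()
    for tok in tokens:
        try:
            return ("ip", str(ipaddress.ip_address(tok)))
        except ValueError:
            pass
    return ("interface", tokens[0])
```

Paste the real `show arp` and `show running-config` text in place of the constructed sample to run it against your own router.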
 
ip route 0.0.0.0 0.0.0.0 12.166.x.x is what I currently have. Does that look right?

The e0 is configured thusly:

interface Ethernet0
description connected to the internet
ip address 12.166.x.xx 255.255.0.0
ip access-group 15 in
ip nat outside
no ip mroute-cache
no keepalive
half-duplex
crypto map towash

Thanks!
 
Noticed something that may be causing you a speed issue. Your broadband connection is probably 10/100 auto-sensing, but your WIC is not, and it is set to half duplex. Change E0 to duplex full, clear counters, and after a few minutes do a show interface ethernet 0 and look for CRC or frame errors. If you were to look at it right now it is probably loaded with collisions.
 