I often see a NAT UDP connection from one of the LAN PCs:
NAT: UDP 192.168.0.105:1027 <-> 192.168.10.19:161
Typically the connection will last for 53 s about every 4 mins and sends 424 bytes in.
I'm wondering what exactly this is, since there is no 192.168.10.x subnet present.
The setup is WG 6.2.0 (latest release) on Win2003 Server SP1. There are two fixed-IP external NICs (one is the gateway, the other is used for incoming VPN), and two internal fixed IP adapters (192.168.0.1 for wired LAN, and 192.168.5.1 for wireless). The server also runs IIS with two sharepoint sites (both set for NTLM auth.) and terminal services.
The clients are all running simple NAT, with local Mcafee Small Business firewall / antivirus, but there are no issues with this.
All of this runs just fine (well, except for WG VPN but that's another story). My question here is due mostly to security concerns -- should I be worried?
UDP 192.168.10.19:161
Moderator: Qbik Staff
3 posts
• Page 1 of 1
UDP 192.168.10.19:161
by drjohn999 » Jan 11 07 8:32 am
- drjohn999
- Posts: 33
- Joined: Feb 09 04 11:38 am
by adrien » Jan 11 07 1:01 pm
Hi
Since UDP doesn't have any connection capabilities, the only way for WinGate to clean up UDP sessions is to time them out, and the default timeout is about a minute, so that would explain the session duration.
As for IPs, obviously something on the machine 192.168.0.5 believes there is a machine at 192.168.10.19. You could try running Qbik PortList (part of the NetPatrol distribution) to see what applications are using what ports. It may show up.
Port 161 is the SNMP port (network management). So is there something on this machine that is trying to manage a piece of hardware at that address?
Adrien
Since UDP doesn't have any connection capabilities, the only way for WinGate to clean up UDP sessions is to time them out, and the default timeout is about a minute, so that would explain the session duration.
As for IPs, obviously something on the machine 192.168.0.5 believes there is a machine at 192.168.10.19. You could try running Qbik PortList (part of the NetPatrol distribution) to see what applications are using what ports. It may show up.
Port 161 is the SNMP port (network management). So is there something on this machine that is trying to manage a piece of hardware at that address?
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
by drjohn999 » Jan 11 07 6:06 pm
Hi Adrien,
Portlist shows an Epson scanner service listening on 161 and several other UDP ports. The scanner is plugged into USB, so I'm not sure what they're doing except possibly looking for scanners on the LAN in a generous and mis-directed effort to help (confuse) the user.
Anyway, Thanks for the tip and advice.
-- John
Portlist shows an Epson scanner service listening on 161 and several other UDP ports. The scanner is plugged into USB, so I'm not sure what they're doing except possibly looking for scanners on the LAN in a generous and mis-directed effort to help (confuse) the user.
Anyway, Thanks for the tip and advice.
-- John
- drjohn999
- Posts: 33
- Joined: Feb 09 04 11:38 am
3 posts
• Page 1 of 1
Who is online
Users browsing this forum: Google [Bot] and 3 guests