New source port for each outbound FTP connection probably.

Symon

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED] 
Sent: 13 March 2003 18:12
To: [EMAIL PROTECTED]
Subject: Re: PIX Question [7:65095]


I don't understand why the xlate table would grow.  I can understand the
connections table growing, sure, but did the PIX really re-translate the
same internal address over 7000 times in just a few minutes?

John

>>> Scott Roberts 3/13/03 11:08:29 AM >>>
strange that it would create another translation instead of using the
old one?? I suppose it's more an error in the client software thinking it
still has a valid server connection and tries to open a brand new one
then.

the only thing that comes to my mind would be to expire your
translations faster, but I've never done this, so I don't even know if
it's possible.

scott

"Manny" wrote in message
news:[EMAIL PROTECTED]
> I ran into a situation today where we had a machine that was trying to
> FTP through the firewall. We allow FTP outbound. The problem that came
> up was that the user had no idea that an FTP client was set up on his
> machine. The FTP client (spyware) kept trying to connect to a server
> (ispynow.com) using the incorrect user name and password. For every
> attempt an xlate entry was created. It created about 7000 entries in a
> matter of minutes. The firewall was paralyzed. I had to console in and
> look at the xlate table. Even through the console I had a hard time
> viewing the table. Is there any way to prevent this from happening
> again? This is the second time this year an incident of this nature
> with the xlate table has occurred. How can I monitor the xlate table
> for strange behavior?

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65406&t=65095
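
On the question of monitoring the xlate table raised in the thread, the following is an added example, not code from any poster: it counts translation slots per inside host in captured `show xlate` text and flags a host that is opening a new source port per attempt. The line shapes, the threshold of 25 slots, and all addresses are assumptions; the sample capture is constructed.

```python
import re
from collections import Counter

# Assumed line shapes, modelled on PIX `show xlate` output:
#   "N in use, M most used"
#   "PAT Global 192.0.2.1(1024) Local 10.1.1.15(1026)"
#   "Global 192.0.2.10 Local 10.1.1.20"
HEADER = re.compile(r"^(\d+) in use, (\d+) most used")
ENTRY = re.compile(r"^(PAT )?Global \S+ Local (\d+\.\d+\.\d+\.\d+)(?:\((\d+)\))?")

def parse_xlate(text):
    """Return (in_use, slots_per_local_host, source_ports_per_local_host)."""
    in_use, slots, ports = None, Counter(), {}
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            in_use = int(m.group(1))
            continue
        m = ENTRY.match(line)
        if m:
            host = m.group(2)
            slots[host] += 1
            if m.group(3):  # PAT entries carry the local source port
                ports.setdefault(host, set()).add(int(m.group(3)))
    return in_use, slots, ports

def noisy_hosts(text, max_slots_per_host=25):
    """Hosts holding more translation slots than the (assumed) threshold."""
    _, slots, _ = parse_xlate(text)
    return sorted((h, n) for h, n in slots.items() if n > max_slots_per_host)

def build_sample():
    """Constructed capture: one host using a new source port per attempt."""
    lines = ["43 in use, 43 most used",
             "Global 192.0.2.10 Local 10.1.1.20",
             "PAT Global 192.0.2.1(1024) Local 10.1.1.30(1050)",
             "PAT Global 192.0.2.1(1025) Local 10.1.1.30(1051)"]
    lines += [f"PAT Global 192.0.2.1({2000 + i}) Local 10.1.1.15({3000 + i})"
              for i in range(40)]
    return "\n".join(lines)

if __name__ == "__main__":
    sample = build_sample()
    in_use, slots, ports = parse_xlate(sample)
    print("in use:", in_use)
    for host, n in noisy_hosts(sample):
        print(f"{host}: {n} xlate slots, {len(ports[host])} source ports")
```
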