RE: PIX DNS Issue [7:72685]

2003-07-21 Thread jhodge
You will have to use the alias command or static dns command to allow
translation from internal to external.

CCO site has great examples of your situation.

Cheers,

Jamie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Stevo
Sent: July 21, 2003 11:27 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX DNS Issue [7:72685]

You know I've had similar weirdness with my Pix (6.3) and DNS.

I have 2 internal AD DNS servers and 2 external BIND DNS servers.  The 2
external DNS servers sit outside the PIX and the AD DNS servers obviously sit
behind the Pix on the inside network.

I have a host mail that has a different DNS entry on the internal and
external name servers.  Let's say internally the IP is 10.1.1.10 and
externally 203.132.60.10.  When I am on a host on the internal network and
query the external name server it seems like the response comes from the
internal DNS server...  example below:

I'm trying to resolve mail on the external name server.  When I'm on the
external name server (or outside the Pix) the response is always
203.132.60.10.  However, when I'm on an internal host and do a lookup
against the external name server I get 10.1.1.10 as the answer every time!

So it seems like the Pix is grabbing that DNS query and sending it to the
internal name server instead of letting it through...

Any ideas as to why??

Stevo


 wrote in message
news:[EMAIL PROTECTED]
 PIX treats DNS queries a little differently, especially replies.  The
 client has the potential of contacting multiple DNS servers sequentially
 in the event the first one is experiencing some delays.  The PIX keeps
 track of all of them and allows one reply to come back through.  I'm not
 sure if things changed in the version but it's a good idea to check..  HTH

 Thanks...Nabil

 I have never let my schooling interfere with my education.



 Andrew Larkins
 Sent by: [EMAIL PROTECTED]
 07/21/2003 09:41 AM
 Please respond to Andrew Larkins

 Subject:  RE: PIX DNS Issue [7:72685]

 Please send the config and we can have a look.

 -Original Message-
 From: Tunde Kalejaiye [mailto:[EMAIL PROTECTED]
 Sent: 21 July 2003 11:57
 To: [EMAIL PROTECTED]
 Subject: PIX DNS Issue [7:72685]


 I swapped a router running IOS firewall with a PIX 506e and I have been
 having all sorts of issues.  First is the DNS... all clients use an
 internal DNS server which forwards all requests to an external DNS
 server... this works fine with the router but with the PIX it doesn't
 work.  When I configured the clients to use the external DNS server
 everything worked fine.  The PIX box is running the 6.3 code.


 I know I am missing something...but can't figure it out yet...I really
 would appreciate any comments.

 regards,

 Tunde




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72717t=72685
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
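What Jamie's `alias` and `static ... dns` commands do is rewrite the address inside the A record of a DNS reply as it crosses the PIX (Cisco calls this DNS doctoring). The Python below is an added example of that rewrite, not code from the thread or from Cisco: the zone name mail.example.com is made up, the two addresses are the ones Stevo quotes, and the map stands in for the static entry. The parser walks the question and answer sections, follows compression pointers, and changes only A records whose address is in the map, so an address the firewall has no entry for passes through unchanged.

```python
import struct

# Constructed global -> local map, playing the role of the PIX static/alias
# entry. 203.132.60.10 and 10.1.1.10 are the addresses quoted in the thread.
DOCTOR_MAP = {"203.132.60.10": "10.1.1.10"}


def _ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def _bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def _encode_name(name):
    """Encode a dotted name as DNS labels, uncompressed."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past a name, whether labels or a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def build_response(qname, answers, txid=0x1234):
    """Constructed DNS reply: one question, one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    rrs = b""
    for ip in answers:
        # NAME is a pointer to offset 12 (the question name), TTL 300, RDLENGTH 4
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + _ip_to_bytes(ip)
    return header + question + rrs


def _answers(msg):
    """Yield (rtype, rclass, rdata_offset, rdlen) for each RR in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4              # QNAME, then QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def doctor_response(msg, mapping):
    """Rewrite A-record RDATA according to mapping. Returns (new_msg, rewrites)."""
    out = bytearray(msg)
    rewrites = []
    for rtype, rclass, off, rdlen in _answers(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            old = _bytes_to_ip(msg[off:off + 4])
            new = mapping.get(old)
            if new is not None:
                out[off:off + 4] = _ip_to_bytes(new)
                rewrites.append((old, new))
    return bytes(out), rewrites


def answer_ips(msg):
    """Addresses carried in the A records of a reply."""
    return [_bytes_to_ip(msg[off:off + 4])
            for rtype, rclass, off, rdlen in _answers(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


if __name__ == "__main__":
    reply = build_response("mail.example.com", ["203.132.60.10", "203.132.60.11"])
    doctored, changes = doctor_response(reply, DOCTOR_MAP)
    print("outside answer :", answer_ips(reply))
    print("inside answer  :", answer_ips(doctored))
    print("rewrites       :", changes)
```

Running it shows the same reply carrying 203.132.60.10 on the outside and 10.1.1.10 on the inside. On a PIX, `show static` and `show alias` list the entries that trigger this rewrite, which is the place to look when inside hosts get the inside address back from an outside server.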


RE: Access list or Conduit? [7:72514]

2003-07-17 Thread jhodge
You can use the icmp permit to allow the icmp through.
As well, Cisco recommends you allow unreachable through for SIP.

By default all PIX interfaces will respond to icmp echo-reply.  You must
deny this with the icmp deny command.  As well, you can use an acl to
apply to the icmp permit match acl command, to make the icmp
echo-request more granular.

Conduits are the old way of blasting a hole in the pix.  Cisco
recommends the trend of acl and icmp permit statements to mitigate
attacks.

Cheers,

Jamie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Lynne Padgett
Sent: July 17, 2003 7:09 PM
To: [EMAIL PROTECTED]
Subject: RE: Access list or Conduit? [7:72514]

I agree.  If I recall correctly, this change was implemented in the later
versions of 5.x and conduits aren't used at all in the 6.x versions.  Cisco
did this to make the firewall code more IOS like.

 -Original Message-
From:   Wilmes, Rusty
Sent:   Thu Jul 17 20:37:15 2003
To: [EMAIL PROTECTED]
Subject:RE: Access list or Conduit? [7:72514]

my understanding is conduits are the same as access lists but are being
phased out and replaced by access lists so that syntax is more uniform
across platforms.

-Original Message-
From: E. Keith J. [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 17, 2003 2:12 PM
To: [EMAIL PROTECTED]
Subject: Access list or Conduit? [7:72514]


Hi all

The boss wants to allow ping.

In the website I found the way by using an access list.

In another config I see a conduit is used.

What is the difference between using a conduit and an access list to allow
ping?

Is it that a conduit is to a specific host rather than permit any?

Thanks






RE: Internet is very slow behind Pix 515E UR [7:70783]

2003-06-19 Thread jhodge
The new version of PIX 6.3(1) allows for turbo ACL to be activated
for ACLs longer than 19 lines.

Look at turning it on and seeing if the latency decreases.

Cheers,

Jamie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Steve Wilson
Sent: June 17, 2003 10:26 AM
To: [EMAIL PROTECTED]
Subject: RE: Internet is very slow behind Pix 515E UR [7:70783]

Try taking the access-lists off the interfaces and try again.  The access
control list acting on the interfaces means that every single packet going
through the interface is inspected.

Steve Wilson 
Network Engineer


-Original Message-
From: Ismail Al-Shelh [mailto:[EMAIL PROTECTED] 
Sent: 17 June 2003 16:19
To: [EMAIL PROTECTED]
Subject: Internet is very slow behind Pix 515E UR [7:70783]

Whenever I access the web site which is behind the Pix firewalls, the speed
is really slow.

I bypassed the firewall and accessed the same site and it's fast!

I checked my settings and made sure all the connected devices are running at
100 and full duplex, they all are!

I mean, why is this happening ... is it because the Pix has to inspect each
packet?

The bandwidth from the service provider is 64k.

Any idea please.


Any ideas?
 
 
The Pix version is 6.1; besides this is a satellite connection.

The internal Address range is 191.1.1.0-191.1.1.254 255.255.0.0 
Outside address range is 10.15.9.163-183 255.255.255.224 
Default Gateway: 10.15.9.62 255.255.255.224 
DNS1: 195.238.62.1 
DNS2: 195.238.40.30 




AN# show config 
: Saved 
: 
PIX Version 6.1(4) 
nameif ethernet0 outside security0 
nameif ethernet1 inside security100 
nameif ethernet2 intf2 security10 
enable password kC9ZDwfWejkBqApp encrypted 
passwd 2KFQnbNIdI.2KYOU encrypted 
hostname AN 
domain-name ciscopix.com 
fixup protocol ftp 21 
fixup protocol http 80 
fixup protocol h323 1720 
fixup protocol rsh 514 
fixup protocol rtsp 554 
fixup protocol smtp 25 
fixup protocol sqlnet 1521 
fixup protocol sip 5060 
fixup protocol skinny 2000 
names 
access-list acl_in permit icmp any any 
access-list acl_in permit udp any any 
access-list acl_in permit tcp any any 
pager lines 10 
logging buffered debugging 
interface ethernet0 100basetx 
interface ethernet1 100basetx 
interface ethernet2 auto shutdown 
mtu outside 1500 
mtu inside 1500 
mtu intf2 1500 
ip address outside 10.15.9.163 255.255.255.224 
ip address inside 191.1.1.85 255.255.0.0 
ip address intf2 127.0.0.1 255.255.255.255 
ip audit info action alarm 
ip audit attack action alarm 
pdm history enable 
arp timeout 14400 
global (outside) 1 10.15.9.164-10.15.9.180 
global (outside) 1 10.15.9.181 
nat (inside) 1 0.0.0.0 0.0.0.0 0 0 
access-group acl_out in interface outside 
access-group acl_in in interface inside 
route outside 0.0.0.0 0.0.0.0 10.15.9.163 1 
timeout xlate 3:00:00 
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute 
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
http server enable 
no snmp-server location 
no snmp-server contact 
snmp-server community public 
no snmp-server enable traps 
floodguard enable 
no sysopt route dnat 
telnet 0.0.0.0 0.0.0.0 inside 
telnet timeout 5 
ssh timeout 5 
terminal width 80 
Cryptochecksum:97ca54591b41f6b215dabb457fe7c9de 
AN#  


 
Ismail Al-Shelh







RE: copying flash FROM PIX? [7:70731]

2003-06-18 Thread jhodge
If you have access to the new software, then just download the present
Finesse OS as well.  I do not believe a command exists to bring the code
to a tftp server.

I have recently upgraded to 6.3(1).  You will have to download the newer
PDM 3.1 as well.  The present PDM you are running will not run on the
new 6.3(1).

Cheers,

Jamie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Wright, Jeremy
Sent: June 16, 2003 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: copying flash FROM PIX? [7:70731]

try write net ?

-Original Message-
From: Brad Dodds [mailto:[EMAIL PROTECTED]
Sent: Monday, June 16, 2003 10:41 AM
To: [EMAIL PROTECTED]
Subject: copying flash FROM PIX? [7:70731]


Going to upgrade to ver 6.3 but I wanted to save the old image to a tftp
server first.

copy flash tftp doesn't work
CiscoPIX515E# sh ver
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)

CiscoPIX515E# copy flash ?
Usage:  copy capture: tftp:/// [pcap]
copy http[s]://[:@][:]/
flash[:[image | pdm]]
copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]]






RE: cisco 2511 Terminal Server for my first time! [7:53791]

2003-06-18 Thread jhodge
I would highly recommend you use the ip host command for your telnet
connections.  It brings down the possibility of fat fingering the keyboard.

You should configure a loopback ip address for the reverse telnet.

E.g.
---
conf term
interface loopback 0
ip address 192.168.1.1 255.255.255.255
exit

ip host test 2001 192.168.1.1 

line 1 16
no exec
transport input all
exit


Then type test to go to the device that is off the octal cable position 1.

Cheers,

Jamie


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Jonathan V Hays
Sent: June 17, 2003 12:11 PM
To: [EMAIL PROTECTED]
Subject: Re: cisco 2511 Terminal Server for my first time! [7:53791]

??? wrote:
 Hi,
 
 I am setting up a 2511 terminal server for my first time, but it doesn't
 work...
 
 this is my 2511 configuration :
 
 
 line con 0
 
 line 1 16
 session-timeout 20
 exec-timeout 0 0
 
 line aux 0
 
 line vty 0 4
 password
 login
 
 
 In the above, I found I missed one command in the line con 0 prompt.
 -- line con 0
 transport input all
 So, I tried to type the command, but couldn't.  The result is
 
 --
 Router#conf t
 Enter configuration commands, one per line. End with CNTL/Z.
 Router(config)#line con 0
 Router(config-line)#transport input all
 ^
 % Invalid input detected at '^' marker.
 
 Router(config-line)#
 --
 
 I don't know why the command can't be input.  The command is in the
 Cisco documentation.
 (http://www.cisco.com/warp/public/793/access_dial/comm_server.html)
 
 Anyone can help me?
 
 sooil..
 
You are putting the command in the wrong line. Put it here:

line 1 16
  no exec
  transport input all

Also, you do not state what command you are using to test with.






RE: Liming netbios connections [7:70883]

2003-06-18 Thread jhodge
You could use the traffic-shape command:

interface serial 1
traffic-shape group 101 128000 16000 8000

You must calculate the bit-rate that is suitable for your medium.

The group 101 relates to the access group.

In your case you can have all networks:

access-list 101 permit tcp any any eq 135

You could as well just limit the hosts that are causing the problem.
But overall you should diagnose whether they are compromised hosts.


Cheers,

Jamie
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Marakalas
Sent: June 18, 2003 1:18 PM
To: [EMAIL PROTECTED]
Subject: Liming netbios connections [7:70883]

Hi all

I have a problem on the network where some machines a
establishing a lot of netbios connections on the
network and almost consuming all the bandwidth. How do
I configure the ingress interface to set the limit on
the number of connections that each machine can have?
Your urgent response will be highly appreciated. This
might be related to the virus.





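Jamie's `traffic-shape group 101 128000 16000 8000` is a token bucket: 128000 is the sustained rate in bits per second, 16000 the normal burst Bc in bits and 8000 the excess burst Be. The Python below is an added model of that bucket, not IOS code and not from the thread; it assumes 1500-byte frames that all arrive at once and that access-list 101 matches TCP to port 135. It shows the interval Tc = Bc / rate, how a burst of RPC frames gets spread over successive intervals while a non-matching packet passes at once, and that the first second never carries more than Bc per interval plus Be.

```python
# Parameters from Jamie's example line: traffic-shape group 101 128000 16000 8000
BIT_RATE = 128_000      # sustained rate, bits per second
BURST = 16_000          # Bc: bits added to the bucket every interval
EXCESS = 8_000          # Be: extra bits the bucket may hold for a one-off burst


def matches_acl_101(packet):
    """access-list 101 permit tcp any any eq 135: shape only TCP to port 135."""
    return packet["proto"] == "tcp" and packet["dport"] == 135


def shaping_interval(bit_rate=BIT_RATE, burst=BURST):
    """Tc, the interval at which Bc tokens are added: Bc / CIR."""
    return burst / bit_rate


def shape(packets, bit_rate=BIT_RATE, burst=BURST, excess=EXCESS):
    """Token-bucket model of the shaper. All packets arrive at t=0, in order.
    Matching packets consume tokens (bits); a packet that does not fit waits
    for the next interval. Non-matching packets leave at once.
    Returns a list of departure times in seconds, one per packet."""
    tc = shaping_interval(bit_rate, burst)
    tokens = burst + excess          # the bucket starts full
    now = 0.0
    departures = []
    for pkt in packets:
        if not matches_acl_101(pkt):
            departures.append(0.0)
            continue
        while tokens < pkt["bits"]:
            now += tc                                    # wait one interval ...
            tokens = min(tokens + burst, burst + excess)  # ... and top up by Bc
        tokens -= pkt["bits"]
        departures.append(round(now, 6))
    return departures


def bits_sent_before(packets, departures, t_end):
    """Bits released in [0, t_end): how much got through in the first t_end seconds."""
    return sum(p["bits"] for p, d in zip(packets, departures) if d < t_end)


def netbios_burst(count, frame_bytes=1500):
    """Constructed traffic: `count` full-size TCP/135 frames, a host hammering RPC."""
    return [{"proto": "tcp", "dport": 135, "bits": frame_bytes * 8} for _ in range(count)]


if __name__ == "__main__":
    burst = netbios_burst(12) + [{"proto": "tcp", "dport": 80, "bits": 12_000}]
    when = shape(burst)
    print(f"Tc = {shaping_interval():.3f} s")
    for pkt, t in zip(burst, when):
        print(f"tcp/{pkt['dport']:<3} {pkt['bits']} bits -> t={t:.3f}")
    print("bits in first second:", bits_sent_before(burst, when, 1.0))
```

The long-run rate is 128 kbit/s whatever the frame size; Be only lets the first interval after an idle period send a little more. The check that matters operationally is the ACL: if it does not match the chatter you are trying to shape, the shaper is simply idle.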


RE: Passed CID 3.0 Test [7:62536]

2003-02-07 Thread jhodge
Curious about this test, did it include IPX and AppleTalk?  I
completed the CCDA last week and it had IPX and AppleTalk questions.

Cheers,

Jamie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Joseph R. Taylor
Sent: February 5, 2003 1:00 PM
To: [EMAIL PROTECTED]
Subject: RE: Passed CID 3.0 Test [7:62536]

Hi Steve,
   Congrats. I'm working on the CSPFA myself.
 JoeT







RE: RE: : Influencing EIGRP to use GRE tunnels over Serial link [7:60888]

2003-01-11 Thread jhodge
Thank you for all that responded to this. Found out that I had to
influence the route using the bandwidth and delay properties to change
the primary route to MPLS instead of the frame relay link.

Cheers,

Jamie

-Original Message-
From: Amar KHELIFI [mailto:[EMAIL PROTECTED]] 
Sent: January 11, 2003 3:15 PM
To: [EMAIL PROTECTED]
Subject: Re: RE: : Influencing EIGRP to use GRE tunnels over Serial link
[7:60840]




 Sorry, but I lacked to emphasize some important points that affect the
 ((bandwidth)) command.  It is true that the bandwidth command affects
 only IGRP and EIGRP route selection, and that it has nothing to do with
 the actual clock; that is left to the ((clock rate)) command.
 It is, however, good practice in large environments to coordinate the
 bandwidth used for specific interfaces throughout the whole network; that
 way the interface type can be predictable at any hop you're viewing the
 routing table at, but you don't have to bother yourself with it if you
 just have a hub and spoke topology that is not very large, and even
 though in which case you would implement stubbing as it is the most
 scalable solution in that scenario.

 Excuse the lack of info in the previous message.

 Best Regards,
 Amar
 CCNA, CCNP

 - Original Message -
 From: Amar KHELIFI 
 To: 
 Sent: Saturday, January 11, 2003 9:30 PM
 Subject: Re: RE: : Influencing EIGRP to use GRE tunnels over Serial
link
 [7:60840]


 
  The BW of the tunnel should not be over that of the T1, assuming all
  traffic will use the tunnel interface to get to the other site.
  The best way, if you are only passing traffic for a particular network,
  is to measure the bw used to reach the net by using ip accounting or
  netflow if you have the necessary IOS and hw, and calculate it based on
  the monitored time to have an average which you will use to split the
  bandwidth between the physical and logical interfaces.
  Hope this helps
  Best Regards
  Amar
  CCNA CCNP
  PS I don't know why I can't send messages to the group
  - Original Message -
  From: 
  Newsgroups: groupstudy.cisco
  Sent: Friday, January 10, 2003 8:53 PM
  Subject: Re: RE: : Influencing EIGRP to use GRE tunnels over Serial
link
  [7:60840]
 
 
   Thank you for the response.  Another piece of the puzzle is that I
   believe there are two ways to influence the EIGRP table.  I could
   increase the 10.x.x.x tunnel bandwidth or I could advertise the
   64.200.x.x network into the EIGRP metric.  Presently the 64.200.x.x
   network is not advertised in the EIGRP table, only the 10.x.x.x is.
   I believe this is a situation of two ways to 'skin' the cat.  Just
   wondering which way is preferred over the other.

   To further convolute the situation I have another engineer here who
   believes the delay should be manipulated instead of the bandwidth.

   Any suggestions are appreciated.

   Cheers,

   Jamie
  
   - Original Message -
   From: Georgescu, Aurelian
   Date: Friday, January 10, 2003 11:21 am
   Subject: RE: : Influencing EIGRP to use GRE tunnels over Serial
link
   [7:60834]
  
You have to put a bandwidth statement under the tunnel interfaces as well,
with a higher value than FR.
   
Aurelian Georgescu
   
   
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 10, 2003 2:00 PM
To: [EMAIL PROTECTED]
Subject: : Influencing EIGRP to use GRE tunnels over Serial link
[7:60834]
Hello all,

I have a question.  I have GRE tunnels going through MPLS running
1.544mbps, running EIGRP.  The secondary links are Frame Relay links
running at 256kbps per link.  Presently EIGRP has calculated the best
link to be the SprintLink as there are bandwidth statements in the frame
relay subinterface on the remote site:

Remote Site In Tampa:
interface Serial0/0.2 point-to-point
description Connect to Seattle
bandwidth 256
ip address 192.168.228.253 255.255.255.0
no ip mroute-cache
no cdp enable
frame-relay interface-dlci 41

interface Tunnel1
description Tampa Tunnel to Seattle
ip address 10.0.48.6 255.255.255.252
tunnel source Serial0/1
tunnel destination 64.200.134.18
!
The Tampa Site connects with the Seattle Hub with these configs:

interface Tunnel1
description Seattle Tunnel to Tampa
ip address 10.0.48.5 255.255.255.252
tunnel source Serial2/0
tunnel destination 64.200.118.162
end

interface Serial0/0.8 point-to-point
description  Seattle to Tampa
bandwidth 256
ip address 192.168.228.254 255.255.255.0
no ip route-cache
no ip mroute-cache
no cdp enable
frame-relay interface-dlci 39

I believe the best way to influence EIGRP would be to add a bandwidth
statement to the tunnel or the interface to which the tunnel is applied.

One other question.  T1 1.544mbps would be 193000 in the
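Jamie's conclusion, that both bandwidth and delay had to change before EIGRP preferred the tunnel, follows from the arithmetic of the classic EIGRP metric. The Python below is an added worked example, not from the thread or from Cisco: it uses the `bandwidth 256` from the Frame Relay subinterfaces in the thread, and assumes the IOS defaults of the period for an unconfigured tunnel (BW 9 kbit, DLY 500000 usec), the serial default delay of 20000 usec, and a FastEthernet LAN hop behind each router. It computes the composite metric with IOS integer truncation and compares the two paths under each configuration.

```python
# Classic (32-bit) EIGRP composite metric with default K values (K1 = K3 = 1):
#   metric = 256 * (10^7 / min_bandwidth_kbps + sum_delay_usec / 10)
# IOS truncates both divisions to integers, which this reproduces.

# Interface values. IOS `bandwidth` is in kilobits and `delay` in tens of
# microseconds. The tunnel defaults (BW 9 kbit, DLY 500000 usec) and the serial
# default delay (20000 usec) are assumed here from the IOS defaults of the era;
# the FastEthernet LAN hop at the far end is an assumption of this example.
FR_LINK = (256, 20_000)             # bandwidth 256 on the Frame Relay subinterface
TUNNEL_DEFAULT = (9, 500_000)       # GRE tunnel with no bandwidth/delay configured
TUNNEL_BW_ONLY = (1_544, 500_000)   # bandwidth 1544 (a T1), delay left at default
TUNNEL_BW_DELAY = (1_544, 20_000)   # bandwidth 1544 plus delay 2000 (tens of usec)
LAN_HOP = (100_000, 100)            # FastEthernet behind the far router


def eigrp_metric(min_bw_kbps, total_delay_usec, k1=1, k3=1):
    """Composite metric for a path whose slowest link is min_bw_kbps and whose
    interface delays sum to total_delay_usec. K2, K4, K5 are left at their
    default of 0, so load and reliability drop out of the formula."""
    if min_bw_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    bw_term = 10_000_000 // min_bw_kbps
    delay_term = total_delay_usec // 10
    return 256 * (k1 * bw_term + k3 * delay_term)


def path_metric(hops):
    """hops: list of (bandwidth_kbps, delay_usec). Bandwidth is the path minimum,
    delay is the path sum, exactly as EIGRP accumulates them hop by hop."""
    min_bw = min(bw for bw, _ in hops)
    total_delay = sum(delay for _, delay in hops)
    return eigrp_metric(min_bw, total_delay)


def best_path(candidates):
    """candidates: {name: hops}. Returns (name, metric) with the lowest metric."""
    scored = {name: path_metric(hops) for name, hops in candidates.items()}
    winner = min(scored, key=scored.get)
    return winner, scored[winner]


def compare(tunnel_link):
    """Frame Relay versus the tunnel, each followed by the destination LAN hop."""
    return best_path({"frame-relay": [FR_LINK, LAN_HOP],
                      "tunnel": [tunnel_link, LAN_HOP]})


if __name__ == "__main__":
    for label, link in [("tunnel defaults", TUNNEL_DEFAULT),
                        ("bandwidth only", TUNNEL_BW_ONLY),
                        ("bandwidth + delay", TUNNEL_BW_DELAY)]:
        print(f"{label:18s} FR={path_metric([FR_LINK, LAN_HOP]):>11,d} "
              f"tunnel={path_metric([link, LAN_HOP]):>11,d} -> {compare(link)[0]}")
```

With the tunnel delay left at its default, the delay term alone (500000 / 10 = 50000) exceeds the Frame Relay path's entire metric before the 256 multiplier, so raising bandwidth to 1544 is not enough; lowering `delay` on the tunnel is what flips the decision.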

RE: Possible Attack???? [7:59813]

2002-12-27 Thread jhodge
Not sure if this will help, but you could enable ip accounting on the
uplink interface to the switch.  Watch for the address that is pouring
out the most requests. Then use sho ip arp x.x.x.x to find the mac
address.  From there you could go to the switch and do a show cam
dynamic or if IOS version, show mac-address-table with the mac address
found with the most requests.  This would hunt down the culprit machine
without a person walking to each individual machine.

Cheers,


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Sam Sneed
Sent: December 27, 2002 1:04 PM
To: [EMAIL PROTECTED]
Subject: Re: Possible Attack [7:59813]

Do you run SNMP and mrtg on the switch?  You can then graphically see which
host has been pouring out all the traffic with ease.

 wrote in message
news:[EMAIL PROTECTED]...
 Thanks Priscilla.  I figure it was some sort of spoofing which is what I
 ended up reporting last night.  The traffic on the edge router is under
 control.  I was able to narrow down which VLAN on the switch it was coming
 in on.  There is someone going onsite this morning and we are going to work
 on narrowing down the actual culprit PC.  It should not be difficult to spot
 by looking at the LED on the switch (I hope).  The attack seems to come in
 spurts but when it comes, I see anywhere from about 3000-15000 packets per
 second that last about 10 seconds.  The weird thing is that when I remove
 the access-list that is currently filtering the 127 address, the attack
 lasts much longer.  It is almost like it knows that the access-list has been
 removed.  Since the traffic that I am filtering is not related to ICMP then
 I know that I am not sending out any Unreachable message back to the source.





 Thanks,

 Mario Puras
 SoluNet Technical Support
 Mailto: [EMAIL PROTECTED]
 Direct: (321) 309-1410
 888.449.5766 (USA) / 888.SOLUNET (Canada)



 -Original Message-
 From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, December 26, 2002 10:57 PM
 To: [EMAIL PROTECTED]
 Subject: RE: Possible Attack [7:59813]


 Sending with a source address of 127.x.x.x is often used in IP spoofing.  You
 should try to find out which station is doing this.  It could be compromised.
 Of course, it will be hard to find, but if the packets haven't crossed a
 router, the MAC address will have a clue.  The first six bytes of the MAC
 address are a vendor code.  Of course, if all your equipment is from one
 vendor, that doesn't help much!

 The destination address of 108.122.0.0 is strange also.  I looked it up in
 the ARIN Whois database and it says it's part of a range reserved by IANA.
 I'm not sure why it's reserved, but it seems like a suspicious address to
 use.

 So, you're doing the right thing to filter out these packets.

 But you said the problem remained.  The other thing I noticed that's strange
 is probably unrelated to a possible attack.

 Why are 75% of your packets in the 1-32 byte range?  Those are illegal runt
 frames on Ethernet.  Could you have a duplex mismatch problem??  You should
 check the output of show int Fa0/1.

 Good luck!

 Priscilla

 [EMAIL PROTECTED] wrote:
 
  Hi all.  I was wondering if someone can shed some light on a weird issue
  that I am seeing.  This perhaps may be an attack from an internal or
  infected host within the network or simply a malfunctioning NIC.
  Basically, I have a Cisco 3662 with 2 Satellite links.  I noticed that the
  main WAN link (1.544mb) was bursting outbound to sometimes 20mb.  I noticed
  a lot of output drops and the links started to flap and as a result BGP
  sessions started going down causing huge problems.  Once I was able to get
  the BGP under control, I enabled Netflow on the inbound interface (FE0/1)
  to see what type of traffic could be causing this issue and this is when I
  noticed the below:
 
 
  Here is the output of the Netflow:

  cisco_3600_one#show ip cache flow
  IP packet size distribution (4096357 total packets):
     1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
     .753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 .000 .000 .000

      512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
     .000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000

  IP Flow Switching Cache, 278544 bytes
    978 active, 3118 inactive, 121929 added
    2503952 ager polls, 0 flow alloc failures
    last clearing of statistics never
  Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
  --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
  TCP-Telnet          41      0.0        50    40      0.0      31.3      14.4
  TCP-FTP             87      0.0         7    65      0.0      17.0      12.1
  TCP-FTPD            27      0.0       135   211      0.0      83.0       3.5
  TCP-WWW          43121      0.3         8   335      2.8       3.6       2.7
  TCP-SMTP
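Jamie's hunt (ip accounting on the uplink, the busiest source, then `show ip arp` for its MAC and the switch CAM table) as an added Python example over constructed output, not code from the thread. The `show ip accounting` and `show ip arp` text is made up in the layout of those commands; the 127.x source and the 108.122.0.0 destination are the ones discussed, while the 192.168.10.0/24 inside prefix and the MACs are invented. It also flags source addresses that cannot legitimately appear on an inside port (loopback, reserved, outside the inside prefix), and handles the case Priscilla's post implies: a spoofed source has no ARP entry, so the MAC has to be found on the switch or with a sniffer rather than from the router.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed output in the layout of IOS `show ip accounting`. The destination
# 108.122.0.0 and the 127.x source are the ones discussed in the thread; the
# 192.168.10.0/24 LAN and the other addresses are made up for this example.
ACCOUNTING = """\
   Source           Destination              Packets               Bytes
 127.0.0.1         108.122.0.0                 143220             4582040
 192.168.10.25     64.233.160.4                   412              318640
 192.168.10.7      10.0.48.6                        90               60100
 192.168.10.25     10.0.48.6                       120               98000
 Accounting data age is 3
"""

# Constructed output in the layout of IOS `show ip arp`; MACs are invented.
ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.25           3   0002.b3aa.bbcc  ARPA   FastEthernet0/1
Internet  192.168.10.7           12   0002.b3dd.eeff  ARPA   FastEthernet0/1
Internet  192.168.10.1            -   0004.9aff.0001  ARPA   FastEthernet0/1
"""

LAN = ip_network("192.168.10.0/24")       # assumed inside prefix on FE0/1

_ACCT_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s*$")
_ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)


def parse_accounting(text):
    """Rows of `show ip accounting` as (src, dst, packets, bytes)."""
    rows = []
    for line in text.splitlines():
        m = _ACCT_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return rows


def top_talkers(rows, n=5):
    """Sources ranked by total packets sent, with bytes alongside."""
    pkts, byts = defaultdict(int), defaultdict(int)
    for src, _dst, p, b in rows:
        pkts[src] += p
        byts[src] += b
    return sorted(((src, pkts[src], byts[src]) for src in pkts),
                  key=lambda t: t[1], reverse=True)[:n]


def spoof_indicators(src, lan=LAN):
    """Reasons a source address should never appear on an inside LAN port."""
    ip = ip_address(src)
    reasons = []
    if ip.is_loopback:
        reasons.append("loopback 127/8 source")
    if ip.is_unspecified or ip.is_multicast or ip.is_reserved or ip.is_link_local:
        reasons.append("non-unicast/reserved source")
    if ip not in lan:
        reasons.append(f"not in inside prefix {lan}")
    return reasons


def parse_arp(text):
    """Map IP -> MAC from `show ip arp` output (Cisco dotted-quad MAC form kept)."""
    table = {}
    for line in text.splitlines():
        m = _ARP_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def hunt(accounting_text, arp_text, n=3):
    """Jamie's procedure: busiest sources, then their MAC so the switch CAM table
    can be searched. A source with no ARP entry is a spoofed address, so the
    MAC has to come from the switch or a sniffer instead."""
    arp = parse_arp(arp_text)
    report = []
    for src, packets, nbytes in top_talkers(parse_accounting(accounting_text), n):
        report.append({"src": src, "packets": packets, "bytes": nbytes,
                       "mac": arp.get(src), "flags": spoof_indicators(src)})
    return report


if __name__ == "__main__":
    for entry in hunt(ACCOUNTING, ARP):
        mac = entry["mac"] or "no ARP entry (spoofed source: find the MAC on the switch)"
        print(f"{entry['src']:<15} pkts={entry['packets']:<7} mac={mac} flags={entry['flags']}")
```

The 127.0.0.1 row dominates the packet count but has no ARP entry, which is exactly what a spoofed source looks like from the router; the real station is only reachable through the switch's CAM table or a capture on that VLAN, as the thread goes on to do.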