RE: PIX DNS Issue [7:72685]
You will have to use the alias command or the static dns command to allow translation from internal to external. The CCO site has great examples of your situation.

Cheers,
Jamie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stevo
Sent: July 21, 2003 11:27 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX DNS Issue [7:72685]

You know, I've had similar weirdness with my PIX (6.3) and DNS. I have 2 internal AD DNS servers and 2 external BIND DNS servers. The 2 external DNS servers sit outside the PIX and the AD DNS servers obviously sit behind the PIX on the inside network. I have a host "mail" that has a different DNS entry on the internal and external name servers. Let's say internally the IP is 10.1.1.10 and externally 203.132.60.10. When I am on a host on the internal network and query the external name server, it seems like the response comes from the internal DNS server. Example below:

I'm trying to resolve "mail" on the external name server. When I'm on the external name server (or outside the PIX) the response is always 203.132.60.10. However, when I'm on an internal host and do a lookup against the external name server I get 10.1.1.10 as the answer every time! So it seems like the PIX is grabbing that DNS query and sending it to the internal name server instead of letting it through... Any ideas as to why??

Stevo wrote in message news:[EMAIL PROTECTED]

PIX treats DNS queries a little differently, especially replies. The client has the potential of contacting multiple DNS servers sequentially in the event the first one is experiencing some delays. The PIX keeps track of all of them and allows one reply to come back through. I'm not sure if things changed in the version, but it's a good idea to check..

HTH
Thanks...Nabil
I have never let my schooling interfere with my education.

Andrew Larkins
Sent by: [EMAIL PROTECTED]
07/21/2003 09:41 AM
Please respond to Andrew Larkins
cc:
Subject: RE: PIX DNS Issue [7:72685]

Please send the config and we can have a look.
-----Original Message-----
From: Tunde Kalejaiye [mailto:[EMAIL PROTECTED]]
Sent: 21 July 2003 11:57
To: [EMAIL PROTECTED]
Subject: PIX DNS Issue [7:72685]

I swapped a router running IOS firewall with a PIX 506e and I have been having all sorts of issues. First is the DNS: all clients use an internal DNS server which forwards all requests to an external DNS server. This works fine with the router, but with the PIX it doesn't work. When I configured the clients to use the external DNS server, everything worked fine. The PIX box is running the 6.3 code. I know I am missing something... but can't figure it out yet... I really would appreciate any comments.

Regards,
Tunde

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72717&t=72685
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Access list or Conduit? [7:72514]
You can use the icmp permit command to allow the ICMP through. As well, Cisco recommends you allow unreachable through for SIP. By default all PIX interfaces will respond to icmp echo-reply; you must deny this with the icmp deny command. As well, you can use an ACL to apply to the icmp permit match acl command, to make the ICMP echo-request more granular.

Conduits are the old way of blasting a hole in the PIX. Cisco recommends the trend of ACL and icmp permit statements to mitigate attacks.

Cheers,
Jamie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lynne Padgett
Sent: July 17, 2003 7:09 PM
To: [EMAIL PROTECTED]
Subject: RE: Access list or Conduit? [7:72514]

I agree. If I recall correctly, this change was implemented in the later versions of 5.x and conduits aren't used at all in the 6.x versions. Cisco did this to make the firewall code more IOS-like.

-----Original Message-----
From: Wilmes, Rusty
Sent: Thu Jul 17 20:37:15 2003
To: [EMAIL PROTECTED]
Subject: RE: Access list or Conduit? [7:72514]

My understanding is conduits are the same as access lists but are being phased out and replaced by access lists so that syntax is more uniform across platforms.

-----Original Message-----
From: E. Keith J. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 17, 2003 2:12 PM
To: [EMAIL PROTECTED]
Subject: Access list or Conduit? [7:72514]

Hi all,

The boss wants to allow ping. On the website I found the way by using an access list. In another config I see a conduit is used. What is the difference between using a conduit and an access list to allow ping? Is it that a conduit is to a specific host rather than permit any?

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72552&t=72514
RE: Internet is very slow behind Pix 515E UR [7:70783]
The new version of PIX, 6.3(1), allows the turbo ACL to be activated for ACLs longer than 19 lines. Look at turning it on and seeing if the latency decreases.

Cheers,
Jamie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Wilson
Sent: June 17, 2003 10:26 AM
To: [EMAIL PROTECTED]
Subject: RE: Internet is very slow behind Pix 515E UR [7:70783]

Try taking the access-lists off the interfaces and try again. The access control list acting on the interfaces means that every single packet going through the interface is inspected.

Steve Wilson
Network Engineer

-----Original Message-----
From: Ismail Al-Shelh [mailto:[EMAIL PROTECTED]]
Sent: 17 June 2003 16:19
To: [EMAIL PROTECTED]
Subject: Internet is very slow behind Pix 515E UR [7:70783]

Whenever I access the web site which is behind the PIX firewalls, the speed is really slow. I bypassed the firewall and accessed the same site and it's fast! I checked my settings and made sure all the connected devices are running at 100 and full duplex; they all are! I mean, why is this happening... is it because the PIX has to inspect each packet? The bandwidth from the service provider is 64k. Any idea please. Any ideas?
The PIX version is 6.1; besides, this is a satellite connection.

The internal address range is 191.1.1.0-191.1.1.254 255.255.0.0
Outside address range is 10.15.9.163-183 255.255.255.224
Default Gateway: 10.15.9.62 255.255.255.224
DNS1: 195.238.62.1
DNS2: 195.238.40.30

AN# show config
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password kC9ZDwfWejkBqApp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname AN
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit icmp any any
access-list acl_in permit udp any any
access-list acl_in permit tcp any any
pager lines 10
logging buffered debugging
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 10.15.9.163 255.255.255.224
ip address inside 191.1.1.85 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 10.15.9.164-10.15.9.180
global (outside) 1 10.15.9.181
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.15.9.163 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:97ca54591b41f6b215dabb457fe7c9de
AN#

Ismail Al-Shelh

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70897&t=70783
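The config posted above is the kind of thing a reviewer would want to run a quick sanity check over before worrying about throughput. The following is an added example, not code from the thread: it audits a constructed PIX 6.x-style config (modelled on the posted one, with illustrative values) for an access-group that names an ACL with no entries, an inside ACL that permits any-to-any for every protocol, telnet open from any inside address, and a default SNMP community. The function and constant names (audit_pix_config, SAMPLE_CONFIG) are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a cut-down PIX 6.1 config in the style of the one
# posted in the thread. Values are illustrative, not a real device.
SAMPLE_CONFIG = """\
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname AN
access-list acl_in permit icmp any any
access-list acl_in permit udp any any
access-list acl_in permit tcp any any
ip address outside 10.15.9.163 255.255.255.224
ip address inside 191.1.1.85 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
snmp-server community public
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
"""

ANY_ANY = re.compile(r"^access-list\s+(\S+)\s+permit\s+(ip|tcp|udp|icmp)\s+any\s+any\s*$")
ACCESS_GROUP = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
TELNET = re.compile(r"^telnet\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")
SNMP = re.compile(r"^snmp-server\s+community\s+(\S+)")


def audit_pix_config(text: str) -> List[Tuple[str, str]]:
    """Return (finding_code, detail) pairs for a PIX 6.x style config."""
    findings: List[Tuple[str, str]] = []
    acl_lines: Dict[str, List[str]] = {}
    applied: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            acl_lines.setdefault(line.split()[1], []).append(line)
        m = ACCESS_GROUP.match(line)
        if m:
            applied.append((m.group(1), m.group(2)))
        m = TELNET.match(line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            findings.append(("TELNET_ANY", f"telnet open to any host on {m.group(3)}"))
        m = SNMP.match(line)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("SNMP_DEFAULT_COMMUNITY", f"community '{m.group(1)}'"))
    for name, iface in applied:
        rules = acl_lines.get(name)
        if rules is None:
            # The ACL name is applied but has no entries in this config:
            # nothing is explicitly permitted there, which is usually a typo
            # or a truncated config and deserves a look.
            findings.append(("ACL_UNDEFINED", f"{name} on {iface} has no entries"))
            continue
        # An ACL made only of "permit <proto> any any" lines filters nothing;
        # it just costs a lookup per packet.
        protos = sorted({ANY_ANY.match(r).group(2) for r in rules if ANY_ANY.match(r)})
        if protos:
            findings.append(("ACL_ANY_ANY", f"{name} on {iface} permits any->any for {','.join(protos)}"))
    return findings
```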
RE: copying flash FROM PIX? [7:70731]
If you have access for the new software, then just download the present Finesse OS as well. I do not believe a command exists to bring the code to a TFTP server. I have recently upgraded to 6.3(1). You will have to download the newer PDM 3.1 as well; the present PDM you are running will not run on the new 6.3(1).

Cheers,
Jamie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wright, Jeremy
Sent: June 16, 2003 9:26 AM
To: [EMAIL PROTECTED]
Subject: RE: copying flash FROM PIX? [7:70731]

try write net ?

-----Original Message-----
From: Brad Dodds [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 16, 2003 10:41 AM
To: [EMAIL PROTECTED]
Subject: copying flash FROM PIX? [7:70731]

Going to upgrade to ver 6.3, but I wanted to save the old image to a TFTP server first. copy flash tftp doesn't work:

CiscoPIX515E# sh ver
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)
CiscoPIX515E# copy flash ?
Usage: copy capture: tftp:/// [pcap]
       copy http[s]://[:@][:]/ flash[:[image | pdm]]
       copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]]
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70844&t=70731
RE: cisco 2511 Terminal Server for my first time! [7:53791]
I would highly recommend you use the ip host command for your telnet connections. It brings down the possibility of fat-fingering the keyboard. You should configure a loopback IP address for the reverse telnet, e.g.:

conf term
interface loopback 0
ip address 192.168.1.1 255.255.255.255
exit
ip host test 2001 192.168.1.1
line 1 16
no exec
transport input all
exit

Then type "test" to go to the device that is off the octal cable position 1.

Cheers,
Jamie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jonathan V Hays
Sent: June 17, 2003 12:11 PM
To: [EMAIL PROTECTED]
Subject: Re: cisco 2511 Terminal Server for my first time! [7:53791]

??? wrote:

Hi, I am setting up a 2511 terminal server for my first time, but it doesn't work... This is my 2511 configuration:

line con 0
line 1 16
 session-timeout 20
 exec-timeout 0 0
line aux 0
line vty 0 4
 password
 login

In the above, I found I missed one command in the line con 0 prompt:

line con 0
 transport input all

So I tried to type the command, but couldn't. The result is:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line con 0
Router(config-line)#transport input all
                    ^
% Invalid input detected at '^' marker.
Router(config-line)#

I don't know why the command can't be input. The command is in the Cisco documentation (http://www.cisco.com/warp/public/793/access_dial/comm_server.html). Can anyone help me?

sooil..

You are putting the command in the wrong line. Put it here:

line 1 16
 no exec
 transport input all

Also, you do not state what command you are using to test with.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70843&t=53791
RE: Limiting netbios connections [7:70883]
You could use the traffic-shape command:

interface serial 1
 traffic-shape group 101 128000 16000 8000

You must calculate the bit-rate that is suitable for your medium. The group 101 relates to the access group. In your case you can have all networks:

access-list 101 permit tcp any any eq 135

You could as well just limit the hosts that are causing the problem. But overall you should diagnose whether they are compromised hosts.

Cheers,
Jamie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Marakalas
Sent: June 18, 2003 1:18 PM
To: [EMAIL PROTECTED]
Subject: Limiting netbios connections [7:70883]

Hi all,

I have a problem on the network where some machines are establishing a lot of NetBIOS connections on the network and almost consuming all the bandwidth. How do I configure the ingress interface to set the limit on the number of connections that each machine can have? Your urgent response will be highly appreciated. This might be related to the virus.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70896&t=70883
RE: Passed CID 3.0 Test [7:62536]
Curious about this test: did it include IPX and AppleTalk? I completed the CCDA last week and it had IPX and AppleTalk questions.

Cheers,
Jamie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joseph R. Taylor
Sent: February 5, 2003 1:00 PM
To: [EMAIL PROTECTED]
Subject: RE: Passed CID 3.0 Test [7:62536]

Hi Steve,

Congrats. I'm working on the CSPFA myself.

JoeT

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62686&t=62536
RE: RE: : Influencing EIGRP to use GRE tunnels over Serial link [7:60888]
Thank you to all that responded to this. I found out that I had to influence the route using the bandwidth and delay properties to change the primary route to MPLS instead of the Frame Relay link.

Cheers,
Jamie

-----Original Message-----
From: Amar KHELIFI [mailto:[EMAIL PROTECTED]]
Sent: January 11, 2003 3:15 PM
To: [EMAIL PROTECTED]
Subject: Re: RE: : Influencing EIGRP to use GRE tunnels over Serial link [7:60840]

Sorry, but I failed to emphasize some important points that affect the ((bandwidth)) command. It is true that the bandwidth command affects only IGRP and EIGRP route selection, and that it has nothing to do with the actual clock; that is left to the ((clock rate)) command. It is, however, a good practice in large environments to coordinate the bandwidth used for specific interfaces throughout the whole network; that way the interface type can be predictable in any hop you're viewing the routing table at. But you don't have to bother yourself with it if you just have a hub-and-spoke topology that is not very large, and even though in which case you would implement stubbing, as it is the most scalable solution in that scenario. Excuse the lack of info in the previous message.

Best Regards,
Amar
CCNA, CCNP

----- Original Message -----
From: Amar KHELIFI
To:
Sent: Saturday, January 11, 2003 9:30 PM
Subject: Re: RE: : Influencing EIGRP to use GRE tunnels over Serial link [7:60840]

The BW of the tunnel should not be over that of the T1, assuming all traffic will use the tunnel interface to get to the other site. The best way, if you are only passing traffic for a particular network, is to measure the BW used to reach the net by using IP accounting or NetFlow, if you have the necessary IOS and HW, and calculate it based on the monitored time to have an average, which you will use to split the bandwidth between the physical and logical interfaces.
Hope this helps.

Best Regards,
Amar
CCNA CCNP

PS: I don't know why I can't send messages to the group.

----- Original Message -----
From:
Newsgroups: groupstudy.cisco
Sent: Friday, January 10, 2003 8:53 PM
Subject: Re: RE: : Influencing EIGRP to use GRE tunnels over Serial link [7:60840]

Thank you for the response. Another piece of the puzzle is that I believe there are two ways to influence the EIGRP table. I could increase the 10.x.x.x tunnel bandwidth, or I could advertise the 64.200.x.x network into the EIGRP metric. Presently the 64.200.x.x network is not advertised in the EIGRP table, only the 10.x.x.x is. I believe this is a situation of two ways to 'skin' the cat. Just wondering which way is preferred over the other. To further convolute the situation, I have another engineer here that believes the delay should be manipulated instead of the bandwidth. Any suggestions are appreciated.

Cheers,
Jamie

----- Original Message -----
From: Georgescu, Aurelian
Date: Friday, January 10, 2003 11:21 am
Subject: RE: : Influencing EIGRP to use GRE tunnels over Serial link [7:60834]

You have to put a bandwidth statement under the tunnel interfaces as well, with a higher value than FR.

Aurelian Georgescu

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 10, 2003 2:00 PM
To: [EMAIL PROTECTED]
Subject: : Influencing EIGRP to use GRE tunnels over Serial link [7:60834]

Hello all, I have a question. I have GRE tunnels going through MPLS running at 1.544 Mbps, running EIGRP. The secondary links are Frame Relay links running at 256 kbps per link.
Presently EIGRP has calculated the best link to be the SprintLink, as there are bandwidth statements in the Frame Relay subinterface on the remote site.

Remote site in Tampa:

interface Serial0/0.2 point-to-point
 description Connect to Seattle
 bandwidth 256
 ip address 192.168.228.253 255.255.255.0
 no ip mroute-cache
 no cdp enable
 frame-relay interface-dlci 41

interface Tunnel1
 description Tampa Tunnel to Seattle
 ip address 10.0.48.6 255.255.255.252
 tunnel source Serial0/1
 tunnel destination 64.200.134.18
!

The Tampa site connects with the Seattle hub with these configs:

interface Tunnel1
 description Seattle Tunnel to Tampa
 ip address 10.0.48.5 255.255.255.252
 tunnel source Serial2/0
 tunnel destination 64.200.118.162
end

interface Serial0/0.8 point-to-point
 description Seattle to Tampa
 bandwidth 256
 ip address 192.168.228.254 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 no cdp enable
 frame-relay interface-dlci 39

I believe the best way to influence EIGRP would be to add a bandwidth statement to the tunnel or to the interface to which the tunnel is applied. One other question. T1 1.544mbps would be 193000 in the
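The thread's answer (bandwidth and delay both matter) can be checked with the EIGRP composite metric. The following is an added example, not from the thread: it computes the default-K metric (256 * (10^7 / min bandwidth in kbps + sum of delays in usec / 10), integer math) for the posted Frame Relay subinterface at bandwidth 256 and for the GRE tunnel under several settings. The default interface values used (serial 1544 kbps / 20000 usec, tunnel 9 kbps / 50000 usec) are assumed IOS defaults, and the function names are the example's own.

```python
from typing import Dict, List, Tuple

# One hop = (bandwidth in kbps, delay in microseconds), the two values the
# "bandwidth" and "delay" interface commands set. Note that the IOS "delay"
# command takes tens of microseconds; this example keeps usec throughout.
Hop = Tuple[int, int]

# Assumed IOS defaults (not stated in the thread): a serial / Frame Relay
# subinterface reports 1544 kbps and 20000 usec, a tunnel interface 9 kbps
# and 50000 usec unless overridden.
SERIAL_DEFAULT: Hop = (1544, 20000)
TUNNEL_DEFAULT: Hop = (9, 50000)


def eigrp_metric(path: List[Hop]) -> int:
    """Composite metric with default K values (K1=K3=1, K2=K4=K5=0).

    Bandwidth term uses the slowest hop on the path, delay term sums all
    hops; IOS truncates 10^7 / bandwidth to an integer before scaling.
    """
    min_bw = min(bw for bw, _ in path)
    total_delay = sum(delay for _, delay in path)
    return 256 * (10_000_000 // min_bw + total_delay // 10)


def compare(fr_hop: Hop, tunnel_hop: Hop) -> Tuple[int, int, str]:
    """Metrics of the FR path and the tunnel path, and which one EIGRP installs."""
    fr = eigrp_metric([fr_hop])
    tun = eigrp_metric([tunnel_hop])
    return fr, tun, "tunnel" if tun < fr else "frame-relay"


def tampa_seattle_scenarios() -> Dict[str, Tuple[int, int, str]]:
    """The thread's situation: FR subinterface with 'bandwidth 256' against
    the tunnel at defaults, with only 'bandwidth 256', and with 'bandwidth 1544'."""
    fr = (256, SERIAL_DEFAULT[1])
    return {
        # tunnel left at defaults: 9 kbps makes its metric enormous
        "tunnel-default": compare(fr, TUNNEL_DEFAULT),
        # same bandwidth as FR: the tunnel's larger delay still loses
        "tunnel-bw256": compare(fr, (256, TUNNEL_DEFAULT[1])),
        # bandwidth matching the T1: the tunnel wins
        "tunnel-bw1544": compare(fr, (1544, TUNNEL_DEFAULT[1])),
    }


if __name__ == "__main__":
    for name, (fr_m, tun_m, winner) in tampa_seattle_scenarios().items():
        print(f"{name:14s} FR={fr_m:>10d} tunnel={tun_m:>10d} -> {winner}")
```

The "tunnel-bw256" case is the one that shows why a bandwidth statement alone can fall short: with equal bandwidth the higher tunnel delay still keeps the Frame Relay path preferred.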
RE: Possible Attack???? [7:59813]
Not sure if this will help, but you could enable ip accounting on the uplink interface to the switch. Watch for the address that is pouring out the most requests. Then use "sho ip arp x.x.x.x" to find the MAC address. From there you could go to the switch and do a "show cam dynamic" or, if it is an IOS version, "show mac-address-table" with the MAC address found with the most requests. This would hunt down the culprit machine without a person walking to each individual machine.

Cheers,

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sam Sneed
Sent: December 27, 2002 1:04 PM
To: [EMAIL PROTECTED]
Subject: Re: Possible Attack [7:59813]

Do you run SNMP and MRTG on the switch? You can then graphically see which host has been pouring out all the traffic with ease.

wrote in message news:[EMAIL PROTECTED]...

Thanks Priscilla. I figure it was some sort of spoofing, which is what I ended up reporting last night. The traffic on the edge router is under control. I was able to narrow down which VLAN on the switch it was coming in on. There is someone going onsite this morning and we are going to work on narrowing down the actual culprit PC. It should not be difficult to spot by looking at the LED on the switch (I hope). The attack seems to come in spurts, but when it comes, I see anywhere from about 3000-15000 packets per second that last about 10 seconds. The weird thing is that when I remove the access-list that is currently filtering the 127 address, the attack lasts much longer. It is almost like it knows that the access-list has been removed. Since the traffic that I am filtering is not related to ICMP, I know that I am not sending out any Unreachable message back to the source.
Thanks,

Mario Puras
SoluNet Technical Support
Mailto: [EMAIL PROTECTED]
Direct: (321) 309-1410
888.449.5766 (USA) / 888.SOLUNET (Canada)

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 26, 2002 10:57 PM
To: [EMAIL PROTECTED]
Subject: RE: Possible Attack [7:59813]

Sending with a source address of 127.x.x.x is often used in IP spoofing. You should try to find out which station is doing this. It could be compromised. Of course, it will be hard to find, but if the packets haven't crossed a router, the MAC address will have a clue. The first six bytes of the MAC address are a vendor code. Of course, if all your equipment is from one vendor, that doesn't help much!

The destination address of 108.122.0.0 is strange also. I looked it up in the ARIN Whois database and it says it's part of a range reserved by IANA. I'm not sure why it's reserved, but it seems like a suspicious address to use. So, you're doing the right thing to filter out these packets. But you said the problem remained.

The other thing I noticed that's strange is probably unrelated to a possible attack. Why are 75% of your packets in the 1-32 byte range? Those are illegal runt frames on Ethernet. Could you have a duplex mismatch problem?? You should check the output of show int Fa0/1.

Good luck!
Priscilla

[EMAIL PROTECTED] wrote:

Hi all. I was wondering if someone can share some light on a weird issue that I am seeing. This perhaps may be an attack from an internal or infected host within the network, or simply a malfunctioning NIC. Basically, I have a Cisco 3662 with 2 satellite links. I noticed that the main WAN link (1.544mb) was bursting outbound to sometimes 20mb. I noticed a lot of output drops and the links started to flap, and as a result BGP sessions started going down, causing huge problems.
Once I was able to get the BGP under control, I enabled NetFlow on the inbound interface (FE0/1) to see what type of traffic could be causing this issue, and this is when I noticed the below. Here is the output of the NetFlow:

cisco_3600_one#show ip cache flow
IP packet size distribution (4096357 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  978 active, 3118 inactive, 121929 added
  2503952 ager polls, 0 flow alloc failures
  last clearing of statistics never

Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          41      0.0        50     40      0.0      31.3      14.4
TCP-FTP             87      0.0         7     65      0.0      17.0      12.1
TCP-FTPD            27      0.0       135    211      0.0      83.0       3.5
TCP-WWW          43121      0.3         8    335      2.8       3.6       2.7
TCP-SMTP
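The hunt described in the top reply (ip accounting on the uplink, then the ARP and CAM tables) starts with finding the source that is pouring out the most packets. The following is an added example, not from the thread: it parses constructed output in the layout of "show ip accounting" (source, destination, packets, bytes), ranks sources by packet count, and separately flags any source that falls in a range that cannot belong to a LAN host, such as the 127.x.x.x source discussed above. The sample rows and function names are the example's own.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the layout of "show ip accounting"; not output from
# the poster's router. The 127.0.0.1 -> 108.122.0.0 rows mirror the thread.
SAMPLE_ACCOUNTING = """\
   Source           Destination              Packets               Bytes
 192.168.10.21    10.20.0.5                   1204              980112
 127.0.0.1        108.122.0.0                14870              594800
 192.168.10.44    64.12.0.7                   9910              812200
 127.0.0.1        108.122.0.1                 6021              240840
 192.168.10.21    10.20.0.9                   3310              301510
"""

# Source ranges that should never appear on an inside LAN interface:
# loopback (the one seen in the thread), "this network", and multicast.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4")]

Row = Tuple[str, str, int, int]


def parse_accounting(text: str) -> List[Row]:
    """Turn the accounting table into (src, dst, packets, bytes) rows."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split()
        # The header line has four words but no numeric packet count.
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        rows.append((parts[0], parts[1], int(parts[2]), int(parts[3])))
    return rows


def top_sources(rows: List[Row], n: int = 3) -> List[Tuple[str, int]]:
    """Sources ordered by total packets; the first place to look for the noisy host."""
    totals: Dict[str, int] = defaultdict(int)
    for src, _, pkts, _ in rows:
        totals[src] += pkts
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def spoofed_sources(rows: List[Row]) -> List[str]:
    """Distinct sources inside a bogon range, in first-seen order."""
    seen: List[str] = []
    for src, _, _, _ in rows:
        addr = ipaddress.ip_address(src)
        if src not in seen and any(addr in net for net in BOGON_SOURCES):
            seen.append(src)
    return seen


if __name__ == "__main__":
    parsed = parse_accounting(SAMPLE_ACCOUNTING)
    print("top sources:", top_sources(parsed))
    print("bogon sources:", spoofed_sources(parsed))
```

A bogon source address still has a real MAC address on the ingress VLAN, which is why the next step in the thread is the ARP table and then the switch CAM table.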