Re: Difference between Cisco VPN and PIX Firewall [7:75235]
Hello all,

Can I know what is the Cisco PIX and that of a Cisco VPN 3000 in terms of performance? I am planning to implement VPN with either a VPN Concentrator or a PIX; however, I was told that if you implement only a VPN Concentrator instead of a PIX, then you may get VPN connectivity but you will not be able to implement the filtering functionalities which are required. In the case of the PIX I may get both VPN as well as filtering of unwanted traffic, thereby the chances of hacking sessions are less. Is this true? I am confused. Kindly help me.

Also, which one should be considered the best scenario for implementation? I am giving the 3 scenarios below. If there is any scenario better than these, please let me know, with the pros and cons of that one. Also I request you to let me know the pros and cons of these scenarios.

Thanks in advance.

Scenario I               Scenario II              Scenario III

 Internet                 Internet                 Internet
    |                        |                        |
VPN Concentrator          Firewall                 Firewall----VPN Concentrator
    |                        |                        |              |
   LAN                  VPN Concentrator             LAN-------------+
                             |
                            LAN

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=75235t=75235
Re: Difference between Cisco VPN and PIX Firewall [7:75235]
Standard answer: it depends. Followed immediately by the standard question: what problem are you trying to solve?

The VPN Concentrator does not firewall or filter; it is a specialized tunnel termination device. You may (emphasis on may) need to use it when you are terminating more than about 20 tunnels. That depends on how active the tunnels are and what else your firewall is doing -- how much other work must it do filtering how much other traffic? The Concentrator does offer AES and DH Group 7 (the latter is useful if the other end of the tunnel is a client which can support ECC, but not many can).

You need a firewall between you and the Internet. Have a look at the SMR SAFE Blueprint, here: http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a008009c8a0.shtml

If you do decide to use a Concentrator, people may differ, but I recommend terminating your tunnels outside the firewall. If you don't, the firewall must either work at the traffic to inspect it properly (which in fact makes it work even harder to re-encrypt, etc. to send it to the Concentrator) or you poke a big hole in the firewall by accepting traffic that looks like it ought to be a part of the tunnel.

If your LAN receives public traffic (is there a public-facing server, any kind of mini-DMZ?), then you will want a switch to send tunnel traffic to the Concentrator and all other traffic to the firewall. Looks sort of like this:

                 Concentrator
                /            \
Internet---switch------------firewall---LAN

HTH

Annlee

Mr piyush shah wrote:

Hello all, can I know what is the Cisco PIX and that of a Cisco VPN 3000 in terms of performance?
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=75241t=75235
RE: Difference between Cisco VPN and PIX Firewall [7:75235]
Scenario III is probably the most recommended. It is incorrect to say that the VPN Concentrator does not have filtering capabilities. It generally only allows traffic in on its public interface that is necessary for VPN connections, so it is not any more inherently insecure than a PIX. It does not have all of the capabilities of the PIX, however, so if you need a true firewall I'd go with a firewall (not necessarily a PIX; I personally think they suck, go with a Check Point).

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-----Original Message-----
From: Mr piyush shah
Sent: Thursday, September 11, 2003 7:08 AM
Subject: Re: Difference between Cisco VPN and PIX Firewall [7:75235]

Hello all, can I know what is the Cisco PIX and that of a Cisco VPN 3000 in terms of performance?
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=75244t=75235
RE: RE: Slow Browsing via 500 Pix firewall [7:74583]
This may be silly, but did you do a sho debug to see if any debugs were running? I had accidentally left a debug crypto ipsec running after troubleshooting a VPN. That drastically slowed down everything.

-----Original Message-----
From: Mark
Sent: 9/3/2003 8:46 PM
Subject: Re: RE: Slow Browsing via 500 Pix firewall [7:74583]

Is the problem related to a slow initial connection to a Web Server? If so then it could be an IDENT protocol problem (TCP port 113 connection coming back to you from the server). Try putting service resetoutside on the PIX and see if the problem still persists.

Mark
CCIE RS, Security Lab Technician
GigaVelocity.com

----- Original Message -----
From: Jurkouich, Brett, CNTR, DCAA
Subject: RE: Slow Browsing via 500 Pix firewall [7:74583]
Date: Tue, 2 Sep 2003 18:20:06 GMT

Try turning off the port 80 inspecting with the no fixup protocol http 80 command.

-----Original Message-----
From: Faisal
Sent: Monday, September 01, 2003 1:38 AM
Subject: Slow Browsing via 500 Pix firewall [7:74583]

Hi All, I am having a problem of slow or intermittent browsing through the PIX firewall. If I bypass it, the traffic speeds are fine. But if all that traffic is going via the firewall then it becomes extremely slow. Can anybody please help me to sort this out?

Regards
Faisal

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74784t=74583
RE: Slow Browsing via 500 Pix firewall [7:74583]
Hi there Faisal,

Good afternoon. I hope this mail finds you well.

Have you checked the interface speed/duplex and the interface counters? The show interface command should give you the output. The speed/duplex of the outside interface of the PIX should match the speed/duplex of the router's ethernet interface(?). The speed/duplex of the inside interface of the PIX should match the speed/duplex of the access-switch's ethernet interface(?) that it is connected to.

Hope the info helps. This will be all from me for now. Do have a nice day.

Regards,
keng loon

-----Original Message-----
From: Faisal
Sent: Monday, 1 September 2003 3:38 PM
Subject: Slow Browsing via 500 Pix firewall [7:74583]

Hi All, I am having a problem of slow or intermittent browsing through the PIX firewall. If I bypass it, the traffic speeds are fine. But if all that traffic is going via the firewall then it becomes extremely slow. Can anybody please help me to sort this out?

Regards
Faisal

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74703t=74583
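The check keng loon describes, as an added example that is not from any post in this thread: a parser for PIX 6.x-style show interface output that pulls out the duplex setting and error counters per interface and flags the counter pattern of a speed/duplex mismatch. The sample output below is constructed for this example (interface names, addresses, MAC and counter values are made up), and the rule it applies, late collisions on a half-duplex interface or CRC errors and runts on a full-duplex one, is the usual mismatch signature rather than anything the post itself states.

```python
import re

# Constructed sample 'show interface' output in PIX 6.x style (not real device output;
# the addresses, MACs and counter values are made up for this example).
SAMPLE_SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.e300.4a5b
  IP address 203.0.113.2, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit half duplex
        1234567 packets input, 987654321 bytes, 0 no buffer
        Received 1234 broadcasts, 318 runts, 0 giants
        412 input errors, 412 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        2345678 packets output, 1234567890 bytes, 0 underruns
        0 output errors, 15321 collisions, 0 interface resets
        0 babbles, 2210 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/7)
        output queue (curr/max blocks): hardware (0/12) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.e300.4a5c
  IP address 10.1.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        3456789 packets input, 2345678901 bytes, 0 no buffer
        Received 5678 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        2987654 packets output, 1987654321 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/3)
        output queue (curr/max blocks): hardware (0/9) software (0/1)
"""

IFACE_RE = re.compile(
    r'^interface (?P<hw>\S+) "(?P<name>[^"]+)" is (?P<admin>\w+), line protocol is (?P<proto>\w+)'
)
DUPLEX_RE = re.compile(r"\b(?P<duplex>half|full) duplex\b")
# Only the counters that matter for a duplex diagnosis are picked out.
COUNTER_RE = re.compile(
    r"(?P<value>\d+) (?P<name>CRC|late collisions|collisions|runts|input errors)\b"
)


def parse_show_interface(text):
    """Return {name: {hw, admin, proto, duplex, counters}} from 'show interface' output."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            current = {"hw": m["hw"], "admin": m["admin"], "proto": m["proto"],
                       "duplex": None, "counters": {}}
            interfaces[m["name"]] = current
            continue
        if current is None:
            continue
        d = DUPLEX_RE.search(line)
        if d:
            current["duplex"] = d["duplex"]
        for c in COUNTER_RE.finditer(line):
            current["counters"][c["name"]] = int(c["value"])
    return interfaces


def duplex_findings(interfaces):
    """Name the interfaces whose counters look like a speed/duplex mismatch.

    The half-duplex end of a mismatched link sees late collisions; the full-duplex
    end sees CRC errors and runts. A clean interface produces no finding.
    """
    findings = {}
    for name, info in interfaces.items():
        ctr = info["counters"]
        if info["duplex"] == "half" and ctr.get("late collisions", 0) > 0:
            findings[name] = "half duplex with late collisions: far end is probably forced to full duplex"
        elif info["duplex"] == "full" and (ctr.get("CRC", 0) > 0 or ctr.get("runts", 0) > 0):
            findings[name] = "full duplex with CRC errors/runts: far end is probably running half duplex"
    return findings


if __name__ == "__main__":
    for name, why in duplex_findings(parse_show_interface(SAMPLE_SHOW_INTERFACE)).items():
        print(f"{name}: {why}")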
Re: RE: Slow Browsing via 500 Pix firewall [7:74583]
Is the problem related to a slow initial connection to a Web Server? If so then it could be an IDENT protocol problem (TCP port 113 connection coming back to you from the server). Try putting service resetoutside on the PIX and see if the problem still persists.

Mark
CCIE RS, Security Lab Technician
GigaVelocity.com

----- Original Message -----
From: Jurkouich, Brett, CNTR, DCAA
Subject: RE: Slow Browsing via 500 Pix firewall [7:74583]
Date: Tue, 2 Sep 2003 18:20:06 GMT

Try turning off the port 80 inspecting with the no fixup protocol http 80 command.

-----Original Message-----
From: Faisal
Sent: Monday, September 01, 2003 1:38 AM
Subject: Slow Browsing via 500 Pix firewall [7:74583]

Hi All, I am having a problem of slow or intermittent browsing through the PIX firewall. If I bypass it, the traffic speeds are fine. But if all that traffic is going via the firewall then it becomes extremely slow. Can anybody please help me to sort this out?

Regards
Faisal

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74763t=74583
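What Mark's suggestion changes, shown as an added example that is not part of the thread: a small RFC 1413 ident query timed against two behaviours. Connecting to a port that answers with RST fails at once, which is what service resetoutside makes the PIX do for the server's port 113 callback; connecting to something that swallows the query stalls for the full timeout, and a web server that insists on an ident lookup holds the page until then. The silent listener used for the second case is a loopback stand-in for a dropping firewall (it completes the handshake and then stays quiet; a real drop also loses the SYN, so the stall there is the server's connect timeout, longer still), and the ports and timeout are made up for the demonstration.

```python
import socket
import time


def ident_lookup(host, port, server_port, client_port, timeout=0.5):
    """Send an RFC 1413 ident query ("<client_port> , <server_port>") to host:port.

    Returns (outcome, seconds): 'refused' when a RST comes back, 'timeout' when
    nothing does, 'answered' when an ident daemon actually replies.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{client_port} , {server_port}\r\n".encode("ascii"))
            reply = s.recv(512)
        outcome = "answered" if reply else "closed"
    except ConnectionRefusedError:
        outcome = "refused"   # RST: the fast-fail path that 'service resetoutside' gives the server
    except socket.timeout:
        outcome = "timeout"   # silence: the server waits out its ident timer before serving the page
    return outcome, time.monotonic() - start


def closed_port():
    """A loopback port with nothing listening; connecting to it is answered with a RST."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def silent_listener():
    """A listener that lets the kernel complete the handshake but never answers.

    Stand-in for a firewall that drops the ident query (hypothetical setup for the
    demo; a real drop would swallow the SYN as well).
    """
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def compare(timeout=0.5):
    """Time one ident query against each behaviour; keys 'rst' and 'drop'."""
    listener = silent_listener()
    try:
        return {
            "rst": ident_lookup("127.0.0.1", closed_port(), 80, 40000, timeout),
            "drop": ident_lookup("127.0.0.1", listener.getsockname()[1], 80, 40000, timeout),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for label, (outcome, seconds) in compare().items():
        print(f"{label:5s} -> {outcome:8s} after {seconds:.2f}s")
```

Run it and the 'rst' line comes back in well under a millisecond while the 'drop' line takes the whole timeout; multiply the latter by every new browser connection and you have the slow first page load Mark is pointing at.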
RE: Slow Browsing via 500 Pix firewall [7:74583]
Try turning off the port 80 inspecting with the no fixup protocol http 80 command.

-----Original Message-----
From: Faisal
Sent: Monday, September 01, 2003 1:38 AM
Subject: Slow Browsing via 500 Pix firewall [7:74583]

Hi All, I am having a problem of slow or intermittent browsing through the PIX firewall. If I bypass it, the traffic speeds are fine. But if all that traffic is going via the firewall then it becomes extremely slow. Can anybody please help me to sort this out?

Regards
Faisal

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74676t=74583
RE: Slow Browsing via 500 Pix firewall [7:74583]
Hi,

I have had similar problems in the past when one person was downloading several Linux ISOs from their PC all at once!!! They had come in early to do so. After doing a clear xlate the problem was resolved and everyone could browse at the normal speed. The person started their ISO downloads again, but at a slower speed and one at a time. If you know of a user similar to this you can clear only their xlate and leave everyone else's alone.

Hope this helps.

Regards
Paul

-----Original Message-----
From: Jurkouich, Brett, CNTR, DCAA
Sent: 02 September 2003 19:20
Subject: RE: Slow Browsing via 500 Pix firewall [7:74583]

Try turning off the port 80 inspecting with the no fixup protocol http 80 command.

-----Original Message-----
From: Faisal
Sent: Monday, September 01, 2003 1:38 AM
Subject: Slow Browsing via 500 Pix firewall [7:74583]

Hi All, I am having a problem of slow or intermittent browsing through the PIX firewall. If I bypass it, the traffic speeds are fine. But if all that traffic is going via the firewall then it becomes extremely slow. Can anybody please help me to sort this out?

Regards
Faisal

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74688t=74583
Slow Browsing via 500 Pix firewall [7:74583]
Hi All,

I am having a problem of slow or intermittent browsing through the PIX firewall. If I bypass it, the traffic speeds are fine. But if all that traffic is going via the firewall then it becomes extremely slow. Can anybody please help me to sort this out?

Regards
Faisal

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74583t=74583
RE: how does firewall switch port block Blaster [7:74092]
Richard Campbell wrote:

Thanks so much.. I think most of the company will get the worm because of the laptop mobile users; they connect to the net from their home and get infected by the worm as there is no personal firewall on the laptop, and then they connect to the office network and infect others. How about blocking the switch port?? Can a switch port block the worm, as I heard from my friends??

A switch (using traditional language) is a data-link layer device. It wouldn't know that the worm is spreading using TCP port 135. It doesn't look beyond the MAC addresses in frames. A layer 3 switch (marketing term for a router) could block it. So could a firewall.

All laptops should run personal firewalls. I think all computers should run personal firewalls actually. Then they would be protected from the problem of the mobile user bringing in an infected laptop. I realize this is difficult to implement and enforce though.

Priscilla

From: Priscilla Oppenheimer
Subject: RE: how does firewall switch port block Blaster [7:74092]
Date: Mon, 18 Aug 2003 19:04:49 GMT

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74256t=74092
RE: how does firewall switch port block Blaster [7:74092]
Thanks so much.. I think most of the company will get the worm because of the laptop mobile users; they connect to the net from their home and get infected by the worm as there is no personal firewall on the laptop, and then they connect to the office network and infect others. How about blocking the switch port?? Can a switch port block the worm, as I heard from my friends??

From: Priscilla Oppenheimer
Subject: RE: how does firewall switch port block Blaster [7:74092]
Date: Mon, 18 Aug 2003 19:04:49 GMT

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74248t=74092
how does firewall switch port block Blaster virus? [7:74092]
Hi..

My friends told me that other than the Microsoft patches that can prevent the Blaster virus, a firewall and blocking switch ports can block the virus too. Is there any configuration that needs to be added in my PIX and Cisco switch ports in order to block them? If yes, is there any example?? But I don't understand the concept; can you explain the concept to me? How can a firewall and a switch port block a virus??? For example, my PIX disallows every incoming traffic except the ping reply; doesn't that mean it blocks the virus too??

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74092t=74092
RE: how does firewall switch port block Blaster virus? [7:74102]
The Blaster worm exploits a vulnerability in the DCOM RPC component in Windows. RPC is used for accepting requests from remote computers. RPC/DCOM listens on TCP 135 and other ports. Successfully compromising an unpatched Windows box requires that TCP 135 or other ports be accessible. I've seen RPC ports other than 135 being probed, e.g. TCP/UDP 593.

In a default PIX configuration, any unrequested incoming traffic is denied by default. If you've mapped a global address to an unpatched/unprotected box and have allowed TCP 135 into it, then that box is vulnerable from the Internet. On the LAN any unpatched Windows box is vulnerable if a mobile user plugs an infected machine into the network.

To mitigate chances of infection you could use updated AV software or the ICF if you're using XP, or if you're using Windows 2000 you can use TCP/IP filtering. See http://support.microsoft.com/default.aspx?kbid=826955

Vijay Ramcharan

-----Original Message-----
From: Richard Campbell
Sent: Monday, August 18, 2003 3:47 AM
Subject: how does firewall switch port block Blaster virus? [7:74092]

Hi.. My friends told me that other than the Microsoft patches that can prevent the Blaster virus, a firewall and blocking switch ports can block the virus too. Is there any configuration that needs to be added in my PIX and Cisco switch ports in order to block them? If yes, is there any example?? But I don't understand the concept; can you explain the concept to me? How can a firewall and a switch port block a virus??? For example, my PIX disallows every incoming traffic except the ping reply; doesn't that mean it blocks the virus too??

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74102t=74102
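A way to put Vijay's point to work on the PIX's own syslog, as an added example that is not from any post in this thread: a triage script over 106023 (deny) and 302013 (built connection) messages that lists sources touching many distinct hosts on the RPC/DCOM ports named in the thread (135 and 593 from Vijay's post, 139 and 445 from Annlee's). A denied sweep from outside is the default deny doing its job; a run of built outbound connections to port 135 from one inside address is the infected laptop Vijay and Richard describe, which the perimeter rule cannot stop but the connection log does reveal. The log lines, addresses and the five-target threshold are constructed for the example, not taken from a real device.

```python
import re
from collections import defaultdict

# Ports named in the thread for Blaster and its RPC/DCOM relatives; the threshold is a
# hypothetical tuning knob, not a documented value.
WORM_PORTS = {135, 139, 445, 593}
MIN_TARGETS = 5

# %PIX-4-106023: Deny tcp src outside:198.51.100.7/1031 dst inside:203.0.113.21/135 by access-group "outside_in"
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>tcp|udp) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# %PIX-6-302013: Built outbound TCP connection 9001 for outside:198.51.100.1/135 (198.51.100.1/135)
#                to inside:10.1.1.57/101 (203.0.113.5/101)
BUILT_RE = re.compile(
    r"%PIX-\d-302013: Built (?P<dir>inbound|outbound) TCP connection \d+ "
    r"for \w+:(?P<a>[\d.]+)/(?P<aport>\d+) \([\d.]+/\d+\) "
    r"to \w+:(?P<b>[\d.]+)/(?P<bport>\d+) \([\d.]+/\d+\)"
)


def parse_event(line):
    """Return (src, dst, dst_port, verdict) for a deny or built message, or None otherwise."""
    m = DENY_RE.search(line)
    if m:
        return m["src"], m["dst"], int(m["dport"]), "denied"
    m = BUILT_RE.search(line)
    if m:
        # In 302013 the 'for' side is the lower-security interface: for an outbound
        # connection that is the destination, for an inbound one it is the source.
        if m["dir"] == "outbound":
            return m["b"], m["a"], int(m["aport"]), "built"
        return m["a"], m["b"], int(m["bport"]), "built"
    return None


def find_scanners(lines, ports=WORM_PORTS, min_targets=MIN_TARGETS):
    """Sources that touched at least min_targets distinct hosts on the worm ports.

    'denied' means the PIX stopped the probe; 'built' for an inside source means an
    internal host is actively scanning and is probably infected.
    """
    targets = defaultdict(set)
    verdicts = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        src, dst, dport, verdict = event
        if dport in ports:
            targets[src].add(dst)
            verdicts[src].add(verdict)
    return {
        src: {"targets": len(dsts), "verdicts": sorted(verdicts[src])}
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }


# Constructed sample log (documentation-range addresses, not a real capture).
SAMPLE_LOG = (
    # Internet host sweeping the public range on 135: stopped by the default deny.
    [f'%PIX-4-106023: Deny tcp src outside:198.51.100.7/10{i} dst inside:203.0.113.2{i}/135 '
     f'by access-group "outside_in"' for i in range(1, 7)]
    # Inside laptop opening outbound connections to six hosts on 135: Blaster at work.
    + [f'%PIX-6-302013: Built outbound TCP connection 900{i} for outside:198.51.100.{i}/135 '
       f'(198.51.100.{i}/135) to inside:10.1.1.57/10{i} (203.0.113.5/10{i})' for i in range(1, 7)]
    # Ordinary web browsing and a single 445 probe: neither should be flagged.
    + ['%PIX-6-302013: Built outbound TCP connection 9100 for outside:192.0.2.80/80 '
       '(192.0.2.80/80) to inside:10.1.1.20/1400 (203.0.113.5/1400)',
       '%PIX-4-106023: Deny tcp src outside:198.51.100.99/2049 dst inside:203.0.113.30/445 '
       'by access-group "outside_in"']
)

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} targets on worm ports, verdicts {info['verdicts']}")
```

Feed it logging trap informational output from the PIX (302013 is severity 6, so a warnings-only trap level hides exactly the inside-to-outside evidence you want) and the inside address with a 'built' verdict is the machine to pull off the switch port Richard asks about.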
Re: how does firewall switch port block Blaster virus? [7:74101]
Richard Campbell wrote:

Hi.. My friends told me that other than the Microsoft patches that can prevent the Blaster virus, a firewall and blocking switch ports can block the virus too. Is there any configuration that needs to be added in my PIX and Cisco switch ports in order to block them? If yes, is there any example?? But I don't understand the concept; can you explain the concept to me? How can a firewall and a switch port block a virus??? For example, my PIX disallows every incoming traffic except the ping reply; doesn't that mean it blocks the virus too??

The MSBlaster Worm propagates without email -- it scans for a host with open ports, enters through those ports, executes its package which takes advantage of RPC and/or DCOM vulnerabilities, then propagates. That's a very short version; more info is available at www.cert.org, www.sans.org, isc.sans.org.

TCP ports used are 135, 137-139, 445, and (I believe, no time to look it up now) 1026. TFTP downloads (which are part of the worm's internal execution) occur on (UDP), IIRC. Try the above references for better info.

Annlee

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74101t=74101
RE: how does firewall switch port block Blaster virus? [7:74103]
Cisco PIX and IOS software (with the FW/IDS feature set) includes some virus/attack blocking capabilities. It is more limited than their stand-alone IDS products. For more detail, I think it would be helpful to know exactly what your friend said. What were they trying to suggest? Fred Reimer - CCNA Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338 Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050 NOTICE; This email contains confidential or proprietary information which may be legally privileged. It is intended only for the named recipient(s). If an addressing or transmission error has misdirected the email, please notify the author by replying to this message. If you are not the named recipient, you are not authorized to use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer. -Original Message- From: Richard Campbell [mailto:[EMAIL PROTECTED] Sent: Monday, August 18, 2003 3:47 AM To: [EMAIL PROTECTED] Subject: how does firewall switch port block Blaster virus? [7:74092] Hi.. My friends told me other than the microsoft patches can prevent Blaster virus , a firewall and blocking switch ports can block the virus too. Is there any configuration need to be added in my PIX and Cisco switch ports in order to block them? If yes, is there any example?? But I don't understand the concept, can you explain to me the concept? How can a firewall and switch port block Virus??? For example, my PIX disallow every incoming traffic except the ping reply, doesn't it mean it block the virus too?? 
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74103t=74103
RE: how does firewall switch port block Blaster [7:74092]
Richard Campbell wrote:
> Hi..
> My friends told me that, other than the Microsoft patches that can prevent the Blaster virus, a firewall and blocking switch ports can block the virus too. Is there any configuration that needs to be added to my PIX and Cisco switch ports in order to block it? If yes, is there any example?
> But I don't understand the concept; can you explain the concept to me? How can a firewall and switch port block a virus?

Blaster isn't really a virus. It's a worm. Experts have argued over the terms for years and I hope I have this right, but a virus requires host software to help spread it, for example e-mail software. Computers get viruses because users open e-mail attachments, for example. The virus spreads by using features of its host software, for example, address books. It sends the evil attachment to every address in the program's address book, for example.

Worms, on the other hand, can run standalone. A worm consumes computer resources, but it doesn't need a host application to do this or to spread. It can propagate a complete working version of itself on to other machines by connecting to other machines over a network and exploiting operating system bugs or anomalies.

So, in the case of Blaster, it spreads itself by opening a TCP connection to port 135. Then it takes advantage of the bad Microsoft RPC software... (Variants use other ports too.)

To make a long story short, people with firewalls were protected because connection establishment requests to TCP port 135 failed. Unbelievably, huge (and I mean huge) numbers of Windows machines were not protected with a global or personal firewall! Shame on us.

Sounds like you're protected. A properly configured PIX, which you seem to have, should protect you.
Priscilla Oppenheimer

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74116t=74092
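As an added illustration of the defensive side of this thread (my code, not anything posted to the list or shipped by Cisco): a small Python detector that reads PIX 106023 deny messages and flags a source that is probing the Blaster ports across many inside hosts, which is what a worm sweep looks like in a firewall log when the PIX is already dropping it. The log lines are constructed for the example, the message layout follows the PIX 6.x 106023 format, and the port set (taken from Annlee's list, minus the uncertain 1026) and the threshold of five hosts are my choices.

```python
import re
from collections import defaultdict

# TCP ports the thread associates with Blaster (135, 137-139, 445); 1026 is
# listed there as uncertain, so it is deliberately left out.
WORM_PORTS = {135, 137, 138, 139, 445}

# PIX 6.x syslog message 106023 ("Deny <proto> src <if>:<ip>/<port> dst
# <if>:<ip>/<port> by access-group ...") -- the line a PIX emits when an ACL
# drops a packet; the field layout follows the PIX syslog documentation.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group"
)


def parse_deny(line):
    """Return {proto, src, dst, dport} for a 106023 deny line, else None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return {
        "proto": m.group("proto").lower(),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def find_scanners(lines, min_targets=5):
    """Sources whose denied TCP attempts on WORM_PORTS touched at least
    min_targets distinct inside hosts; returns {src: sorted list of targets}."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_deny(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] in WORM_PORTS:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


# Constructed sample log: one outside host sweeping TCP/135 across eight inside
# addresses (worm-like), plus ordinary single denies and an unrelated message.
SAMPLE_LOG = [
    f'%PIX-4-106023: Deny tcp src outside:203.0.113.7/{3300 + i} '
    f'dst inside:10.1.1.{i}/135 by access-group "outside_in"'
    for i in range(1, 9)
] + [
    '%PIX-4-106023: Deny tcp src outside:198.51.100.4/1087 dst inside:10.1.1.5/135 by access-group "outside_in"',
    '%PIX-4-106023: Deny tcp src outside:198.51.100.9/2044 dst inside:10.1.1.20/80 by access-group "outside_in"',
    '%PIX-4-106023: Deny udp src outside:198.51.100.9/2045 dst inside:10.1.1.21/137 by access-group "outside_in"',
    '%PIX-6-302013: Built inbound TCP connection 12 for outside:198.51.100.4/1088 (198.51.100.4/1088) to inside:10.1.1.5/80 (10.1.1.5/80)',
]

if __name__ == "__main__":
    for src, hosts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed worm ports on {len(hosts)} hosts: {hosts[0]} .. {hosts[-1]}")
```

Counting distinct destinations rather than raw hits is what separates a sweep from one misconfigured client retrying the same server; a single source touching a single inside host on 135 stays below the threshold.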
Upgrading PDM on a PIX firewall [7:70261]
I was trying to find out what the proper procedure for upgrading the PDM on a PIX box is. The documentation on Cisco's site covers installation (including on an existing box) but it doesn't seem to address the upgrade specifically. Can I simply send the binary via TFTP? The Cisco documentation doesn't seem to specify whether it will affect the firewall config or not. I wouldn't assume that it would, but we all know what we get when we assume...

Bruce Fyfe, Network Engineer
LAKESIDE INDUSTRIES
(425) 313-2600
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70261t=70261
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Upgrading PDM on a PIX firewall [7:70261]
From: Mariusz T.
Subject: Re: Upgrading PDM on a PIX firewall [7:70261]
Date: 6 June 2003 16:34

User Bruce Fyfe wrote in message news:[EMAIL PROTECTED]

You type copy ? and what you get is:

copy tftp[:[[//location][/pathname]]] flash[:[image | pdm]]

so you can assume that

copy tftp: flash:pdm

will do the job... and it won't affect the PIX configuration; why should it? It's just configuration editing software, just like ConfigMaker, only located on the PIX flash for your (in)convenience.

HTH
Mariusz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70268t=70261
Re: Upgrading PDM on a PIX firewall [7:70261]
The command is:

copy tftp flash:pdm

Jay Dunn
IPI*GrammTech, Ltd.
http://www.ipi-gt.com
Nunquam Facilis Est

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70273t=70261
RE: PIX Firewall 6.2.2 Inside network can not reac [7:69779]
Charles/Mark,

No infinite wisdom I'm afraid - just my £0.2.

Is it because the statements below effectively do nothing, due to the fact that statement 2 undoes what statement one has just done? [Or have I missed the point.]

1) alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255
2) alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255

I would have thought that you would only need statement one - why do you need to reverse what you did in statement one for the hosts on the inside net?

regards
Richard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69990t=69779
RE: PIX Firewall 6.2.2 Inside network can not reach [7:69779]
Richard-

As I had said in my last post, in analyzing his syntax, it appears he's trying to do Destination NAT and DNS Doctoring at the same time, for which it obviously doesn't work. I couldn't tell you if line 2 is auto-reversing what line 1 does by the PIX's operating code, but you are correct that only one line is needed. From what I gathered of the documentation, he also needed to do a second Alias statement against the DMZ interface, or he needed to do a Static statement utilizing the DNS keyword; example:

static (dmz,outside) pub.lic.ip.addr dmz.host.ip.addr dns netmask 255.255.255.255 0 0

I don't have a 3-interface PIX to test these possible solutions on, so I can't say for certain that I'm correct. :(

-Mark

-Original Message-
From: Richard Botham [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 7:12 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX Firewall 6.2.2 Inside network can not reac [7:69779]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70004t=69779
PIX Firewall --- DMZ to Inside Access [7:69877]
Fellows -

I have a scenario here. I have a PIX firewall with 3 interfaces: Inside, Outside and DMZ. Machines on the Inside interface can access servers in the DMZ zone, no problem. I have to facilitate limited access from DMZ zone servers to a host on the Inside interface.

Let's take an example: I have a server in the DMZ zone, 10.1.1.1, and I need to allow TCP port 7000 from this server to a host in the Inside zone whose IP address is 192.168.20.10.

I have a raw configuration in my mind; since I don't have a PIX with 3 interfaces in my lab I can not test it. I know I have to put in an access list / NAT to do this. Any config welcome.

thanks
--
Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69877t=69877
RE: PIX Firewall --- DMZ to Inside Access [7:69877]
Define static(s) to translate inside host address(es) to DMZ address(es) like so:

static (inside,DMZ) 192.168.10.222 10.2.5.222 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.10.230 10.2.5.230 netmask 255.255.255.255 0 0

Configure an access list to permit traffic to the translated inside address(es) like so:

access-list acl_dmz permit tcp host 192.168.10.15 host 192.168.10.230 eq 143
access-list acl_dmz permit tcp host 192.168.10.15 host 192.168.10.230 eq pop3

Apply your access-list:

access-group acl_dmz in interface DMZ

Vijay Ramcharan

-Original Message-
From: Curious [mailto:[EMAIL PROTECTED]
Sent: Friday, May 30, 2003 11:26 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall --- DMZ to Inside Access [7:69877]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69885t=69877
RE: PIX Firewall --- DMZ to Inside Access [7:69877]
Try this:

pix(config)# access-list <name> permit tcp host 10.1.1.X host 192.168.20.10 eq 7000
pix(config)# access-group <name> in interface <dmz_if>

where you fill in the correct value for X in the source IP address that's needing to access the inside, <name> is whatever you want to name your access list and <dmz_if> is the name you gave the DMZ interface in the nameif command.

Note: Currently all traffic from the DMZ to the outside is allowed. The moment you apply that access list to the DMZ interface, all outbound traffic (traffic INTO the DMZ interface and headed to parts anywhere to the outside) will now be blocked. There is an implied deny any any at the end of the access list. You will have to then open up ports to the outside that boxes in your DMZ will need to use. If the same box needs WWW access to the outside world you will need a statement like this:

pix(config)# access-list <name> permit tcp host 10.1.1.X any eq 80

The any is the destination IP address. If it only goes to a specific WWW site you can add host A.B.C.D instead of any. With the statement as written above you've allowed the pix to access any web server anywhere, assuming it's running on port 80. The same can be done with FTP, SMTP, DNS (except it would be permit udp instead of permit tcp) or any other traffic originating from the DMZ. Any traffic already allowed via access lists from the outside to the DMZ will not be affected, only traffic originating in the DMZ.

The official line from Cisco is that it's not a good idea to mix static/conduits and access-list/access-groups on the same box. If you're allowing traffic from the outside into your DMZ via static/conduit pairs you may have intermittent troubles using both. I've not experienced it personally. I just know what I've read in all of Cisco's docs about it. You may need to consider switching to access-list/access-group instead of conduits. The static statements should remain the same.

If you were going from the inside to the DMZ you would need a static statement defining the inside network to the DMZ, but I don't believe you do from a less secure interface to a more secure interface. The two statements above should be all you need to put in your config.

Hope this helps (and it wasn't 10,000 times more info than you wanted).

Mark Smith

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, May 30, 2003 10:26 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall --- DMZ to Inside Access [7:69877]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69892t=69877
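Mark's "implied deny any any" point is the one that bites when a DMZ box has been relying on the default pass-through to the outside. The following Python model (added here; it is neither the thread's configuration nor Cisco's code) parses PIX-style access-list lines, evaluates flows first-match with the implicit deny at the end, and compares the one-line list from the thread against a version that also permits the DMZ host's outbound web and DNS. The DMZ host 10.1.1.5, the inside host 192.168.20.10 and the outside destinations 198.51.100.80 and 192.0.2.53 are constructed values; as Vijay described, the inside destination is written as the address the DMZ side sees through the static. The port-name table covers only the names used here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# PIX accepts service names in place of numbers; only the ones used here are listed.
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "smtp": 25, "pop3": 110,
              "domain": 53, "imap4": 143}


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "ip", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port


def _take_addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(lines):
    """Turn 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines into Ace objects, in order."""
    aces = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        action, proto = tok[2], tok[3]
        src, i = _take_addr(tok, 4)
        dst, i = _take_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport):
    """First matching entry wins; a list that matches nothing denies (the implicit deny any any)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if s in ace.src and d in ace.dst and (ace.dport is None or ace.dport == dport):
            return ace.action
    return "deny"


# The thread's one-line list, then the same list with the outbound holes Mark says
# become necessary once an access-group is applied to the DMZ interface.
DMZ_ACL = [
    "access-list acl_dmz permit tcp host 10.1.1.5 host 192.168.20.10 eq 7000",
]
DMZ_ACL_FIXED = DMZ_ACL + [
    "access-list acl_dmz permit tcp host 10.1.1.5 any eq www",
    "access-list acl_dmz permit udp host 10.1.1.5 host 192.0.2.53 eq domain",
]


def dmz_decisions(acl_lines):
    """Decision for a few constructed DMZ-originated flows under the given list."""
    aces = parse_acl(acl_lines)
    flows = {
        "to-inside-7000": ("tcp", "10.1.1.5", "192.168.20.10", 7000),
        "to-web": ("tcp", "10.1.1.5", "198.51.100.80", 80),
        "to-dns": ("udp", "10.1.1.5", "192.0.2.53", 53),
        "other-host-to-inside": ("tcp", "10.1.1.6", "192.168.20.10", 7000),
    }
    return {name: evaluate(aces, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for label, acl in (("one-line list", DMZ_ACL), ("with outbound permits", DMZ_ACL_FIXED)):
        print(label, dmz_decisions(acl))
```

Run as-is, the one-line list permits only the 7000 flow and denies the host's own web and DNS, exactly the surprise Mark warns about; the second list restores those without widening the DMZ-to-inside hole.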
PIX Firewall 6.2.2 Inside network can not reach DMZ hosts [7:69756]
Hi, all,

I have a problem that is making me scream and shout, gonna knock myself out. It has to do with my PIX firewall configuration. The long and short of my problem is that the inside network can only reach inside hosts and outside networks: it can not reach any host on the DMZ, despite the fact that there are numerous statics and aliases configured to permit it to do so.

I have a 515 6.2 with the following networks configured:

Inside 10.1.1.0/24
Outside 10.2.2.0/24
DMZ 10.3.3.0/24

First, we have names for ServerA located on the DMZ network:

name 10.3.3.1 SERVERA_DMZ
name 10.2.2.1 SERVERA_OUTSIDE

ServerA actually is addressed with 10.3.3.1 because it is on the DMZ; the 10.2.2.1 is its outside address (as well as being its registered DNS name). If an inside networker DNS queries for SERVERA, the following commands are supposed to swap the outside address for the DMZ address. In other words, intercept the DNS reply and change it so that the inside network will then establish a session to 10.3.3.1 (DMZ address), not to 10.2.2.1 (outside NAT'ed address):

alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255
alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255

Initial DNS tests show that this is not happening: the inside network DNS queries are getting outside addresses.

Compounding the problem is the translation process itself. The below states that when inside networks go to the DMZ network, PAT their address to 10.3.3.9, excepting those sessions listed in ACL 100 (which upon checking do not affect the translation in this particular case):

nat (inside) 0 access-list 100
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (DMZ) 1 10.3.3.9 netmask 255.255.255.0

So, in a happy world, the inside network should DNS query for SERVERA, the PIX should intercept replies and change to a DMZ address (alias), and NAT should then translate as appropriate. In the words of Larry King, it ain't happening, gang...and I don't know why.

I beseech, oh, Group of Infinite Wisdom, for your assistance.

As a closer, my problems started when I upgraded to 6.3.1...what a mistake. I have since downgraded it back to 6.2, and have checked and rechecked the config...there are no commands missing.

TIA,
Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69756t=69756
RE: PIX Firewall 6.2.2 Inside network can not reach DMZ hosts [7:69779]
Charles-

I could be wrong, but my interpretation of the docs covering the alias command says that you can't have your cake and eat it too. :) What I mean is, I don't believe you can DNS-Doctor and Destination-NAT at the same time. Like I said, I could be wrong.

From what I understand, you need to do your translation with a static command:

Static (inside,dmz) 10.3.3.1 10.1.1.x netmask 255.255.255.255 0 0

..and then set up your DNS-Doctor alias:

Alias (inside) 10.1.1.x 10.3.3.1 255.255.255.255

Note: Verify that the DNS server resolves your host/domain name to the global IP address of the web server by issuing an nslookup command. The result of the nslookup on the client PC should be the internal IP address of the server (10.1.1.x), because the DNS reply gets doctored as it passes through the PIX. Also note that, for DNS fixup to work properly, proxy-arp has to be disabled. If you are using the alias command for DNS fixup, disable proxy-arp with the following command after the alias command has been executed:

sysopt noproxyarp internal_interface

If you are also trying to maintain DNS integrity from the outside point of view, I believe the 'DNS' keyword is all that is needed in the following command (to allow the outside world to also reach the DMZ host):

Static (dmz,outside) 10.3.3.1 10.2.2.1 dns netmask 255.255.255.255

Or, taking the concepts from the Alias docs, you could do this:

Alias (outside) 10.2.2.1 10.3.3.1 255.255.255.255

...but I think this might be the older way of doing it.

Don't forget your ACLs so that DNS and whatever other services need to be accessed on the DMZ host (one ACL for the Inside, one for the Outside).

HTH's
-Mark

-Original Message-
From: Charles Riley [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2003 7:22 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall 6.2.2 Inside network can not reach DMZ hosts [7:69756]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69779t=69779
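Both Mark's replies and Richard's question turn on what "DNS doctoring" actually does to a reply: the firewall rewrites the A record inside a DNS response as it passes toward the inside, so inside clients connect to the DMZ address instead of the outside one. As an added example of that mechanism (my code; not the thread's configuration and not Cisco's implementation of alias or static with the dns keyword), the Python below builds a minimal DNS response for a constructed name, parses the answer section including the usual name-compression pointer, and rewrites A records through a mapping table while leaving everything else in the packet untouched. The name servera.example.com is constructed; the addresses 10.2.2.1 and 10.3.3.1 are Charles' outside and DMZ addresses for ServerA.

```python
import struct
from ipaddress import IPv4Address


def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_reply(name, address, txid=0x1234, ttl=300):
    """Constructed sample: a standard response with one A record whose owner
    name is a compression pointer (0xC00C) back to the question at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA, 1 Q, 1 answer
    question = _encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(address).packed
    return header + question + answer


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name; return the offset after it."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _answer_records(buf):
    """Yield (rdata_offset, rtype, rdlen) for every record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4      # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        yield off, rtype, rdlen
        off += rdlen


def answer_addresses(buf):
    """The A-record addresses carried in the answer section, in order."""
    return [str(IPv4Address(buf[o:o + 4])) for o, t, l in _answer_records(buf) if t == 1 and l == 4]


def doctor_reply(buf, mapping):
    """Rewrite A-record RDATA per mapping {seen_ip: replacement_ip}; nothing else changes."""
    out = bytearray(buf)
    for off, rtype, rdlen in _answer_records(buf):
        if rtype == 1 and rdlen == 4:
            seen = str(IPv4Address(bytes(buf[off:off + 4])))
            if seen in mapping:
                out[off:off + 4] = IPv4Address(mapping[seen]).packed
    return bytes(out)


if __name__ == "__main__":
    reply = build_a_reply("servera.example.com", "10.2.2.1")      # what the outside DNS returns
    print("as received:", answer_addresses(reply))
    print("as delivered inside:", answer_addresses(doctor_reply(reply, {"10.2.2.1": "10.3.3.1"})))
```

Because only the four RDATA bytes change, the packet length and UDP framing are unchanged, which is what lets a firewall do this in-line. In this model, applying the two reversed mappings from Charles' config one after the other hands back the original reply, which is the cancellation Richard suspected; whether the PIX actually chains two alias commands that way is not settled in the thread.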
Voice chat behind PIX firewall, How to?? [7:69656]
Hi all,

I protected my system by using a PIX 515 and all my systems and network are behind that PIX. I am trying to configure my PIX to allow voice chat, to allow my internal users to talk with external people using the MSN and Yahoo messenger voice chat service... Actually I failed to get it up. Can any one provide me help to get it working?

Thanx in advance
Regards,,
Magdy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69656t=69656
Re: VLAN as Firewall zones [7:65938]
While I agree that by compromising the switch the intruder can bypass the firewall, I don't feel that it is of significant concern to warrant the purchase of an additional switch to separate the two. The big drive here is that you must secure your switch at L2, and if you do so, I feel that it is perfectly adequate.

In the last Cisco Packet magazine there was an article addressing exactly this issue, and it listed some of the common exploits and how to circumvent them. Obvious ones are: by default all ports are left on auto (with regard to trunks), so a user could jack in, request to form a trunk port and then capture all the VLAN etc. details, and in effect be able to VLAN hop. Enabling port security and restricting the number of ACLs seen on one port is another way to do it. Look at using 802.11x for MAC based port authentication, especially on server VLANs! You can even go as far as private VLANs and ACLs to stipulate which ports and MACs are allowed to speak to each other .. very useful when using your switch for a simple connection point (e.g. /30 between firewall and router or something).

Go and check out the article and make your own mind up:
http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac222/about_cisco_packet_feature09186a0080142deb.html

Andrew Dorsett wrote:
> On Fri, 21 Mar 2003, Paulo Roque wrote:
> > I usually separate firewall zones with different physical LANs in different switches. What do you think of separating firewall zones with VLANs in the same switch/chassis?
> Generally a very bad idea! I fully agree with physical separation. Because if it's based on VLANs then they only have to compromise the switch to compromise the entire network. Also because there are new layer 2 techniques that can allow a packet to hop across VLANs. These are the only things that worry me about the FW module for the 6500 chassis. It's based on VLANs. So if I can hop VLANs somewhere then I can bypass the firewall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66064t=65938
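The L2 hardening the post calls for (stop edge ports from negotiating trunks, turn on port security) is easy to check mechanically across a fleet of switches. As an added example (my code, not from the Packet article or from Cisco), the Python below walks an IOS-style running-config, picks out the physical ports, and reports ports still at the trunk-negotiating default, ports that have not had switchport nonegotiate applied, and access ports without port-security. The sample config is constructed; the three checks are my selection and cover only part of what the post lists (the MAC-based port authentication and private VLANs it mentions are not checked). The interface sub-commands used are standard IOS switchport commands.

```python
def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from an IOS-style running-config.
    Sub-commands are the indented lines under each 'interface ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:                      # '!' separators or any other top-level command end the block
            current = None
    return blocks


PHYSICAL = ("FastEthernet", "GigabitEthernet", "Ethernet")


def audit_l2(config):
    """Return {port: [findings]} for in-use physical ports that miss one of the checks."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if not name.startswith(PHYSICAL) or "shutdown" in cmds:
            continue
        issues = []
        modes = [c for c in cmds if c.startswith("switchport mode ")]
        mode = modes[-1].split()[2] if modes else "dynamic"   # no explicit mode: negotiating default
        if mode == "dynamic":
            issues.append("trunk negotiation left at default; set switchport mode access (or trunk)")
        if "switchport nonegotiate" not in cmds:
            issues.append("DTP frames still sent; add switchport nonegotiate")
        if mode == "access" and not any(c.startswith("switchport port-security") for c in cmds):
            issues.append("no port-security; limit the MAC addresses allowed on this port")
        if issues:
            findings[name] = issues
    return findings


# Constructed sample: one hardened user port, one left at factory defaults, a trunk
# uplink without nonegotiate, a shut-down port and an SVI (the last two are skipped).
SAMPLE_CONFIG = """\
hostname core-sw1
!
interface FastEthernet0/1
 description user port, hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
!
interface FastEthernet0/2
 description user port, factory default
 switchport access vlan 10
!
interface GigabitEthernet0/1
 description uplink to firewall
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
"""

if __name__ == "__main__":
    for port, issues in audit_l2(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{port}: {issue}")
```

Treating "no switchport mode line" as a finding is deliberate: it is the state the post describes as the default, and it is the one an auditor cannot see by grepping for a bad command, because the problem is the absence of a good one.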
VLAN as Firewall zones [7:65938]
Hi.

I usually separate firewall zones with different physical LANs in different switches. What do you think of separating firewall zones with VLANs in the same switch/chassis?

Paulo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65938t=65938
Re: VLAN as Firewall zones [7:65938]
On Fri, 21 Mar 2003, Paulo Roque wrote:
> I usually separate firewall zones with different physical LANs in different switches. What do you think of separating firewall zones with VLANs in the same switch/chassis?

Generally a very bad idea! I fully agree with physical separation. Because if it's based on VLANs then they only have to compromise the switch to compromise the entire network. Also because there are new layer 2 techniques that can allow a packet to hop across VLANs. These are the only things that worry me about the FW module for the 6500 chassis. It's based on VLANs. So if I can hop VLANs somewhere then I can bypass the firewall.

Andrew
---
http://www.andrewsworld.net/
ICQ: 2895251
Cisco Certified Network Associate
Learn from the mistakes of others. You won't live long enough to make all of them yourself.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65944t=65938
Re: VLAN as Firewall zones [7:65938]
We deploy 2620/2621 in our microwave network with Catalyst 1912/1924 to 'fan out' via VLANs, but we just use the aux port on the 26xx to reverse telnet to the 19xx, rather than assigning an IP address to the switch. I have seen several situations where ARP requests leak across VLANs on 29xx/35xx series equipment; I never really had the chance to observe enough on the other platforms (4xxx/5xxx/6xxx) to know if they're involved - the 19xx seem to be very stable and I've never detected anything like leaking information on them. The big benefit for us, besides cheaper port density, is that we 'twin' each port - an on-site tech wanting to work on the thing plugged in to port 1 on the Cat 1924 knows he can just hook his laptop to port 11 and he is on the same segment.

Andrew Dorsett wrote:
> On Fri, 21 Mar 2003, Paulo Roque wrote:
> > I usually separate firewall zones with different physical LANs in different switches. What do you think of separating firewall zones with VLANs in the same switch/chassis?
> Generally a very bad idea! I fully agree with physical separation. Because if it's based on VLANs then they only have to compromise the switch to compromise the entire network. Also because there are new layer 2 techniques that can allow a packet to hop across VLANs. These are the only things that worry me about the FW module for the 6500 chassis. It's based on VLANs. So if I can hop VLANs somewhere then I can bypass the firewall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65952t=65938
Re: Open http: traffic on firewall... [7:65755]
OK...I got to the point of issuing this command (ip route 2.2.2.2 255.255.255.255 ethernet 0) at the configure prompt and got:

Internet(config)#ip route 216.224.32.195 255.255.255.240 ethernet 0
% Incomplete command.

Any recommendations???

Thanks
Ken

Robert Edmonds wrote in message news:[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65840t=65755
RE: Open http: traffic on firewall... [7:65755]
Without seeing your router it may be that the ethernet port is e0/0 perchance. It may even be a FastEthernet port. Check the physical make-up of the router.

Cheers,
Steve Wilson

-Original Message-
From: SMAN
To: [EMAIL PROTECTED]
Sent: 20/03/2003 15:33
Subject: Re: Open http: traffic on firewall... [7:65755]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65880t=65755
Open http: traffic on firewall... [7:65755]
I have a Cisco 2611 router/firewall that I need to open up for http: traffic. I need to configure NAT to point to the static IP on the web server. How do I do this? What are the specifics?

Thanks
Ken

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65755t=65755
Re: Open http: traffic on firewall... [7:65755]
First, you need to define your inside and outside interfaces for NAT. Usually, the interface where your web server is connected will be defined as inside and all others are outside. This would look something like this, assuming your web server is on interface ethernet 0:

  interface ethernet 0
   ip address 2.2.2.1 255.255.255.240
   ip nat inside
  interface serial 0
   ip nat outside

(or interface serial 0.1 for a frame relay subinterface, depending on your setup)

Next, you'll need to define a static translation between your web server and your outside IP addresses assigned by your ISP. I will use 10.0.0.1 to represent your web server address and 2.2.2.2 for your ISP-assigned address.

  ip nat inside source static 10.0.0.1 2.2.2.2

Or, if you want to get fancy and do PAT:

  ip nat inside source static tcp 10.0.0.1 80 2.2.2.2 80 extendable

Next, tell your router to send all traffic destined for 2.2.2.2 (the outside address of your web server) to the proper interface.

  ip route 2.2.2.2 255.255.255.255 ethernet 0

Your setup may demand something a little different, but in general I think this should get you started.

Robert

SMAN wrote in message news:[EMAIL PROTECTED]
> I have a Cisco 2611 router/firewall that I need to open up for http: traffic. I need to configure NAT to point to the static IP on the web server. How do I do this? What are the specifics?
>
> Thanks
> Ken

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65763t=65755
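A complete worked configuration for the question above, added here as an example; it is not Robert's config and not from the thread. It assumes a 2611 with Ethernet0/0 inside and Serial0/0 to the ISP (the 2611's interfaces carry slot/port numbers, which is why a bare "ethernet 0" is rejected as incomplete), the RFC 5737 documentation addresses 192.168.1.0/24 for the LAN, 203.0.113.2/30 for the WAN link and 203.0.113.10 as the ISP-assigned public address for the server. The translation is restricted to TCP/80 and an inbound access list on the outside interface closes everything else, which is the part a "router/firewall" needs and that a NAT-only answer leaves out. Because the ISP routes the public address to the serial link and the router translates the destination before routing, no host route for 203.0.113.10 is needed in this layout.

```cisco
! Added example, not from the thread. Cisco IOS 12.x on a 2611: expose one
! inside web server on TCP/80 only, filter everything else inbound.
! All interface names and addresses below are assumed for illustration:
!   Ethernet0/0   inside LAN 192.168.1.0/24, router 192.168.1.1
!   Serial0/0     WAN link 203.0.113.2/30, ISP next hop 203.0.113.1
!   192.168.1.10  the web server; 203.0.113.10 its ISP-assigned public address
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! Port-level static translation: only 203.0.113.10:80 reaches the server.
! A plain "ip nat inside source static 192.168.1.10 203.0.113.10" would map
! every port, leaving the ACL as the only thing keeping them closed.
ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80 extendable
!
! Outbound PAT for the rest of the LAN behind the serial interface address.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface Serial0/0 overload
!
! Inbound filter on the outside interface. Inbound packets are checked
! against the ACL before NAT, so rules name the public address, not
! 192.168.1.10.
ip access-list extended OUTSIDE-IN
 remark anti-spoofing: nothing arriving from the Internet may claim a LAN source
 deny   ip 192.168.1.0 0.0.0.255 any log
 remark the one published service
 permit tcp any host 203.0.113.10 eq www
 remark return traffic for the PAT'd LAN (stateless; see the note below)
 permit tcp any any established
 permit udp any eq domain host 203.0.113.2
 deny   ip any any log
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

The two "return traffic" lines are the weak spot of a plain ACL: "established" only checks the ACK/RST bits and the DNS line trusts any source port 53. On an image with the IOS Firewall feature set, replace them with "ip inspect" (CBAC) so that only replies to sessions the router saw leaving are admitted.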
FW: Ref:CISCO 1721 ROUTER WITH FIREWALL SOFTWARE [7:65535]
Dear All,

Can anybody help regarding how to configure a 1721 Cisco router (Internet router) as a firewall, if that router contains just an Ethernet port and one BRI ISDN WAN (BRI0) connection to the Internet? Do we need NAT to be set up on both interfaces, Ethernet and BRI? A sample is preferred, to show us what the minimum access-list should be on that router to get the inside network protected.

Regards

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65535t=65535
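The sample asked for above, added here as an example; it is not from the thread and has not been posted by the original poster. NAT is configured once, not per interface: the LAN port is marked "inside", BRI0 "outside", and one overload rule hides the LAN behind whatever address the ISP hands the BRI. The minimum protective access list then permits nothing inbound at all and relies on IOS Firewall inspection (CBAC) to admit only the replies to sessions that left through BRI0. Everything below is assumed for illustration: the interface names (FastEthernet0, BRI0), the LAN 192.168.10.0/24, the ISDN switch type, dial string and CHAP credentials, which will all differ per ISP, and a firewall-feature-set IOS image.

```cisco
! Added example, not from the thread. Cisco IOS Firewall (CBAC) on a 1721
! with one Ethernet port and one ISDN BRI to the ISP. Interface names,
! ISDN details and all addresses are assumed for illustration.
!
! Basic hardening of the router itself
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip finger
no ip http server
no cdp run
service timestamps log datetime msec
!
interface FastEthernet0
 description inside LAN 192.168.10.0/24
 ip address 192.168.10.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface BRI0
 description dial-up to ISP (address assigned by the ISP)
 ip address negotiated
 encapsulation ppp
 isdn switch-type basic-net3
 dialer string 5551234
 dialer idle-timeout 300
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname ISPUSER
 ppp chap password 0 ISPPASS
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 BRI0
!
! One NAT rule: LAN sources go out translated to the BRI0 address.
access-list 10 permit 192.168.10.0 0.0.0.255
ip nat inside source list 10 interface BRI0 overload
!
! Stateful inspection of sessions leaving via BRI0. CBAC inserts temporary
! entries at the top of OUTSIDE-IN for their return packets and removes
! them when the session ends or idles out.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
!
! Minimum inbound policy on the Internet interface: no static holes.
ip access-list extended OUTSIDE-IN
 remark private source addresses (ours included) never arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark only the ICMP that path MTU discovery and traceroute need
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip any any log
!
! Management only from the LAN
access-list 20 permit 192.168.10.0 0.0.0.255
line vty 0 4
 access-class 20 in
 login
```

"show ip inspect sessions" lists the tracked sessions and "show access-list OUTSIDE-IN" shows the dynamic entries CBAC has added above the static ones; the "log" keywords make every dropped inbound packet appear in the syslog, which is where the answer to "is anyone knocking?" lives.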
VPN between PIX and Symantec Firewall [7:65369]
I am trying to set up a site-to-site VPN between a PIX running 6.2.1 and Symantec Firewall 7.0. It is not making it past IKE and just keeps looping the IKE phase. It matches a policy and then loops over again. In the show crypto isakmp sa output, I get hundreds of QM_IDLE and every few seconds a MM_KEY_EXCH or other similar output. Everything matches on each end, and I even intentionally made the preshared key wrong on my end; then it stops looping the policy matching but of course never makes it past IKE. For show crypto isakmp sa, the QM_IDLE stops and I get one or two MM_KEY_EXCH.

Has anyone successfully made this connection, and is there anything to be on the lookout for? I've been working with Cisco but they don't see anything wrong. They thought, since in the show crypto isakmp sa output there was a MM_KEY_EXCH, the keys were wrong, but after re-entering the key on both ends it still doesn't work. As mentioned before, if I do make them different, all the QM_IDLE stops.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65369t=65369
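A way to separate the two IKE phases in the situation described above, added here as an example and not part of the thread or of a reply to it. In the state names the PIX prints, MM_KEY_EXCH is a main-mode (phase 1) exchange in progress, while QM_IDLE means phase 1 has completed and the ISAKMP SA is waiting to run quick mode. Hundreds of QM_IDLE entries therefore usually indicate that phase 1 keeps succeeding and the failure is in phase 2, where the usual mismatches are the crypto ACL (proxy identities), the transform set, PFS on one side only, or the local traffic being NATted before it reaches the tunnel. The peer address, names and subnets below are assumed for illustration.

```cisco
: Added example, not from the thread. PIX 6.2 checks for a site-to-site
: tunnel that repeatedly completes phase 1 but never establishes phase 2.
: Assumed for illustration: peer 198.51.100.1, local 10.10.0.0/16,
: remote 10.20.0.0/16, crypto map OUTSIDE_MAP, ACL VPN_TO_PEER.
:
: 1. Phase 1 proposal. With pre-shared keys the lifetime is negotiated
:    down; encryption, hash and DH group must match the peer exactly.
isakmp enable outside
isakmp key ******** address 198.51.100.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
:
: 2. Phase 2 proposal. The crypto ACL must be the exact mirror of what the
:    peer proposes (one subnet pair per line, same masks), the transform
:    set must match, and PFS must be set on both ends or on neither.
access-list VPN_TO_PEER permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN_TO_PEER
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set STRONG
crypto map OUTSIDE_MAP interface outside
sysopt connection permit-ipsec
:
: Exempt tunnel traffic from NAT. Otherwise quick mode is attempted with
: the translated address as the local identity and the peer rejects it.
nat (inside) 0 access-list VPN_TO_PEER
:
: 3. Watch the negotiation itself rather than the SA table. Clear stale
:    SAs first so the next attempt starts from main mode.
clear crypto isakmp sa
clear crypto ipsec sa
debug crypto isakmp
debug crypto ipsec
show crypto isakmp sa
show crypto ipsec sa
```

In "debug crypto isakmp" output, a phase 2 mismatch shows up after the peer's quick-mode proposal is received, as a rejected proposal or an identity the PIX cannot match to a crypto map entry, which is the line to compare against the Symantec side's own log.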
RE: PIX firewall port redirection [7:64533]
Hi Robert,

Your first static line won't work. If you think about it, you will be trying to pass an IP address (which the PIX thinks is on the inside interface) in from the outside interface. The PIX will see this as spoofing and drop the packet.

What are you trying to achieve?

Robert Perez wrote:
> Can the following be done??
>
>   Inside int:  10.1.1.0
>   Outside int: 172.16.1.0
>
>   static (inside, outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.155
>   static (inside, outside) tcp 10.1.1.1 telnet 207.208.203.21 telnet netmask 255.255.255.255
>
> Since these are overlapping, will it work?
>
> Thx
> Bob Perez, Intercept Payment Solutions

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64591t=64533
PIX firewall port redirection [7:64533]
Can the following be done??

  Inside int:  10.1.1.0
  Outside int: 172.16.1.0

  static (inside, outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.155
  static (inside, outside) tcp 10.1.1.1 telnet 207.208.203.21 telnet netmask 255.255.255.255

Since these are overlapping, will it work?

Thx

| Bob Perez | Intercept Payment Solutions | [EMAIL PROTECTED] | 100 West Commons BLVD | New Castle, DE 19720 |

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64533t=64533
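Port redirection written the way the PIX 6.x "static" command expects, added here as an example; it is not from either post in the thread. The argument order is static (real_if,mapped_if) tcp mapped_ip mapped_port real_ip real_port, so the address seen on the outside comes first and the inside server second, the reverse of the second line in the question. The mapped address must be one the outside network routes to the PIX (the PIX proxy-ARPs for it when it is on the outside subnet); it can never be an inside address, which is exactly the packet the reply above describes being dropped as spoofed. Addresses, interface names and the management host below are assumed for illustration.

```cisco
: Added example, not from the thread. PIX 6.x single-port redirection.
: Assumed for illustration: inside 10.1.1.0/24 with server 10.1.1.1,
: outside 172.16.1.0/24 with the PIX at 172.16.1.2 and 172.16.1.21 as
: the mapped address, 203.0.113.50 the only host allowed to telnet in.
:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.16.1.2 255.255.255.0
ip address inside 10.1.1.254 255.255.255.0
:
: Outbound: inside hosts hide behind the outside interface address.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 interface
:
: Inbound redirection of one port: mapped (outside) address and port
: first, then the real (inside) address and port.
static (inside,outside) tcp 172.16.1.21 telnet 10.1.1.1 telnet netmask 255.255.255.255 0 0
:
: The static only creates the translation; the access list decides who
: may use it. Telnet is cleartext, so limit the source to a known host
: rather than "any", and prefer SSH on the server if it is an option.
access-list OUTSIDE_IN permit tcp host 203.0.113.50 host 172.16.1.21 eq telnet
access-list OUTSIDE_IN deny ip any any
access-group OUTSIDE_IN in interface outside
:
: Verify the translation and the policy
show static
show xlate
show access-list OUTSIDE_IN
```

If the inside network really must be visible on the outside with its own addresses (no translation), that is an identity static with the same address on both sides, and it only works when the outside network routes that prefix to the PIX; it does not combine with a port static on the same inside host.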
RE: Firewall blocked 224.0.0.2 [7:64236]
Ask wrote:
> Dear all,
> Inbound ICMP packets are sent to my Windows 2000 Professional PC from the router. From the logfile, the local address is 224.0.0.2 and the remote address is the router. Why does the PC get the packet?

It's a multicast. All devices in the broadcast (multicast) domain will see these packets, unless you do some filtering or have a smart NIC that knows better than to pass a packet for which it has not registered up to the operating system. Many PC NICs aren't that smart.

I doubt it's ICMP. 224.0.0.2 is used by routing protocols.

Priscilla

> Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64277t=64236
RE: Firewall blocked 224.0.0.2 [7:64236]
It's multicast for all routers. See http://www.iana.org/assignments/multicast-addresses

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 03, 2003 11:24 AM
To: [EMAIL PROTECTED]
Subject: RE: Firewall blocked 224.0.0.2 [7:64236]

> It's a multicast. [...] I doubt it's ICMP. 224.0.0.2 is used by routing protocols.
>
> Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64306t=64236
Firewall blocked 224.0.0.2 [7:64236]
Dear all,

Inbound ICMP packets are sent to my Windows 2000 Professional PC from the router. From the logfile, the local address is 224.0.0.2 and the remote address is the router. Why does the PC get the packet?

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64236t=64236
CPU and memory usage on Pix firewall VPN setup with PFS [7:64169]
Hi,

I have 10 different VPN tunnels from my Pix520 firewall (500MHz PIII and 256MB of RAM) to other firewalls (PIX and Checkpoint) and Cisco VPN Concentrators. At the moment, all of the tunnels are using 3DES, SHA and DH group 2 in phase 1. In phase 2, I use 3DES and SHA1. For security purposes, I would like to add Perfect Forward Secrecy (PFS) to all tunnels. However, I am concerned with the CPU load and memory resources on the Pix520.

This Pix520 firewall will also be used to protect our company web and mail servers (DMZ1). The Oracle database servers are located on another DMZ segment (DMZ2). Furthermore, it will also be used to protect our internal network as well as for accessing the Internet. We don't have the budget to purchase any equipment, not even the VPN Acceleration Card (VAC). The PIX is connected to an SDSL router (1.5Mbps up/down).

During normal business hours, I notice that the CPU usage is about 40% and memory usage is about 80MB. In the evening there is a lot of backing up going on (the backup server is located on the internal network and it backs up all the web, mail and database servers). While the servers are being backed up, some database replication also takes place between the VPNs. I took a sample of that, and the traffic on the outside interface maxes out at 1.5Mbps while the traffic between the inside and DMZ is running at about 60Mbps. The CPU usage is about 55% and the memory usage is about 85MB.

My question is: should I enable PFS on all the tunnels without bringing down the Pix520 firewall? Since the PIX firewall is running on an Intel CPU, I can always replace the current PIII 500 with another PIII 850, but I don't think Cisco would like that. By the way, I am running PIX OS version 6.3(0) build 144. Even when I was running version 6.2(2), the performance was about the same. Anyone who has the PIX VPN set up with PFS without bringing down the PIX, please advise.

On another, unrelated question: has anyone ever seen the PIX firewall using more than 160MB of RAM? My PIX firewall has 256MB of RAM but I have never seen it use more than 160MB. Even in a lab environment where I hit the firewall with a lot of connections, about 1 million simultaneous connections of http, https, ftp, telnet, etc., the PIX never uses more than 160MB of RAM. So does it mean that on a firewall such as the Pix535, which can have up to 1GB of RAM, it actually never uses more than 256MB of RAM?

Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64169t=64169
Urgent Help !! How to check who's always attack my firewall [7:64064]
Dear All,

I believe someone is always trying to hack my private network. I got the IP address; how can I check who they are? Please help...!!

Thanks
Rgds,
Steiven

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64064t=64064
Re: Urgent Help !! How to check who's always attack my firewall [7:64068]
Try NSLOOKUP and a WHOIS query. It will tell you either the customer info or a service provider block. If it tells you about a service provider, then you should contact this provider and send them a log; let them know that one of their customers is trying to hack into your network. They will definitely take action. Use this link: http://www.all-nettools.com/tools1.htm

Steiven Poh-(Jaring MailBox) wrote in message news:[EMAIL PROTECTED]
> I believe someone is always trying to hack my private network. I got the IP address; how can I check who they are?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64068t=64068
RE: Urgent Help !! How to check who's always attack my firewall [7:64073]
Go to ARIN.net. If it's outside North America, it will refer you. Remember that the IP address can be SPOOFED.

HTH,
Elmer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steiven Poh-(Jaring MailBox)
Sent: Friday, February 28, 2003 6:36 AM
To: [EMAIL PROTECTED]
Subject: Urgent Help !! How to check who's always attack my firewall [7:64064]

> I believe someone is always trying to hack my private network. I got the IP address; how can I check who they are?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64073t=64073
Re: Urgent Help !! How to check who's always attack my firewall [7:64084]
Finally a question I can help with... go to http://www.uwhois.com

regards,
odus

Original Message Follows
From: Steiven Poh-(Jaring MailBox)
Subject: Urgent Help !! How to check who's always attack my firewall [7:64064]
Date: Fri, 28 Feb 2003 11:35:41 GMT

> I believe someone is always trying to hack my private network. I got the IP address; how can I check who they are?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64084t=64084
Re: Urgent Help !! How to check who's always attack my firewall [7:64085]
> Dear All,
> I believe someone is always trying to hack my private network. I got the IP address; how can I check who they are? Please help...!!
> Steiven

If they're being blocked at your firewall it may be best to just leave them alone. I don't know if it's very helpful to try to track hackers down. Besides, you might not be seeing the true source IP address, but I suppose that depends on the particular attack they were attempting.

If you're curious, you can go to www.arin.net/whois and enter the IP address. That will return information regarding the administrator and 'owner' of that netblock. If you really decide that it's necessary, you could contact the administrator listed on that page, assuming that information is even correct.

I'd suggest that since you're aware of them it's not going to do much good to pursue them. On the other hand, that depends on the nature of their attacks and the nature of the information you're trying to secure.

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64085t=64085
Re: Urgent Help !! How to check who's always attack my firewall [7:64088]
You are looking to do a DNS look-up. Example:

  DNS lookup command issued. Waiting for reply...
  Office host name: w14.www.dcn.yahoo.com
  Internet address: 216.109.125.67
  DNS lookup command completed.

If the DNS look-up does not work, look into finding someone with SolarWinds software (Solarwinds.com).

Hope that this helped.

= = = Original message = = =
> I believe someone is always trying to hack my private network. I got the IP address; how can I check who they are?
> Steiven

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64088t=64088
RE: Firewall/PIX help.... [7:63167]
I think you're better off just setting up something like Snort as an IDS; I know you want it all integrated. The IDS on the PIX, though not totally worthless, I have not found much use for, and with only 59 signatures, well, it is sort of half-baked in my opinion.

-----Original Message-----
From: Thomas Larus [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 9:27 PM
To: [EMAIL PROTECTED]
Subject: Re: Firewall/PIX help [7:63167]

> SonicWall firewalls can do some content filtering and there is an antivirus option you can get. No IDS, though. PIX has a rudimentary IDS, as has been stated. It has 59 signatures or so.
>
> Tom Larus

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63360t=63167
Re: Firewall/PIX help.... [7:63167]
PIX does not have antivirus, IDS, or content filtering built in. I don't think I know of any hardware-based firewalls that do. You may have to look into a software-based solution. Maybe Computer Associates or Symantec make such a suite.

Gunjan Mathur wrote in message news:[EMAIL PROTECTED]
> I'm looking for a firewall solution for my company [...] I also need content filtering, intrusion detection and anti-virus protection on the firewall itself. Are all these things possible on PIX?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63280t=63167
RE: Firewall/PIX help.... [7:63167]
The PIX does have IDS capabilities, but very rudimentary. No anti-virus or content filtering.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63296t=63167
RE: Firewall/PIX help.... [7:63167]
I thought the PIX can do content filtering if hooked up with Websense? Doesn't it use WCCP to do this?

SonicWall says it can do inbuilt anti-virus and content filtering, but it looks like it's a subscription-based service, so it's not really your firewall doing these functions.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 19, 2003 8:42 AM
To: [EMAIL PROTECTED]
Subject: RE: Firewall/PIX help [7:63167]

> The PIX does have IDS capabilities, but very rudimentary. No anti-virus or content filtering.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63306t=63167
Re: Firewall/PIX help.... [7:63167]
SonicWall firewalls can do some content filtering and there is an antivirus option you can get. No IDS, though. PIX has a rudimentary IDS, as has been stated. It has 59 signatures or so.

Tom Larus

Gunjan Mathur wrote in message news:[EMAIL PROTECTED]
> I'm looking for a firewall solution for my company [...] I also need content filtering, intrusion detection and anti-virus protection on the firewall itself. Are all these things possible on PIX?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63308t=63167
Firewall/PIX help.... [7:63167]
Hi,

I'm looking for a firewall solution for my company. We have two WAN connections and currently my users are connected through two proxy machines to the Internet. Which PIX model would serve the needs? I also need content filtering, intrusion detection and anti-virus protection on the firewall itself. Are all these things possible on PIX?

TIA

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63167t=63167
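What the two PIX features discussed in this thread actually look like when configured, added here as an example and not taken from any post. URL filtering on PIX 6.x is done with the "url-server" and "filter url" commands: the PIX sends each outbound HTTP request's URL to a Websense (or N2H2) server for a verdict; it is not WCCP, which is the IOS mechanism for redirecting traffic to a cache. The built-in IDS is the "ip audit" feature, whose "info" and "attack" signature classes can alarm, drop or reset per interface; there is no anti-virus function on the PIX at all. The server addresses, policy names and syslog host below are assumed for illustration.

```cisco
: Added example, not from the thread. PIX 6.x native URL filtering and
: signature-based IDS. Assumed for illustration: Websense server 10.1.1.50
: and syslog host 10.1.1.60, both on the inside interface.
:
: -- URL filtering. The PIX holds each outbound HTTP request until the
:    filter server answers. Without the trailing "allow" keyword on
:    "filter url", web traffic is blocked while the server is unreachable
:    (fail closed); append "allow" only if availability is meant to win
:    over policy.
url-server (inside) vendor websense host 10.1.1.50 timeout 10 protocol TCP
filter url http 0 0 0 0
: Optional: exempt a management subnet from filtering.
filter url except 10.1.1.0 255.255.255.0 0 0
:
: -- Intrusion detection. Two audit policies on the outside interface:
:    informational signatures only alarm, attack signatures also drop
:    the packet and reset the TCP connection.
ip audit name OUTSIDE_INFO info action alarm
ip audit name OUTSIDE_ATTACK attack action alarm drop reset
ip audit interface outside OUTSIDE_INFO
ip audit interface outside OUTSIDE_ATTACK
: Silence one noisy signature instead of a whole class
: (2000 is ICMP echo reply).
ip audit signature 2000 disable
:
: -- Alarms only exist as syslog messages; send them off the box.
logging on
logging timestamp
logging trap warnings
logging host inside 10.1.1.60
:
: Check that requests are being filtered and which signatures fire.
show url-server stats
show ip audit count
```

The signature set is small and static, which is the limitation the thread is pointing at; a Snort sensor on a span port sees the same traffic with a far larger, updatable rule set, and the PIX's "drop reset" actions are best reserved for the few signatures that never produce false positives on your traffic.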
Re: VPN Cisco Secure PIX Firewall [7:63013]
Sure.

Main Cisco PIX IPsec config examples:
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

Simple PIX-to-PIX tunnel:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Best of luck,
-Zeke

Sonic Network Operations, Sonic.net, Inc.
707.522.1000, 707.547.2199 (FAX)
2260 Apollo Way, Santa Rosa, CA 95407

----- Original Message -----
From: Hitesh Pathak R
Sent: Thursday, February 13, 2003 11:21 PM
Subject: VPN Cisco Secure PIX Firewall [7:63013]

> Need some info on establishing site-to-site VPN using Cisco Secure 525 PIX firewall. Can somebody forward some URL or sample config on the same?
>
> Hitesh

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63076t=63013
VPN Cisco Secure PIX Firewall [7:63013]
Dear Group,

Need some info on establishing site-to-site VPN using Cisco Secure 525 PIX firewall. Can somebody forward some URL or sample config on the same?

Many thanks in advance
Hitesh

DISCLAIMER: Information contained and transmitted by this E-MAIL is proprietary to Wipro Limited and is intended for use only by the individual or entity to which it is addressed, and may contain information that is privileged, confidential or exempt from disclosure under applicable law. If this is a forwarded message, the content of this E-MAIL may not have been sent with the authority of the Company. If you are not the intended recipient, an agent of the intended recipient or a person responsible for delivering the information to the named recipient, you are notified that any use, distribution, transmission, printing, copying or dissemination of this information in any way or in any manner is strictly prohibited. If you have received this communication in error, please delete this mail and notify us immediately at [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63013t=63013
PIX firewall [7:62761]
Hello,

Could you please tell me, with the Cisco PIX firewall, whether the clients need to be firewall clients or not?

Hanan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62761t=62761
RE: PIX firewall [7:62761]
hanan wrote:
> Could you please tell me, with the Cisco PIX firewall, whether the clients need to be firewall clients or not?

PIX isn't a client/server architecture. Firewalls generally aren't. The term "firewall client" isn't usually used. PIX is a network firewall that protects an inside network from the outside. It examines all TCP/IP traffic, in and out. It doesn't care who is sending the traffic. It works on any ordinary network where the clients and servers run a variety of operating systems.

Now, if you are concerned with VPNs, then the terms client and server do get used. I think it's still true, though, that PIX would work with a variety of VPN clients. Someone correct me if I'm wrong. Thanks.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62768t=62761
PIX firewall simultaneous connections [7:62575]
Hello groupies,

I was reading the PIX book and it apparently said that the number of connections supported by a PIX firewall (higher-order) is 500,000. Does this mean that up to 500,000 sessions can be established, or something else? If so, what do I do if I have a throughput of, say, 2 million users?

Thanks in adv.

Cheers,
Kenan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62575t=62575
Re: PIX firewall simultaneous connections [7:62575]
I believe that if you check the Cisco website or documentation, you will see that it defines a session as a single TCP or UDP connection. If somehow you had 2M users, yet their total number of sessions never exceeded 500K, then your firewall could handle 2M users. I am not addressing performance at all here.

Realistically, though, your users are going to have any number of sessions established as they read their email, check the web, download files, and so on. It's possible that your 500K PIX firewall could only be able to handle about 5K or 50K of your users if they are the kind of users to keep hundreds or thousands of sessions going at once.

HTH,
Charles

Kenan Ahmed Siddiqi wrote in message news:[EMAIL PROTECTED]
> I was reading the PIX book and it apparently said that the number of connections supported by a PIX firewall (higher-order) is 500,000. Does this mean that up to 500,000 sessions can be established, or something else? If so, what do I do if I have a throughput of, say, 2 million users?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62578t=62575
Re: PIX firewall simultaneous connections [7:62575]
These are TCP and UDP connections. Keep in mind that the PIX must keep a state table for these connections, so that's probably where it gets the limit from.

I really can't see how you could have 2 million users internally going through one firewall, so I assume you mean 2 million people hitting a web server behind the PIX. I really can't see 2 million people hitting a website at the same time going through a single PIX. But if you are big time like that, you would have more than one PIX handling it.

Kenan Ahmed Siddiqi wrote in message news:[EMAIL PROTECTED]
> I was reading the PIX book and it apparently said that the number of connections supported by a PIX firewall (higher-order) is 500,000. Does this mean that up to 500,000 sessions can be established, or something else? If so, what do I do if I have a throughput of, say, 2 million users?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62583t=62575
Re: PIX firewall simultaneous connections [7:62575]
I have approximately 2 million hits a day on web pages behind a pair of PIX 515's in failover and send out a little more than a million subscription (not spam) emails every night, and the only issue I have is that the available 1550 (Ethernet) blocks drop to zero at times during the 3 or 4 hours in the middle of the night that I'm shoving out all of that email. We even run some small animated Flash things on some pages; however, I don't serve any streaming media. I do have FTP services that serve from 1500-2000 users anywhere from 10 to 100MB each daily. Now the FTP users are pulling packages of graphics though, not 700MB ISO CD images.

During the day, when the lion's share of the web activity occurs, I never notice any of the PIX's resources taxed to anywhere close to a point I consider worrisome. The boxes I have to keep an eye on are my 3640 routers. That's where I see the meters pegging, mostly in the mornings when people check their morning emails. I used to have QoS running on them for certain traffic I wanted to restrict bandwidth on, but that absolutely choked the CPUs in the AM. Never seen a router CPU run at 100% use and stay there until then. Had to remove it.

Like Charles said, a single user will open many connections for one web page hit, but each individual connection is not open too long. The PIX just keeps on chuggin' right along. Now I run no encryption on that pair and have tunnels in from the outside coming in thru another PIX that processes no web traffic. These 2 boxes are simple firewalls. I would like to upgrade to at least 525's (not to mention a beefier router) or just a REALLY beefy router running firewall IOS but, alas, it's not in the budget this year, so I chug right along with my 515's doing exactly what I need them to.

If you're not running really big Flash animations, streaming media or some other big bandwidth hog type of traffic, you don't have a bunch of secure tunnels built, or your 2 million users don't all hit within a 2 hour time frame, I really doubt you'll have any issues with a 515 or bigger box, but I would personally recommend bigger than a 515 with the idea in mind of a little room for your business to grow and not maxing out the box in 6 months or a year. Our traffic has only seen modest growth over the last 2 years or so. I believe we still have quite a bit more we can squeeze out of the PIX's before we have no choice but to upgrade. That's my experience anyway. Don't know how closely your requirements match mine though. Hope this helps.

Mark

Quoting Charles Riley:

I believe that if you check the Cisco website or documentation, you will see that it defines a session as a single TCP or UDP connection. If somehow you had 2M users, yet their total number of sessions never exceeded 500K, then your firewall could handle 2M users. I am not addressing performance at all here. Realistically, though, your users are going to have any number of sessions established as they read their email, check the web, download files, and so on. It's possible that your 500K PIX firewall could only be able to handle about 5K or 50K of your users if they are the kind of users to keep hundreds or thousands of sessions going at once. HTH, Charles

Kenan Ahmed Siddiqi wrote:

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62587t=62575
History of the PIX Firewall [7:62512]
To all, I have received an email from Brantley Coile, one of the two co-developers of the PIX firewall, congratulating me on my book. He kindly sent me information about the development of the PIX and its subsequent sale to Cisco. If you would like to see the entire story, please visit this link (watch the wrap): http://home.cfl.rr.com/dealgroup/pix/pix_page_history.htm

Cheers!
-- Richard A. Deal
Visit my home page at http://home.cfl.rr.com/dealgroup/
Author of Cisco PIX Firewalls, CCNA Secrets Revealed!, CCNP Remote Access Exam Prep, CCNP Switching Exam Cram, and CCNP Cisco LAN Switch Configuration Exam Cram. Cisco Test Prep author for QuizWare, providing the most comprehensive Cisco exams on the market.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62512t=62512
Re: History of the PIX Firewall [7:62512]
Cool.

Richard Deal wrote:

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62540t=62512
Re: SQLNET/TNS Firewall Rule [7:62472]
First of all, what version of PIX OS are you running? I have a similar setup to yours, with a franken PIX firewall between an Oracle9i server running on Linux and an Oracle9i client running on a Windows 2k machine. I am running version 6.3(0) build 131 on my franken PIX firewall and it works great connecting to SQL*Net port 1521 on the Oracle server behind the firewall. Just make sure you have this in your PIX configuration:

fixup protocol sqlnet 1521

Make sure that you're running version 6.2(2) or 6.3(0) build 131 beta and you will be fine. Have fun.

D.

Paulo Roque wrote:

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62556t=62472
SQLNET/TNS Firewall Rule [7:62472]
I have a PIX firewall between an Oracle server and a client. The client always starts a connection on port 1521 on the server. The server always sends a port redirect to the client, informing the client to start a new connection on a second port. This second port is always random, which makes me create a rule that permits the client to connect to any port on the server. This situation is bad. Is it possible to create a rule that restricts the client's access to the server and still permits the Oracle connection to occur?

-- Eng. Paulo Roque
Network Engineer
Cisco Certified Network Associate
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62472t=62472
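An added example (not from the thread and not Cisco's fixup code), in Python, of what 'fixup protocol sqlnet 1521' has to do so that the access list can stay at the listener port: inspect the server's TNS REDIRECT, read the new port out of it, and open only that one pinhole instead of permitting every port on the server. The TNS header layout assumed here (8-byte header, type 5 = REDIRECT, then a 2-byte length and the address string), the packet bytes, the redirected port 1532 and the client/server addresses are all constructed for the example.

```python
import re
import struct

# Assumed TNS wire layout for this model: 8-byte header (packet length,
# checksum, type, reserved, header checksum), type 5 = REDIRECT, followed by
# a 2-byte length and the redirect address string.
TNS_REDIRECT = 5
TNS_HEADER_LEN = 8

_HOST_RE = re.compile(r"\(HOST=([^)]+)\)", re.IGNORECASE)
_PORT_RE = re.compile(r"\(PORT=(\d+)\)", re.IGNORECASE)


def build_tns_redirect(address: str) -> bytes:
    """Build a TNS REDIRECT packet carrying `address` (constructed sample data,
    not captured from a real Oracle listener)."""
    body = address.encode("ascii")
    payload = struct.pack("!H", len(body)) + body
    header = struct.pack("!HHBBH", TNS_HEADER_LEN + len(payload), 0, TNS_REDIRECT, 0, 0)
    return header + payload


def parse_tns_redirect(packet: bytes):
    """Return (host, port) named in a TNS REDIRECT packet, or None if the packet
    is not a well-formed redirect. Both length fields are checked before the
    data is used, so a truncated or malformed packet never opens a pinhole."""
    if len(packet) < TNS_HEADER_LEN + 2:
        return None
    length, _csum, ptype, _rsv, _hcsum = struct.unpack("!HHBBH", packet[:TNS_HEADER_LEN])
    if ptype != TNS_REDIRECT or length != len(packet):
        return None
    (dlen,) = struct.unpack("!H", packet[TNS_HEADER_LEN:TNS_HEADER_LEN + 2])
    data = packet[TNS_HEADER_LEN + 2:]
    if len(data) != dlen:
        return None
    text = data.decode("ascii", errors="replace")
    host, port = _HOST_RE.search(text), _PORT_RE.search(text)
    if host is None or port is None:
        return None
    return host.group(1), int(port.group(1))


class SqlnetInspector:
    """Model of the rule set: a static rule permits client -> server on the
    listener port only; a REDIRECT seen on that session opens one pinhole for
    the redirected port. The alternative described on the page (permit the
    client to any port on the server) needs no inspection but also denies nothing."""

    def __init__(self, client: str, server: str, listener_port: int = 1521):
        self.client = client
        self.server = server
        self.listener_port = listener_port
        self.pinholes = set()  # (src, dst, dport) opened by inspected redirects

    def observe_server_reply(self, payload: bytes) -> bool:
        """Inspect a server -> client payload on the listener session and return
        True if it opened a pinhole. Redirects naming a different host are
        ignored (an assumption of this model: the redirected session stays on
        the same server the client was permitted to reach)."""
        redirect = parse_tns_redirect(payload)
        if redirect is None:
            return False
        host, port = redirect
        if host != self.server:
            return False
        self.pinholes.add((self.client, host, port))
        return True

    def allows(self, src: str, dst: str, dport: int) -> bool:
        """Static rule first, then any pinhole the inspection has opened."""
        if src == self.client and dst == self.server and dport == self.listener_port:
            return True
        return (src, dst, dport) in self.pinholes
```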
VPN Gateway and Firewall [7:62358]
Hi all, I have a Checkpoint FW-1 and a VPN concentrator in a new design. Where is the best place to put the VPN concentrator relative to the firewall?

a) before the firewall (in the outside network)
b) after the firewall (in the inside network)
c) in parallel with the firewall
d) on a separate firewall interface

Paulo
-- Eng. Paulo Roque
Network Engineer
Cisco Certified Network Associate
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62358t=62358
Re: VPN Gateway and Firewall [7:62358]
Inside the firewall. I haven't worked with the concentrators before, but have used a Cisco router for RAS VPN. All it needs is one interface for this function, real nice. Putting it behind the FW ensures only stateful TCP sessions are used and protects it from outsiders.

Paulo Roque wrote:

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62360t=62358
Re: VPN Gateway and Firewall [7:62358]
You may want to consider the concentrator in a dual DMZ scenario. The benefit of putting it in a dual DMZ scenario is that not only can you control the outside access, you can also control the resources a remote can see on the inside once a tunnel is established. If you place it behind the firewall, once the remote has a tunnel they have complete access to your inside network.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62363t=62358
Re: Help with pix firewall logging [7:61902]
Hello, I think you did not open the port on the PIX to send log information to the server. When you install the PFSS software it shows what ports it is using on TCP and UDP; check it and modify this command on the PIX:

logging host inside 192.168.11.254 tcp/<the port number>

By default it uses 1468, but sometimes it uses 1470, so confirm the port number and configure it. I think it will work.

Bye
Usman Ali

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61943t=61902
RE: How to stop SYN Flood with Pix firewall? [7:61891]
If it wasn't for those Crappy Windows machines, we would have jobs.

-----Original Message-----
From: d tran [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 25, 2003 9:18 PM
To: [EMAIL PROTECTED]
Subject: Re: How to stop SYN Flood with Pix firewall? [7:61891]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61944t=61891
RE: Help with pix firewall logging [7:61902]
Thanks everyone for the replies. I have it working now, but what gets me is I have no clue what did it. I took all of the logging info that was posted in my original email off of the PIX and put it back on; after doing so it started working.

Usman, I am not using the PFSS software from Cisco, I am using a real syslog server on a FreeBSD box.

Once again thank you for your replies.

-----Original Message-----
From: Usman Ali [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 4:56 AM
To: [EMAIL PROTECTED]
Subject: Re: Help with pix firewall logging [7:61902]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61952t=61902
RE: Help with pix firewall logging [7:61902]
Elijah, I would add 'logging buffered debug' and see if you get any error messages in the local log file. You check the local log using 'show log'. You may see traffic being blocked by an ACL.

Secondly, version 6.2(2) does have the packet capture feature. It is too long to go into, but check the CCO on how to enable this. I have used it and it works well. Basically you do the following:

1. Define an ACL to capture the traffic you are looking for, in your case any traffic going to the syslog server.
2. Use the 'capture' command, assigning the ACL to an interface and starting the capture.
3. Use the 'show capture' command to see the results.

Hope this helps,
Scott

--- On Sun 01/26, Elijah Savage III wrote:
From: Elijah Savage III [mailto: [EMAIL PROTECTED]]
To: [EMAIL PROTECTED]
Date: Sun, 26 Jan 2003 18:21:10 GMT
Subject: RE: Help with pix firewall logging [7:61902]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61959t=61902
Help with pix firewall logging [7:61902]
All, I have a PIX running 6.2; it is logging to a FreeBSD server on the local network. It was logging to syslog at one time no problem, but all of a sudden it stopped and I can't get it working. Here is the logging config. I turned up logging to see if it would help, and nothing. Yes, I am sure syslog is running on the box; if I do a tcpdump on the FreeBSD server I see nothing coming from the PIX.

logging on
logging timestamp
logging trap warnings
logging history debugging
logging facility 23
logging host inside 192.168.11.254

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61902t=61902
RE: Help with pix firewall logging [7:61902]
As a last resort I did reboot the PIX also, but still no logging. What am I missing?

-----Original Message-----
From: Elijah Savage III
Sent: Sunday, January 26, 2003 1:11 PM
To: [EMAIL PROTECTED]
Subject: Help with pix firewall logging [7:61902]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61903t=61902
Re: Help with pix firewall logging [7:61902]
Is syslogd still accepting connections from network devices? Did you change the firewall on the FreeBSD machine? The problem may not be the PIX.

Ken

Elijah Savage III 01/26/03 10:11AM wrote:

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61906t=61902
RE: Help with pix firewall logging [7:61902]
The problem is definitely the PIX. Even if syslogd was not running or a firewall running on the box was blocking it, I would still see the packets arriving at the box when running tcpdump on the server. But yes, other machines are still logging to this box.

-----Original Message-----
From: Ken Diliberto [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 26, 2003 2:28 PM
To: [EMAIL PROTECTED]
Subject: Re: Help with pix firewall logging [7:61902]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61919t=61902
Re: Help with pix firewall logging [7:61902]
It may be that no alerts at the warnings level have occurred. Try setting it at a higher level such as 6 or 7 (which pretty much logs everything). Once you have ascertained that logging between the PIX and the syslog server is working, restore it back to the warnings level.

HTH,
Charles

Elijah Savage III wrote:

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61923t=61902
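An added example (not from the thread), in Python, of how the trap level decides which messages ever leave the PIX for the syslog host: under 'logging trap warnings' only severity 4 and below are sent, so a quiet network gives the FreeBSD box nothing to show, which is Charles's point, and 'logging facility 23' puts them under local7 on the receiving side. The sample lines follow the %PIX-severity-id shape of PIX 6.x messages but are constructed, not captured.

```python
import re
from dataclasses import dataclass

# Severity names as `logging trap <level>` takes them, and their numeric values.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Every PIX message carries its severity in the tag: %PIX-<severity>-<id>: <text>
_MSG_RE = re.compile(r"%PIX-(\d)-(\d{6}): (.*)$")


@dataclass
class PixMessage:
    severity: int
    msg_id: str
    text: str


def parse_pix_syslog(line: str):
    """Parse one line; return None for lines that are not PIX messages."""
    m = _MSG_RE.search(line)
    if m is None:
        return None
    return PixMessage(int(m.group(1)), m.group(2), m.group(3))


def forwarded_at(lines, trap_level: str):
    """Messages the PIX sends to the syslog host under `logging trap <trap_level>`:
    everything whose severity number is <= the configured level."""
    limit = SEVERITY[trap_level]
    return [m for m in map(parse_pix_syslog, lines) if m is not None and m.severity <= limit]


def syslog_pri(facility: int, severity: int) -> int:
    """PRI value on the wire (facility * 8 + severity). Facility 23 is local7,
    so local7.* is the syslog.conf selector that catches these on the FreeBSD box."""
    return facility * 8 + severity


# Constructed sample lines in the shape of PIX 6.x messages (not a real capture).
SAMPLE_LOG = [
    "%PIX-6-302013: Built inbound TCP connection 4211 for outside:198.51.100.7/3301 to inside:192.168.11.20/80",
    "%PIX-6-302014: Teardown TCP connection 4211 for outside:198.51.100.7/3301 to inside:192.168.11.20/80 duration 0:00:02 bytes 1734 TCP FINs",
    '%PIX-4-106023: Deny tcp src outside:198.51.100.9/4040 dst inside:192.168.11.20/22 by access-group "100"',
    "%PIX-3-305005: No translation group found for tcp src inside:192.168.11.33/2050 dst outside:203.0.113.20/443",
    "%PIX-5-111008: User 'enable_15' executed the 'logging trap debugging' command.",
    "%PIX-7-710005: TCP request discarded from 198.51.100.7/1033 to outside:203.0.113.1/23",
    "Jan 26 2003 13:11:02 freebsd syslogd: restart",  # local line, not a PIX message
]


if __name__ == "__main__":
    for level in ("warnings", "debugging"):
        ids = [m.msg_id for m in forwarded_at(SAMPLE_LOG, level)]
        print(f"logging trap {level}: {len(ids)} of {len(SAMPLE_LOG)} lines forwarded {ids}")
```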
How to stop SYN Flood with Pix firewall? [7:61875]
Guys, I have the following scenario: I have a PIX 520 firewall (750MHz with 512MB of RAM) in the lab. The inside interface is 10.100.0.254/24 and the outside interface is 172.16.1.253/24. I have a Linux server residing on the inside network with IP 10.100.0.71 running Apache Server, and it is NATed to the outside with IP 172.16.1.71. I would like to make this web server available to the outside world. My PIX configuration looks like this:

static (inside,outside) 172.16.1.71 10.100.0.71
access-list 100 permit tcp any host 172.16.1.71 eq 80
access-list 100 deny ip any any
access-group 100 in interface outside
floodguard enable

Now on the outside network I have two Linux servers (172.16.1.67 and 172.16.1.7) running the hping2 program, which is capable of generating a lot of SYN connections to address 172.16.1.71. Now, when I run the hping2 program, I am seeing the CPU utilization on the firewall reaching 99%, like this:

pix1(config)# sh cpu usage
CPU utilization for 5 seconds = 99%; 1 minute: 98%; 5 minutes: 98%

However, the connection count is less than 200:

pix1(config)# sh conn count
125 in use, 7926 most used

Other machines on the 172.16.1.0/24 network have problems reaching the web server, 172.16.1.71, when hping2 is bombarding the web server with a SYN flood. Fair enough, I decided to modify the access-list 100 to limit both the maximum connections and half-open connections to 500 and 250, respectively, as follows:

static (inside,outside) 172.16.1.71 10.100.0.71 255.255.255.255 500 250

and I do clear xlate after that. That didn't help. The CPU utilization is still 99% and machines on the outside network still have problems accessing the website.

My question is this. How do I defend against a SYN flood like this? From what I've heard, Cisco PIX has an improved TCP intercept to defend against SYN attacks. Why is it not working in my case? To make the matter worse, the CPU also reaches 99% when hping2 SYN floods port 22 even though the firewall does not allow port 22 to 172.16.1.71.

I am testing with both version 6.2(2) and 6.3(0) build 131 on this PIX 520 firewall. I would like to know how to defend against not only SYN floods but also other attacks. It looks to me like the PIX is not doing its job.

Regards,
DT

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61875t=61875
Re: How to stop SYN Flood with Pix firewall? [7:61875]
The parameter to do this on a given static statement is for embryonic connections... (an unanswered SYN)

static [(prenat_interface, postnat_interface)] {mapped_address | interface} real_address [dns] [netmask mask] [norandomseq] [connection_limit [em_limit]]

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/s.htm#1026694

-----Original Message-----
From: d tran
To: [EMAIL PROTECTED]
Date: Sat, 25 Jan 2003 21:41:09 GMT
Subject: How to stop SYN Flood with Pix firewall? [7:61875]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61879t=61875
Re: How to stop SYN Flood with Pix firewall? [7:61875]
Brant, give me an example that works. Thanks.

DT

Brant Stevens wrote:

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61884t=61875
RE: How to stop SYN Flood with Pix firewall? [7:61885]
Carl, did you read my post before replying?

floodguard enable

DT

Carl Newman wrote:

Tran: Have you turned on flood guard? This is a needed element before the embryonic threshold can be enabled. Carl

-----Original Message-----
From: d tran [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 25, 2003 3:41 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: How to stop SYN Flood with Pix firewall?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61885t=61885
Re: How to stop SYN Flood with Pix firewall? [7:61891]
I am not sure how many packets/sec hping2 generates, but I don't think 100BaseT was saturated because the whole thing is connected to a Cisco 2924-XL Enterprise switch (running 12.05(T) IOS). Furthermore, while machines on the 172.16.1.0/24 network have problems connecting to the linux web server via the NATed address 172.16.1.71, they have NO problems surfing the Internet or any other network. In fact, I am writing you this email as my other two linux servers are sending a SYN flood to the web server and the CPU on the Pix firewall is at 99%.

You wouldn't have to fight the udp 1434 problem had you decided to scrap the shitty MS SQL server running on a crappy Windows machine and replace it with MySQL (freeware) or a real commercial database product like Oracle running on a Linux platform. Enjoy fighting udp 1434. LOL

DT

Przemyslaw Karwasiecki wrote:

How many packets per second does hping2 generate? If it saturates 100BaseT, maybe you had just reached the performance limit of the PIX520? I am not trying to say that the PIX will not handle traffic in the proximity of 150,000-200,000 pps. I simply don't know that. But if it needs to analyze 150,000 SYN packets per second, I can easily imagine that it will crawl.

BTW -- very interesting experiment.

Przemek (fighting with udp 1434 now)

On Sat, 2003-01-25 at 16:40, d tran wrote:

Guys, I have the following scenario: I have a pix 520 firewall (750MHz with 512MB of RAM) in the lab. [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61891t=61891
Re: How to stop SYN Flood with Pix firewall? [7:61892]
How many packets per second does hping2 generate? If it saturates 100BaseT, maybe you had just reached the performance limit of the PIX520? I am not trying to say that the PIX will not handle traffic in the proximity of 150,000-200,000 pps. I simply don't know that. But if it needs to analyze 150,000 SYN packets per second, I can easily imagine that it will crawl.

BTW -- very interesting experiment.

Przemek (fighting with udp 1434 now)

On Sat, 2003-01-25 at 16:40, d tran wrote:

Guys, I have the following scenario: I have a pix 520 firewall (750MHz with 512MB of RAM) in the lab. [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61892t=61892
Re: How to stop SYN Flood with Pix firewall? [7:61893]
On Sat, 2003-01-25 at 21:18, d tran wrote:

I am not sure how many packets/sec hping2 generates, but I don't think 100BaseT was saturated because the whole thing is connected to a Cisco 2924-XL Enterprise switch (running 12.05(T) IOS).

I mentioned this saturation stuff not to suggest that it somehow affects your observation, but as an estimation of the amount of pps. The Linux kernel is fairly capable of generating packets at full wire speed (I was writing some testing scripts in PERL and had no problem generating 150 kpps). I just wanted to point out that at 150 kpps, a device creating data structures representing a new TCP connection for each and every packet has a hell of a lot of work, and maybe you just reached the PIX520's limits...

Besides, the Cat switch is nonblocking (well, nearly), so unicast traffic between your generator and the pix will not affect other ports.

Przemek

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61893t=61893
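The thread turns on what the two trailing numbers of the static command (maximum connections and maximum embryonic, or half-open, connections) actually buy a defender. The following is an added example, not code from the GroupStudy thread or from Cisco: it is a small Python model, with constructed class names, flow tuples and a constructed flood, of per-static connection accounting in which the firewall forwards SYNs to the server until the embryonic limit is reached and thereafter answers the SYNs itself, passing a flow to the server only once the client completes the handshake.

```python
"""
Model of per-static connection limits under a SYN flood.

Added example, not code from the GroupStudy thread or from Cisco: the class
names, the flow tuples and the constructed flood below are all assumptions made
here to illustrate the two trailing numbers in

    static (inside,outside) 172.16.1.71 10.100.0.71 255.255.255.255 500 250

which the thread describes as the maximum connections (500) and the maximum
half-open, or embryonic, connections (250) for that translated host. Once the
embryonic count reaches its limit the model stops forwarding raw SYNs and
instead answers them itself, opening a server-side connection only after the
client completes the handshake. Spoofed SYNs that never ACK therefore stop
costing the server half-open slots, although the firewall still processes them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticLimits:
    max_conns: int       # established connections allowed (500 in the thread)
    max_embryonic: int   # half-open connections allowed (250 in the thread)


@dataclass
class Stats:
    forwarded_syns: int = 0       # SYNs passed straight to the server (half-open there)
    intercepted_syns: int = 0     # SYNs answered by the firewall instead
    established: int = 0          # handshakes completed and passed to the server
    dropped_conn_limit: int = 0   # refused because max_conns was already reached


class StaticGuard:
    """Connection accounting for one static translation."""

    def __init__(self, limits: StaticLimits):
        self.limits = limits
        self.stats = Stats()
        self.half_open = set()          # flows forwarded to the server, awaiting ACK
        self.pending_intercept = set()  # flows the firewall is proxying
        self.established = set()

    def syn(self, flow):
        """Handle a client SYN; returns what the firewall did with it."""
        if len(self.established) >= self.limits.max_conns:
            self.stats.dropped_conn_limit += 1
            return "dropped"
        if len(self.half_open) >= self.limits.max_embryonic:
            # Embryonic limit reached: complete the handshake on the server's behalf.
            self.pending_intercept.add(flow)
            self.stats.intercepted_syns += 1
            return "intercepted"
        self.half_open.add(flow)
        self.stats.forwarded_syns += 1
        return "forwarded"

    def ack(self, flow):
        """Client's final ACK: only now does an intercepted flow reach the server."""
        if flow in self.half_open:
            self.half_open.remove(flow)
        elif flow in self.pending_intercept:
            self.pending_intercept.remove(flow)
        else:
            return "unknown"
        self.established.add(flow)
        self.stats.established += 1
        return "established"

    def expire_half_open(self):
        """Embryonic timeout: drop every half-open flow that never completed."""
        expired = len(self.half_open) + len(self.pending_intercept)
        self.half_open.clear()
        self.pending_intercept.clear()
        return expired


def simulate(limits: StaticLimits, spoofed_syns: int, real_clients: int) -> Stats:
    """Constructed scenario: a burst of SYNs from forged sources that never ACK,
    followed by legitimate clients that do complete the handshake."""
    guard = StaticGuard(limits)
    for i in range(spoofed_syns):
        guard.syn(("spoofed", i))
    for i in range(real_clients):
        flow = ("client", i)
        guard.syn(flow)
        guard.ack(flow)
    return guard.stats


if __name__ == "__main__":
    print(simulate(StaticLimits(500, 250), spoofed_syns=1000, real_clients=10))
```

With the thread's limits of 500/250 and a constructed burst of 1000 spoofed SYNs, the first 250 reach the server as half-open connections and the remaining 750 are answered by the firewall; the 10 legitimate clients that follow are also intercepted (the half-open table is still full) but still reach the server once they ACK. The model also shows why the poster's CPU observation is a separate problem: every flood packet, intercepted or not, is still work for the firewall, which matches the 99% CPU seen even when hping2 targets the denied port 22.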
RE: Microsoft Exchange/UMS and Firewall [7:61747]
I've gone through an issue like this before and remember some issue about Exchange using constantly changing ports. But this link might be able to help you.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;155831

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61777t=61747
RE: Microsoft Exchange/UMS and Firewall [7:61747]
Exchange will use 135 to discover (portmapper) and then use dynamically assigned ports for the actual conversations. Your best bet is to statically map the ports in Exchange, and then you don't have a moving target from the firewall's point of view.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;155831
http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b194952

The other option (not a good one IMHO) is to open 135 only to the Exchange host and then leave a range of ports open to that host as well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 23, 2003 9:04 PM
To: [EMAIL PROTECTED]
Subject: Microsoft Exchange/UMS and Firewall [7:61747]

Hi All,

Need your advice on the following situation: I have an Active Voice Unified Messaging System at Location A, and a Microsoft Exchange Server at Location B. Both Location A and B are protected by Checkpoint firewalls. Please advise how the firewall should be configured such that it will allow MAPI to be used between these two sites.

Thanks a lot in advance!

Maurice

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61780t=61747
access-list compiled on Pix firewall [7:61801]
Has anyone used the access-list compiled on the pix firewall? Cisco says that it optimizes the access-list and makes things run smoother if your access-list is at least 20 lines long. Has anyone actually measured this in a production environment? Advise please.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61801t=61801
RE: access-list compiled on Pix firewall [7:61803]
I've used the turbo acl function and it seems like a nice feature, but I didn't notice any real difference performance-wise. Had 29 lines of filters.

Thanks,
Ian
www.ccie4u.com
Rack Rentals and Lab Scenarios

-Original Message-
From: eric nguyen [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 3:46 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: access-list compiled on Pix firewall

Has anyone used the access-list compiled on the pix firewall? Cisco says that it optimizes the access-list and makes things run smoother if your access-list is at least 20 lines long. Has anyone actually measured this in a production environment? Advise please.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61803t=61803
RE: access-list compiled on Pix firewall [7:61803]
According to Cisco's site... The access-list compiled can only be used with Turbo ACLs on the 7000 series routers. Please lemme know if I'm wrong! I'd like to use it on my 3640 with acl gremlins.

-Original Message-
From: Stong, Ian C [GMG] [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 3:04 PM
To: [EMAIL PROTECTED]
Subject: RE: access-list compiled on Pix firewall [7:61803]

I've used the turbo acl function and it seems like a nice feature, but I didn't notice any real difference performance-wise. Had 29 lines of filters.

Thanks,
Ian
www.ccie4u.com
Rack Rentals and Lab Scenarios

-Original Message-
From: eric nguyen [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 3:46 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: access-list compiled on Pix firewall

Has anyone used the access-list compiled on the pix firewall? [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61812t=61803
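The question in this thread is what a "compiled" access-list changes about evaluation. The following is an added example, not code from the thread or from Cisco: a Python model with constructed ACE and packet types that evaluates the same ACL two ways, by walking entries in order until the first match, and by a table-driven lookup in which each packet field selects a bitmap of candidate entries, the bitmaps are intersected, and the lowest set bit is the winning entry. The sample ACL mirrors the two lines posted earlier in the SYN-flood thread plus constructed extra entries; the self-check confirms both evaluators agree, which is the property a compiled ACL must preserve.

```python
"""
Linear first-match ACL evaluation versus a compiled, table-driven lookup.

Added example, not from the GroupStudy thread or from Cisco: Ace, Packet, the
table layout and the sample ACL are constructed here to show the idea behind
compiling an access-list. The linear evaluator costs one comparison per entry
per packet; the compiled one costs one table lookup per field regardless of
how many entries the list has, which is why the benefit only shows up on long
lists. Correctness requires that both return the same first-matching entry.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard field value ("any" / "ip")


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: Optional[str]   # "tcp", "udp", ... or ANY
    dst: Optional[str]     # destination host, or ANY
    dport: Optional[int]   # destination port, or ANY


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int


FIELDS = ("proto", "dst", "dport")


def linear_match(acl: List[Ace], pkt: Packet) -> Optional[int]:
    """Walk the list in configured order; return the index of the first match."""
    for i, ace in enumerate(acl):
        if all(getattr(ace, f) in (ANY, getattr(pkt, f)) for f in FIELDS):
            return i
    return None  # no entry matched: implicit deny


class CompiledAcl:
    """Per-field tables mapping a field value to a bitmap of matching entries."""

    def __init__(self, acl: List[Ace]):
        self.acl = list(acl)
        self.tables = {f: {} for f in FIELDS}
        self.wild = {f: 0 for f in FIELDS}   # entries that wildcard this field
        for i, ace in enumerate(self.acl):
            bit = 1 << i
            for f in FIELDS:
                value = getattr(ace, f)
                if value is ANY:
                    self.wild[f] |= bit
                else:
                    self.tables[f][value] = self.tables[f].get(value, 0) | bit
        # Fold the wildcard entries into every concrete value so that a single
        # lookup per field yields the complete candidate set.
        for f in FIELDS:
            for value in self.tables[f]:
                self.tables[f][value] |= self.wild[f]

    def match(self, pkt: Packet) -> Optional[int]:
        mask = (1 << len(self.acl)) - 1
        for f in FIELDS:
            # A value absent from the table can only match wildcard entries.
            mask &= self.tables[f].get(getattr(pkt, f), self.wild[f])
            if not mask:
                return None
        # Lowest set bit is the first entry in configured order.
        return (mask & -mask).bit_length() - 1


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Action the ACL takes on a packet, including the implicit deny."""
    i = linear_match(acl, pkt)
    return acl[i].action if i is not None else "deny"


def equivalent(acl: List[Ace], packets: List[Packet]) -> bool:
    """Self-check: the compiled form must agree with linear evaluation."""
    compiled = CompiledAcl(acl)
    return all(linear_match(acl, p) == compiled.match(p) for p in packets)


def sample_acl() -> List[Ace]:
    """The thread's two-line outside ACL plus constructed extra entries."""
    return [
        Ace("permit", "tcp", "172.16.1.71", 80),    # access-list 100 permit tcp any host 172.16.1.71 eq 80
        Ace("permit", "tcp", "172.16.1.71", 443),   # constructed
        Ace("deny", "tcp", "172.16.1.71", ANY),     # constructed
        Ace("permit", "udp", "172.16.1.72", 53),    # constructed
        Ace("deny", ANY, ANY, ANY),                 # access-list 100 deny ip any any
    ]


if __name__ == "__main__":
    acl = sample_acl()
    for p in (Packet("tcp", "172.16.1.71", 80), Packet("tcp", "172.16.1.71", 22)):
        print(p, "->", evaluate(acl, p), "(entry", CompiledAcl(acl).match(p), ")")
```

The lookup cost of `CompiledAcl.match` is fixed at three table probes, so for the 29-line list Ian mentions the saving over a linear walk is too small to notice, which is consistent with his report; the rebuild of the tables on every ACL change is the price paid for that fixed lookup cost.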
RE: Microsoft Exchange/UMS and Firewall [7:61747]
Does your checkpoint licensing support VPN? If so, it is very easy to build a secure tunnel between sites that is encrypted. If you send me the feature portion of the licensing string I can tell you if it supports encryption.

-Original Message-
From: Arnold, Jamie [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: Microsoft Exchange/UMS and Firewall [7:61747]

Exchange will use 135 to discover (portmapper) and then use dynamically assigned ports for the actual conversations. Your best bet is to statically map the ports in Exchange, and then you don't have a moving target from the firewall's point of view.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;155831
http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b194952

The other option (not a good one IMHO) is to open 135 only to the Exchange host and then leave a range of ports open to that host as well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 23, 2003 9:04 PM
To: [EMAIL PROTECTED]
Subject: Microsoft Exchange/UMS and Firewall [7:61747]

Hi All,

Need your advice on the following situation: [...]

Maurice

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61825t=61747
Microsoft Exchange/UMS and Firewall [7:61747]
Hi All,

Need your advice on the following situation: I have an Active Voice Unified Messaging System at Location A, and a Microsoft Exchange Server at Location B. Both Location A and B are protected by Checkpoint firewalls. Please advise how the firewall should be configured such that it will allow MAPI to be used between these two sites.

Thanks a lot in advance!

Maurice

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61747t=61747
Local Director vs Pix Firewall [7:60594]
What is the difference between a Local Director and a Pix Firewall? Assume they have at least 3 NICs each.

Also, I have recently purchased a Cisco Pix Firewall/Local Director on ebay. I cannot seem to find the model #; all I know is it's running Version 4.14. Most likely it has 2MB flash. I cannot seem to find anything on Cisco's website (CCO) regarding this product, not even a software upgrade to Version 5.x.

Any response will be appreciated. Thanks!

Joe

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60594t=60594
RE: Catalyst 6xxx switches and 2 firewall in clust [7:60235]
Hi Mark,

Well, the solution is still due. I was having some doubts with the present setup and have asked the customer to shift one of the FWs to the 2nd redundant switch, because in real terms only after doing that can we achieve full redundancy and failover. I will surely reply to you on this.

regds
Hitesh

-Original Message-
From: Vicuna, Mark [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 08, 2003 7:45 AM
To: Hitesh Pathak R
Subject: RE: Catalyst 6xxx switches and 2 firewall in clust [7:60235]
Importance: High

Hi Hitesh,

I am curious to find out your solution to this.. can you please post a reply on Groupstudy on your findings.

Regards,
Mark.

-Original Message-
From: Hitesh Pathak R [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 05, 2003 7:53 PM
To: [EMAIL PROTECTED]
Subject: RE: Catalyst 6xxx switches and 2 firewall in clust [7:60235]

Thanks Priscilla for your suggestion. Yes, you are getting closer to the problem that I am facing right now. Well, I have not yet tried putting a permanent cam entry on the uplink port, due to 2 reasons:

1) Since it's a live setup of one of the biggest banks, I just wanted to be sure whether what I am doing is right or not.

2) As I told you in my mail, the back-to-back link between both my core switches is a trunk and 2 ports are channeled together. In this case, which port should I bind the cam entry with (supervisor port 1/1 or 1/2)? Also both my firewalls are part of one VLAN and, as you know, trunks are by default part of the management VLAN (vlan 1). As per the firewall provider's documentation I need to specify the VLAN # as well while setting the permanent cam entry with the set cam permanent command. So which VLAN should I specify? Any suggestion?

Thanks
Hitesh

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 06, 2003 3:23 AM
To: [EMAIL PROTECTED]
Subject: RE: Catalyst 6xxx switches and 2 firewall in clust [7:60235]

It's possible I've gleaned some correct information from your few clues about your situation.

Possible topology: Your highly-available firewalls are connected to Switch 1 (SW1). The firewalls expect other devices to send to one or the other firewall using a multicast address, in a similar fashion to the way hosts send to the HSRP address (even though that's not a multicast address). Servers are connected to Switch 2. The servers are supposed to send to the multicast address associated with the firewall. Is that close to right? Am I getting closer?

It's also possible that I have figured out the problem you are trying to solve from your few clues about the problem, although not necessarily a solution.

Possible problem: When the servers send to the multicast address, Switch 2 floods the packet out all ports because it doesn't know which port to use. Your original question was whether you could hard code a CAM entry for the multicast address on Switch 2 for the port that acts as a trunk to Switch 1. Your goal for doing this is to make the multicast only flow over to that port. I think that would work!? Did you try it?

The other solutions that might work are IGMP snooping, CGMP, or just a better arrangement of VLANs so that the switch forwards more appropriately.

You should also ask yourself whether this flooding is really a problem, however. Does it use much bandwidth? Probably not? (What are the servers sending to the firewall?) Does it disturb the recipients who incorrectly receive it? Probably not. If they are using good NICs, the NIC will know that the host didn't register to receive the multicast and trash it, without disturbing the CPU of the host.

In a previous message, you sent us to a URL that showed duplicate multicasts arriving because of a loop. Is that really what's happening? It's not what you seem to be saying in this message. If it is happening, then that is a serious problem. You need to avoid a loop by fixing either the physical or logical topology with properly formed LANs or VLANs.

Priscilla

Hitesh Pathak R wrote:

Pls see inline text for answers.

regds
Hitesh

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 04, 2003 4:02 AM
To: [EMAIL PROTECTED]
Subject: Re: Catalyst 6xxx switches and 2 firewall in clust [7:60235]

Can you help us understand the situation better? Thanks. See some questions inline.

l0stbyte wrote:

Hitesh Pathak R wrote:

Dear Group,

Need your help in setting up the following:

SETUP: There are 2 core switches, SW1 and SW2, connected back to back with both the SUP GE ports (fiber uplink, channeled and trunked). On one of the switches (SW1) I have 2 firewalls connected in cluster mode. For this clustered firewall I have bound the multicast mac address on the switch SW1, as the method recommended by the firewall vendor, with the command (set cam permanent).

On SW1, you have a permanent cam entry