Cisco PIX 515 UR - From where comes the traffic??

Discussion in 'Cisco' started by Tobias Korb, Dec 14, 2004.

  1. Tobias Korb

    Tobias Korb Guest

    Hello together,

    I have a PIX 515 UR and I have a lot of traffic on the outside interface.
    How can I check:
    - where is the traffic from
    - what kind of traffic is it (ports, for example 25 = smtp)

    best regards,
    Tobi
     
    Tobias Korb, Dec 14, 2004
    #1

  2. In article <cpn3g4$eto$03$-online.com>,
    Tobias Korb <> wrote:
    :I have a PIX 515 UR and I have a lot of traffic on the outside interface.
    :How can I check:
    :- where is the traffic from
    :- what kind of traffic is it (ports, for example 25 = smtp)

    There is no summary accounting available in the PIX itself, so you
    will have to use one of the other possibilities:

    1) debug packet outside and watch the packets to see what's flowing
    through. This is not recommended on a production system!!!

    2) In PIX 6.3, you can set up a 'capture' to keep a copy of
    a representative set of packets, and then examine the packets
    afterwards. This would normally be used for debugging tricky
    issues. It isn't as hard on the PIX as using the 'debug' command,
    but it isn't designed for what you are looking for either.

    3) Turn your logging level up to 6 and examine the logs.
    logging buffered will keep roughly the last 40 syslog messages,
    which usually isn't enough to really get a feel for what the traffic
    is. You would thus normally turn on syslog on a host, configure
    the PIX with logging host to tell it to send logs to that host,
    and then configure logging trap 6 to tell it to send severity 6
    and more important messages to the syslog server. Then on the
    syslog server, examine the log produced. The log will have
    IP addresses and ports.


    If you are running a PIX for a corporate IP block, likely
    a *lot* of the traffic is automated (and random) attempts to
    take over your computers by using known exploits (e.g.,
    "malformed packet to any of half a dozen ports will allow
    an intruder to take control of your Windows machine"). These packets
    will seldom be "personal" attacks: they just scan -everything-
    and hope to get lucky.

    A noticeable number of the packets (but far less than the above)
    will be scans looking for open smtp ports that can be used either
    to relay spam to other services, or to just send spam to a dictionary
    of possible usernames at the host in hopes that the spam will get
    read by -someone-.

    One problem that is on the increase is that there are automated
    tools that scan for ssh ports and then try dictionary attacks
    against known usernames and potential passwords. If you are running
    an ssh server, make sure that your users have good passwords,
    especially if their name happens to be 'root' or 'guest'.
    --
    Oh, to be a Blobel!
     
    Walter Roberson, Dec 14, 2004
    #2
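
Added example (not part of any post in this thread): a script to run on the syslog server from option 3 that counts outside-interface traffic by source address and destination port. It assumes the PIX 6.3 message formats for 302013 (connection built) and 106023 (denied by ACL), both of which are sent at `logging trap 6`; the log lines, addresses and ACL name are constructed samples.

```python
import re
from collections import Counter

# Constructed sample (documentation addresses), modelled on PIX 6.3 messages
# 302013 (inbound connection built) and 106023 (packet denied by an ACL).
SAMPLE_LOG = """\
Dec 14 2004 10:01:02 pix %PIX-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/40112 (198.51.100.7/40112) to inside:10.0.0.5/25 (203.0.113.5/25)
Dec 14 2004 10:01:03 pix %PIX-4-106023: Deny tcp src outside:198.51.100.9/3312 dst inside:203.0.113.5/445 by access-group "outside_in"
Dec 14 2004 10:01:03 pix %PIX-4-106023: Deny tcp src outside:198.51.100.9/3313 dst inside:203.0.113.6/135 by access-group "outside_in"
Dec 14 2004 10:01:04 pix %PIX-4-106023: Deny tcp src outside:192.0.2.44/51022 dst inside:203.0.113.5/22 by access-group "outside_in"
Dec 14 2004 10:01:05 pix %PIX-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.7/40113 (198.51.100.7/40113) to inside:10.0.0.5/25 (203.0.113.5/25)
Dec 14 2004 10:01:06 pix %PIX-4-106023: Deny udp src outside:198.51.100.9/1050 dst inside:203.0.113.7/1434 by access-group "outside_in"
Dec 14 2004 10:01:09 pix %PIX-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/40112 to inside:10.0.0.5/25 duration 0:00:07 bytes 2048 TCP FINs
"""

# Only packets whose source is on the interface named "outside" are counted.
PATTERNS = {
    "built": re.compile(
        r"%PIX-\d-302013: Built inbound (?P<proto>\w+) connection \d+ for "
        r"outside:(?P<src>[\d.]+)/\d+ \([^)]*\) to [\w-]+:[\d.]+/(?P<dport>\d+)"),
    "deny": re.compile(
        r"%PIX-\d-106023: Deny (?P<proto>\w+) src outside:(?P<src>[\d.]+)/\d+ "
        r"dst [\w-]+:[\d.]+/(?P<dport>\d+)"),
}

def summarize(lines):
    """Return (per-source counts, per-service counts, unparsed line count)."""
    sources, services, skipped = Counter(), Counter(), 0
    for line in lines:
        for action, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                sources[m["src"]] += 1
                services[(action, m["proto"].lower(), int(m["dport"]))] += 1
                break
        else:
            skipped += 1  # teardowns, port-less ICMP denies, other message ids
    return sources, services, skipped

if __name__ == "__main__":
    sources, services, skipped = summarize(SAMPLE_LOG.splitlines())
    for src, n in sources.most_common(5):
        print(f"{n:5d}  {src}")
    for (action, proto, port), n in services.most_common(5):
        print(f"{n:5d}  {action:5s} {proto}/{port}")
    print(f"{skipped} lines not parsed")
```

On a real server, pass the opened syslog file to `summarize()` instead of the sample; a large `skipped` count means the regular expressions need adjusting to the message ids your PIX actually emits.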

  3. Tobias Korb

    jarcar Guest

    Tobias Korb wrote:
    > Hello together,
    >
    > I have a PIX 515 UR and I have a lot of traffic on the outside interface.
    > How can I check:
    > - where is the traffic from
    > - what kind of traffic is it (ports, for example 25 = smtp)
    >

    show conn

    regards
     
    jarcar, Dec 15, 2004
    #3
