PIX - loss of connection to it - and stopping peer to peer

Discussion in 'Cisco' started by barret bonden, Oct 22, 2006.

  1. A new PIX Version 6.3(5): I get random loss of connectivity to it; ping
    and telnet refused (from a PC directly into one of its ports); during
    this time the console is fine and syslog shows other users working, and of
    course I can't get on the web; these other users will later report the same
    issues. 8 PCs on the LAN. I clear xlate and the ARP table, all to no avail.

    Is this due to connection limits on the PIX? I read in Richard Deal's
    book that the 501 limits use based on the number of PCs it sees; I
    assume this translates to ARP tables?

    Practically it seems, so far, that the number of connections as reported in
    "sh conn count" is the relevant issue (I can't get on when this number gets
    high); but, oddly, I see reports of well over 40, with many more idle; so
    what is the limiting factor, devices on the LAN pointing to the PIX's inside
    or the connections in use? And would this even be the cause of telnets
    being refused?



    The larger issue here is this is the same general symptom experienced with
    a D-Link 604 which the PIX replaced. We were getting hit by lots of
    peer-to-peer looking connections (using the Limewire port) which I blocked
    with the D-link's "firewall" feature. Most users could never get to the web
    when the D-Link's log showed large numbers of denials with this port.

    I've attempted to stop these processes with a series of access-lists,
    which brings me to my other question: how best to use the PIX to stop peer
    to peer? I tried this:

    access-list bs deny tcp any any eq 3646

    which seems to work, as I see in the logs. Also, I don't understand why,
    when I add a similar command to an inside access-group, I seem to stop more
    communication than I'd like ...





    ------------------

    pixfirewall# sh conn count

    32 in use, 138 most used

    pixfirewall# sh conn count

    36 in use, 138 most used

    pixfirewall# sh conn count

    -----------------------------------

    Cisco PIX Firewall Version 6.3(5)
    Cisco PIX Device Manager Version 3.0(4)

    Compiled on Thu 04-Aug-05 21:40 by morlee

    pixfirewall up 2 hours 18 mins

    Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
    Flash E28F640J3 @ 0x3000000, 8MB
    BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

    0: ethernet0: address is 0016.9dda.e63e, irq 9
    1: ethernet1: address is 0016.9dda.e63f, irq 10
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    Maximum Physical Interfaces: 2
    Maximum Interfaces: 2
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: 10
    Throughput: Unlimited
    IKE peers: 10

    This PIX has a Restricted (R) license.

    Serial Number: 810193105 (0x304a90d1)
    Running Activation Key: 0x49f008db 0xd09fdf38 0x9b9c0e6e 0x2ac6f9fc
    Configuration last modified by enable_15 at 09:59:02.990 UTC Sun Oct 22 2006


    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password RKu3p1CF3TrlG1v9 encrypted
    passwd FRou7zzj.tp5/Po3 encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list bs deny tcp any any eq 3646
    access-list bs deny tcp any any eq 3260
    access-list bs deny tcp any any eq 3266
    access-list bs deny tcp any any eq 34927
    access-list bs deny tcp any any eq 65420
    access-list bs deny tcp any any eq 8820
    access-list bs deny tcp any any eq 6346
    access-list bs deny tcp any any eq 26768
    access-list bs deny tcp any any eq 1035
    access-list bs deny tcp any any eq 1129
    access-list bs deny tcp any any eq 1038
    access-list bs deny tcp any any eq 1170
    access-list bs deny tcp any any eq 3486
    pager lines 24
    logging on
    logging trap debugging
    logging host inside 192.168.0.3
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.0.1 255.255.255.0
    ip audit name checkit info action alarm
    ip audit interface outside checkit
    ip audit attack action reset
    pdm location 192.168.0.118 255.255.255.255 inside
    pdm location 192.168.1.2 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group bs in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.0.118 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.0.100-192.168.0.131 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:35ec9e8be0c77b2a48588b5dea71f0bf
    : end
     
    barret bonden, Oct 22, 2006
    #1
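    The "stops more communication than I'd like" effect in the post above comes from a
    property every PIX access-list has: entries are tried in order, the first match
    wins, and a packet that matches no entry hits the implicit deny at the end of the
    list. A list made only of deny entries therefore blocks everything once it is bound
    to the inside interface. The script below is an added illustration, not the poster's
    configuration or Cisco code; it simulates that evaluation order over two of the
    poster's own `access-list bs` lines, once as written and once with a closing
    `permit ip any any`, against constructed sample flows (the 192.168.0.118 address is
    from the posted config, the 198.51.100.x addresses are documentation-range stand-ins).

```python
"""Simulate how a PIX 6.x access-list is evaluated: entries are checked in
order, the first match wins, and anything that matches nothing is dropped by
the implicit deny at the end of the list.  Added example, not the poster's
config or Cisco code; the flows below are constructed sample traffic."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Two of the poster's own entries, as they would be applied on the inside
# interface (only denies, no closing permit).
ORIGINAL_BS = """
access-list bs deny tcp any any eq 3646
access-list bs deny tcp any any eq 6346
"""

# Same list with an explicit permit appended, so that only the ports named
# in the deny entries are blocked.
FIXED_BS = ORIGINAL_BS + "access-list bs permit ip any any\n"


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: int | None         # None means any destination port
    text: str                    # the original config line


def _parse_addr(tokens: list[str], idx: int) -> tuple[ipaddress.IPv4Network, int]:
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[idx]."""
    tok = tokens[idx]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), idx + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[idx + 1] + "/32"), idx + 2
    return ipaddress.ip_network(f"{tok}/{tokens[idx + 1]}", strict=False), idx + 2


def parse_acls(config_text: str) -> dict[str, list[Ace]]:
    """Collect access-list lines from a config dump, keyed by list name."""
    acls: dict[str, list[Ace]] = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, idx = _parse_addr(tokens, 4)
        dst, idx = _parse_addr(tokens, idx)
        dst_port = None
        if idx + 1 < len(tokens) and tokens[idx] == "eq":
            dst_port = int(tokens[idx + 1])
        acls.setdefault(name, []).append(
            Ace(action, proto, src, dst, dst_port, raw.strip()))
    return acls


def evaluate(aces: list[Ace], proto: str, src: str, dst: str,
             dst_port: int | None = None) -> tuple[str, str]:
    """Return (action, matching entry) for one flow; first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, ace.text
    return "deny", "<implicit deny at end of list>"


# Constructed flows from an inside PC (the pdm location address in the
# posted config) to documentation-range addresses standing in for the Internet.
SAMPLE_FLOWS = {
    "web":      ("tcp", "192.168.0.118", "198.51.100.10", 80),
    "dns":      ("udp", "192.168.0.118", "198.51.100.53", 53),
    "gnutella": ("tcp", "192.168.0.118", "198.51.100.99", 6346),
}


def outcomes(config_text: str, flows=SAMPLE_FLOWS) -> dict[str, str]:
    """Map each named flow to 'permit' or 'deny' under access-list bs."""
    aces = parse_acls(config_text)["bs"]
    return {name: evaluate(aces, *flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_BS), ("with permit", FIXED_BS)):
        print(label, outcomes(cfg))
```

    Run as written, the original list denies all three flows, because web and DNS fall
    through to the implicit deny; with the closing permit only the port 6346 flow is
    blocked. The same implicit deny is why the list does little harm on the outside
    interface: unsolicited inbound traffic is dropped there anyway, so the posted deny
    entries only become significant once the list is bound inbound on the inside interface.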

  2. "barret bonden" <> wrote in message
    news:LaP_g.24$...
    > A new PIX Version 6.3(5): I get random loss of connectivity to it; ping
    > and telnet refused (from a PC directly into one of its ports); during
    > this time the console is fine and syslog shows other users working, and of
    > course I can't get on the web; these other users will later report the
    > same issues. 8 PCs on the LAN. I clear xlate and the ARP table, all to no
    > avail.
    >
    > Is this due to connection limits on the PIX? I read in Richard Deal's
    > book that the 501 limits use based on the number of PCs it sees; I
    > assume this translates to ARP tables?
    >
    > Practically it seems, so far, that the number of connections as reported
    > in "sh conn count" is the relevant issue (I can't get on when this number
    > gets high); but, oddly, I see reports of well over 40, with many more
    > idle; so what is the limiting factor, devices on the LAN pointing to the
    > PIX's inside or the connections in use? And would this even be the cause
    > of telnets being refused?
    >


    Do you get "license limit of 10 exceeded" in your syslog ?
    If so, that is your answer.

    HTH
    Martin
     
    Martin Bilgrav, Oct 22, 2006
    #2

  3. "Martin Bilgrav" <> wrote in message
    news:LjS_g.777$2net.dk...

    >>

    >
    > Do you get "license limit of 10 exceeded" in your syslog ?
    > If so, that is your answer.
    >
    > HTH
    > Martin
    >
    >


    Also:

    pix501# sho local
    Interface inside: 3 active, 9 maximum active, 0 denied

    Will tell you if you have exceeded your limit (the denied count will
    increase).
     
    Martin Bilgrav, Oct 22, 2006
    #3
  4. In article <LaP_g.24$>,
    barret bonden <> wrote:
    > A new PIX Version 6.3(5): I get random loss of connectivity to it; ping
    >and telnet refused (from a PC directly into one of its ports); during
    >this time the console is fine and syslog shows other users working, and of
    >course I can't get on the web; these other users will later report the same
    >issues. 8 PCs on the LAN. I clear xlate and the ARP table, all to no avail.


    > Is this due to connection limits on the PIX? I read in Richard Deal's
    >book that the 501 limits use based on the number of PCs it sees; I
    >assume this translates to ARP tables?


    No, it isn't ARP tables.
    http://groups.google.ca/group/comp....hread/thread/38bf6ef94ac77f5/57c0825c8396fa88
     
    Walter Roberson, Oct 22, 2006
    #4
  5. Read your post in google groups, Walter; got it - and thank you.

    On the subject of stopping peer to peer processes: how might one do that
    with a PIX? Is my experiment with an access list on track?



    As in



    access-list bs deny tcp any any eq 6346

    access-group bs in interface outside



    "Walter Roberson" <> wrote in message
    news:tHS_g.174781$5R2.73338@pd7urf3no...
    > In article <LaP_g.24$>,
    > barret bonden <> wrote:
    >> A new PIX Version 6.3(5): I get random loss of connectivity to it; ping
    >>and telnet refused (from a PC directly into one of its ports); during
    >>this time the console is fine and syslog shows other users working, and of
    >>course I can't get on the web; these other users will later report the
    >>same issues. 8 PCs on the LAN. I clear xlate and the ARP table, all to
    >>no avail.

    >
    >> Is this due to connection limits on the PIX? I read in Richard Deal's
    >>book that the 501 limits use based on the number of PCs it sees; I
    >>assume this translates to ARP tables?

    >
    > No, it isn't ARP tables.
    > http://groups.google.ca/group/comp....hread/thread/38bf6ef94ac77f5/57c0825c8396fa88
     
    barret bonden, Oct 23, 2006
    #5
  6. In article <cdV_g.142$>,
    barret bonden <> wrote:
    > Read your post in google groups, Walter; got it - and thank you.


    >On the subject of stopping peer to peer processes: how might one do that
    >with a PIX?


    Upgrade to PIX 7 or a Cisco ASA and use the more advanced inspection
    capabilities, or switch to a Cisco IOS router with NBAR.

    >is my experiment with an access list on track ?


    >access-list bs deny tcp any any eq 6346


    Yes, no, sort of. The P2P software that uses fixed port numbers can
    often be blocked by blocking the master IP addresses instead
    (thus not allowing people to access the coordinating nodes.) But
    any modern P2P software uses varying port numbers and uses named
    hosts internally and alters the DNS addresses. Some of it will
    literally port-scan hosts, knocking on every port in hopes of finding
    a node living there. Some of it uses zombie PCs -- residential PCs
    that have been taken over without the owner's knowledge (possibly
    via a virus.)

    To control P2P, you should permit connections *only* to those
    hosts and ports that you *really* need (e.g., your business partners,
    your mail servers, your Usenet server), and block *everything* else
    until it can be proven innocent. But that can be a lot of work
    if your users have a lot of valid places to visit, so at that point
    you need to start using something between which inspects the traffic
    and ensures that it matches the official protocols for the ports
    permitted through. But -anything- can be tunneled over http...
     
    Walter Roberson, Oct 23, 2006
    #6
  7. Walter:



    The connection problems (dropped telnets, a LAN with fewer than 10 machines
    but people unable to get on until I cleared xlates and ARP tables or just
    pulled plugs) were diagnosed today by TAC as a hardware issue; I got an RMA
    and a quote from TAC that said in essence "the license is for 10 computers"
    and "you're right sir; it's the number of machines in the ARP table that
    defines the limit, having nothing to do with connections. A 10 user license
    allows 10 computers to communicate through the PIX in any way" - or so I
    understood.

    TAC also went on to say that he's seen this a number of times prior....

    ?
    Thought you'd find it interesting .... just more of a puzzle ....








    "Walter Roberson" <> wrote in message
    news:tHS_g.174781$5R2.73338@pd7urf3no...
    > In article <LaP_g.24$>,
    > barret bonden <> wrote:
    >> A new PIX Version 6.3(5): I get random loss of connectivity to it; ping
    >>and telnet refused (from a PC directly into one of its ports); during
    >>this time the console is fine and syslog shows other users working, and of
    >>course I can't get on the web; these other users will later report the
    >>same issues. 8 PCs on the LAN. I clear xlate and the ARP table, all to
    >>no avail.

    >
    >> Is this due to connection limits on the PIX? I read in Richard Deal's
    >>book that the 501 limits use based on the number of PCs it sees; I
    >>assume this translates to ARP tables?

    >
    > No, it isn't ARP tables.
    > http://groups.google.ca/group/comp....hread/thread/38bf6ef94ac77f5/57c0825c8396fa88
     
    barret bonden, Oct 26, 2006
    #7
  8. In article <0dU%g.582$>,
    barret bonden <> wrote:

    >Walter:


    > The connection problems (dropped telnets, a LAN with fewer than 10 machines
    >but people unable to get on until I cleared xlates and ARP tables or just
    >pulled plugs) were diagnosed today by TAC as a hardware issue;


    Yah, that can happen, especially if the power supply connector is loose.

    >I got an RMA
    >and a quote from TAC that said in essence "the license is for 10 computers"
    >and "you're right sir; it's the number of machines in the ARP table that
    >defines the limit, having nothing to do with connections. A 10 user license
    >allows 10 computers to communicate through the PIX in any way" - or so I
    >understood.


    I'm -sure- the license limit isn't based upon the ARP tables: it is
    based upon the number of host containers, and host containers are a
    function of xlates. If a host pings the PIX or connects to it
    for management purposes, then no host container is built. I've traced
    through quite enough log entries to have seen the triggers.

    If the TAC employee said it was based upon the ARP entries, then
    the TAC employee was wrong.

    (If the implication of that is that I believe I know the PIX better
    than that TAC does... well, that wouldn't be inconsistent with my
    experiences with the first-level of TAC.)
     
    Walter Roberson, Oct 26, 2006
    #8
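    Two counters on the box itself settle the "is it the license?" question raised by
    Martin's `sho local` post (#3) and Walter's host-container explanation above: the
    per-interface summary that `show local-host` prints (active, maximum active, denied)
    and the "license limit of N exceeded" text Martin says to look for in syslog. Neither
    depends on the ARP table, which matches Walter's point that containers are built from
    xlates and that pinging or managing the PIX does not create one. The script below is
    an added example, not code from the thread or from Cisco: it parses Martin's summary
    line verbatim, plus a constructed saturated one, and counts syslog lines carrying the
    license phrase (the sample syslog lines are constructed; only the quoted phrase comes
    from the thread, and the 10-host figure is the `Inside Hosts: 10` value in the posted
    `show version`).

```python
"""Check whether a PIX 501's host license, rather than its connection count,
is what is rejecting traffic.  Added example, not code from the thread or
from Cisco.  It parses the 'show local-host' summary line quoted in the thread
and searches syslog lines for the 'license limit of N exceeded' phrase
mentioned there; the sample syslog lines are constructed (only the quoted
phrase is taken from the thread, the surrounding fields are made up)."""
import re

LOCAL_HOST_RE = re.compile(
    r"Interface (?P<iface>\S+): (?P<active>\d+) active, "
    r"(?P<max_active>\d+) maximum active, (?P<denied>\d+) denied")
LICENSE_RE = re.compile(r"license limit of (?P<limit>\d+) exceeded")

# Martin's healthy output, verbatim from the thread.
HEALTHY = ("pix501# sho local\n"
           "Interface inside: 3 active, 9 maximum active, 0 denied\n")

# Constructed output for a box that has hit its 10-host license.
SATURATED = ("pix501# sho local\n"
             "Interface inside: 10 active, 10 maximum active, 27 denied\n")

# Constructed syslog lines; the license phrase is the one Martin quotes,
# everything else in these lines is made up for the example.
SYSLOG = [
    "Oct 22 2006 09:58:11 pixfirewall: Built outbound TCP connection 1201 "
    "for inside:192.168.0.118/1044 to outside:198.51.100.10/80",
    "Oct 22 2006 09:58:12 pixfirewall: Deny traffic from inside:192.168.0.122/1050 "
    "to outside:198.51.100.10/80, license limit of 10 exceeded",
    "Oct 22 2006 09:58:15 pixfirewall: Deny traffic from inside:192.168.0.122/1051 "
    "to outside:198.51.100.53/53, license limit of 10 exceeded",
]


def parse_local_host(output: str) -> dict:
    """Pull the per-interface counters out of 'show local-host' output."""
    for line in output.splitlines():
        m = LOCAL_HOST_RE.search(line)
        if m:
            d = m.groupdict()
            return {"iface": d["iface"], "active": int(d["active"]),
                    "max_active": int(d["max_active"]),
                    "denied": int(d["denied"])}
    raise ValueError("no 'Interface X: N active, ...' summary line in output")


def license_hits(syslog_lines) -> tuple[int, set[int]]:
    """Return (number of lines carrying the license phrase, limits seen)."""
    matches = [m for m in (LICENSE_RE.search(l) for l in syslog_lines) if m]
    return len(matches), {int(m.group("limit")) for m in matches}


def assess(local_host_output: str, syslog_lines, licensed_hosts: int) -> dict:
    """Combine both sources into one verdict on whether the license is the cause."""
    lh = parse_local_host(local_host_output)
    n_hits, limits = license_hits(syslog_lines)
    return {
        "interface": lh["iface"],
        "active_hosts": lh["active"],
        "peak_hosts": lh["max_active"],
        "headroom": licensed_hosts - lh["active"],
        "denied_by_license": lh["denied"],
        "syslog_hits": n_hits,
        "limits_reported": sorted(limits),
        "license_is_the_cause": lh["denied"] > 0 or n_hits > 0,
    }


if __name__ == "__main__":
    LICENSED = 10   # 'Inside Hosts: 10' from the posted show version
    print(assess(HEALTHY, [], LICENSED))
    print(assess(SATURATED, SYSLOG, LICENSED))
```

    With Martin's output and no license messages the verdict is negative and the box has
    seven hosts of headroom; with the constructed saturated output and the two license
    lines it is positive. A denied count that keeps climbing between two `show local-host`
    runs is the same signal Martin describes, taken over time.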
  9. Thought so.
    Many thanks.


    "Walter Roberson" <> wrote in message
    news:0fV%g.192120$5R2.12723@pd7urf3no...
    > In article <0dU%g.582$>,
    > barret bonden <> wrote:
    >
    >>Walter:

    >
    >> The connection problems (dropped telnets, a LAN with fewer than 10
    >>machines but people unable to get on until I cleared xlates and ARP tables
    >>or just pulled plugs) were diagnosed today by TAC as a hardware issue;

    >
    > Yah, that can happen, especially if the power supply connector is loose.
    >
    >>I got an RMA
    >>and a quote from TAC that said in essence "the license is for 10
    >>computers" and "you're right sir; it's the number of machines in the ARP
    >>table that defines the limit, having nothing to do with connections. A 10
    >>user license allows 10 computers to communicate through the PIX in any
    >>way" - or so I understood.

    >
    > I'm -sure- the license limit isn't based upon the ARP tables: it is
    > based upon the number of host containers, and host containers are a
    > function of xlates. If a host pings the PIX or connects to it
    > for management purposes, then no host container is built. I've traced
    > through quite enough log entries to have seen the triggers.
    >
    > If the TAC employee said it was based upon the ARP entries, then
    > the TAC employee was wrong.
    >
    > (If the implication of that is that I believe I know the PIX better
    > than that TAC does... well, that wouldn't be inconsistent with my
    > experiences with the first-level of TAC.)
     
    barret bonden, Oct 26, 2006
    #9
