Security Basics mailing list archives
RE: where should I start? help!
From: "DeGennaro, Gregory" <Gregory_DeGennaro () csaa com>
Date: Thu, 24 Jul 2003 08:30:30 -0700
Your rxload is still high. Did you apply ip route-cache to serial 0/0? The sniffer will be spanned off your switch.

Regards,
Greg DeGennaro Jr., CCNP
Security Analyst

-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com]
Sent: Thursday, July 24, 2003 7:08 AM
To: Ben Hicks; security-basics () securityfocus com; Gregory_DeGennaro () csaa com
Cc: security-basics () securityfocus com
Subject: RE: where should I start? help!

Thanks for all the help. If I want to find all traffic on the PIX internal interface, what should I do? Use a sniffer? How do I position the sniffer? How can I span a port on the PIX, or do I have to do the spanning on the switch? Any suggestions or help will be highly appreciated.

switch ---PIX---external router

The external router serial interface status is as follows:

Serial0/0 is up, line protocol is up
  Hardware is DSCC4 Serial
  Internet address is a.b.c.d/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 24/255, rxload 235/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:05, output 00:00:01, output hang never
  Last clearing of "show interface" counters 1d23h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/100 (size/max)
  30 second input rate 1424000 bits/sec, 230 packets/sec
  30 second output rate 147000 bits/sec, 161 packets/sec
     16859032 packets input, 2850828712 bytes, 0 no buffer
     Received 17055 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     13720059 packets output, 3084799197 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up DSR=up DTR=up RTS=up CTS=up

Thanks in advance,
Jane

--- Ben Hicks <ben () sequenced net> wrote:
Hmm, so the firewall is performing the NAT then. Just out of interest, what is the firewall doing? Does it have any access lists on it?

Thanks,
Ben

-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com]
Sent: 15 July 2003 16:20
To: Ben Hicks; security-basics () securityfocus com
Subject: RE: where should I start? help!

Ben,

I appreciate your answer. I enabled IP accounting, and the IP accounting only shows the destination address as the public address (NAT). Is there a way that I can trace this public IP address (NAT) to the internal private IP address?

Thanks,
Jane

--- Ben Hicks <ben () sequenced net> wrote:

The interface is very heavily utilised on the receiving of information - i.e. persons downloading. Your interface (at the time of the snapshot) was very heavily utilised. 188/255 RX suggests that your link is about 75% utilised, which is very high. There are of course many other things that could be attributing to the problem, but I would start here. You could perhaps enable ip accounting to find out which IP addresses are accessing the most amount of information.

HTH
Ben.

-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com]
Sent: 08 July 2003 15:41
To: security-basics () securityfocus com
Subject: where should I start? help!

Hi, all

I am relatively new to this field. We have a full T1, but the internet speed is very slow. Sometimes it's even slower than dial-up speed when downloading files.
       E1    E0       E0                 s0
Switch --- PIX ------Cisco 2600 Router------Internet

(E1 and E0 are Ethernet interfaces and S0 is the serial interface)
(please see the following status on s0)

Serial0/0 is up, line protocol is up
  Hardware is QUICC Serial
  Internet address is X.X.X.X/30
  MTU 1500 bytes, BW 2048 Kbit, DLY 20000 usec,
     reliability 255/255, txload 26/255, rxload 188/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:02, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/9199/0 (size/max/drops/flushes); Total output drops: 3307
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/3307 (size/max total/threshold/drops)
     Conversations 0/57/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
  30 second input rate 1510000 bits/sec, 235 packets/sec
  30 second output rate 214000 bits/sec, 173 packets/sec
     76598509 packets input, 1523011153 bytes, 0 no buffer
     Received 104544 broadcasts, 0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
     66685034 packets output, 4044743843 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up DSR=up DTR=up RTS=up CTS=up

I checked the S0 interface status on the internet router. What info does the above indicate? What do input and output packets mean in the case where internal users download files from the internet? I really do not know how to find out where all the traffic is from. I bet there are lots of downloads from the internet. Where should I start?

BTW, we have one block of class C public addresses, but the PIX only uses 30 for NAT and one global pool address:

global (outside) 1 x.x1.x2.201-x.x1.x2.230
global (outside) 1 x.x1.x2.200

Could this cause the slowness in internet speed also?

Thanks in advance,
Jane

__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com
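As an added example (not from anyone in the thread), a small Python script that pulls the figures Ben reads above out of a `show interface` snapshot, checks that rxload/255 agrees with the 30-second input rate divided by the configured BW, and flags the queue drops; the sample text is the thread's own snapshot cut down, and the 70% "busy" threshold is my assumption.

```python
import re

# Constructed sample: the thread's Serial0/0 snapshot, cut to the lines this parser reads.
SHOW_INTERFACE = """\
Serial0/0 is up, line protocol is up
  MTU 1500 bytes, BW 2048 Kbit, DLY 20000 usec,
     reliability 255/255, txload 26/255, rxload 188/255
  Input queue: 0/75/9199/0 (size/max/drops/flushes); Total output drops: 3307
  30 second input rate 1510000 bits/sec, 235 packets/sec
  30 second output rate 214000 bits/sec, 173 packets/sec
"""

# field name -> regex whose group 1 is the integer to keep
FIELDS = {
    "bw_kbit": r"BW (\d+) Kbit",                    # BW the load counters are scaled to
    "rxload": r"rxload (\d+)/255",                  # IOS inbound load, 0..255
    "in_bps": r"input rate (\d+) bits/sec",         # 30 second averages
    "out_bps": r"output rate (\d+) bits/sec",
    "in_drops": r"Input queue: \d+/\d+/(\d+)/\d+",  # size/max/DROPS/flushes
    "out_drops": r"Total output drops: (\d+)",
}

def parse_show_interface(text: str) -> dict:
    stats = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"{name} not found in show interface output")
        stats[name] = int(m.group(1))
    return stats

def utilisation(stats: dict) -> dict:
    """Share of BW used in each direction from the rate lines, plus what rxload/255 claims."""
    bw_bps = stats["bw_kbit"] * 1000
    return {"rx": stats["in_bps"] / bw_bps,
            "tx": stats["out_bps"] / bw_bps,
            "rx_from_load": stats["rxload"] / 255}   # should agree with "rx"

def assess(stats: dict, busy: float = 0.70) -> list:
    """Findings a first look at the snapshot should raise (busy = 70% of BW, an assumption)."""
    u, findings = utilisation(stats), []
    if u["rx"] >= busy:
        findings.append(f"inbound {u['rx']:.0%} of BW: find the heavy downloaders")
    if u["tx"] >= busy:
        findings.append(f"outbound {u['tx']:.0%} of BW: outbound traffic also heavy")
    if stats["in_drops"]:
        findings.append(f"{stats['in_drops']} input queue drops: router not keeping up on ingress")
    if stats["out_drops"]:
        findings.append(f"{stats['out_drops']} output drops: egress queue overflowed at times")
    return findings
```

Run on the later DSCC4 snapshot in the thread (BW 1544 Kbit, 1424000 bits/sec in) the same code reports about 92% inbound, matching its rxload of 235/255.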
---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leaderinmarketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
Current thread:
- RE: where should I start? help! DeGennaro, Gregory (Jul 24)
- <Possible follow-ups>
- RE: where should I start? help! Jane Han (Jul 24)
- RE: where should I start? help! DeGennaro, Gregory (Jul 24)
- RE: where should I start? help! ALLEN, DONALD S (AIT) (Jul 24)
- RE: where should I start? help! Jane Han (Jul 24)
- RE: where should I start? help! Jane Han (Jul 25)
- Re: where should I start? help! Jude Naidoo (Jul 28)
- RE: where should I start? help! David Gillett (Jul 28)
- RE: where should I start? help! DeGennaro, Gregory (Jul 28)
- RE: where should I start? help! DeGennaro, Gregory (Jul 28)