Security Basics mailing list archives

RE: where should I start? help!


From: Jane Han <janehan22 () yahoo com>
Date: Fri, 25 Jul 2003 07:52:44 -0700 (PDT)

Thank you so much for all your help.  Finally, I found the problem: many streaming radio or video services use port 554.

If I want to block all streaming radio or video on the PIX, can I use

    access-list 100 deny tcp any any eq 554
    access-list 100 deny udp any any eq 554

Any other suggestions or concerns?

Thanks again,

Jane


--- "ALLEN, DONALD S (AIT)" <da1295 () sbc com> wrote:
Show Conns or show conns? 
Show Xlate or show xlate? 

And using the PDM web module are ways to get Pix information without a sniffer.

 

-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com] 
Sent: Thursday, July 24, 2003 9:08 AM
To: Ben Hicks; security-basics () securityfocus com;
Gregory_DeGennaro () csaa com
Cc: security-basics () securityfocus com
Subject: RE: where should I start? help!


Thanks for all help.  If I want to find all traffic on the PIX internal interface, what should I do?  Using a sniffer?  How do I position the sniffer?  How can I span a port on the PIX, or do I have to do spanning on the switch?

Any suggestions or help will be highly appreciated.


switch ---PIX---external router

The external router serial interface status is as follows:

Serial0/0 is up, line protocol is up
  Hardware is DSCC4 Serial
  Internet address is a.b.c.d/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 24/255, rxload 235/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:05, output 00:00:01, output hang never
  Last clearing of "show interface" counters 1d23h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/100 (size/max)
  30 second input rate 1424000 bits/sec, 230 packets/sec
  30 second output rate 147000 bits/sec, 161 packets/sec
     16859032 packets input, 2850828712 bytes, 0 no buffer
     Received 17055 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     13720059 packets output, 3084799197 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up


Thanks in advance,

Jane
--- Ben Hicks <ben () sequenced net> wrote:
Hmm, so the firewall is performing the NAT then.

Just out of interest, what is the firewall doing?  Does it have any access lists on it?

Thanks,

Ben



-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com]
Sent: 15 July 2003 16:20
To: Ben Hicks; security-basics () securityfocus com
Subject: RE: where should I start? help!


Ben,

I appreciate your answer.  I enabled IP accounting, and the IP accounting only shows the destination address as a public address (NAT).  Is there a way that I can trace this public IP address (NAT) to the internal private IP address?

Thanks,

Jane

--- Ben Hicks <ben () sequenced net> wrote:
The interface is very heavily utilised on the receiving of information, i.e. persons downloading.

Your interface (at the time of the snapshot) was very heavily utilised.  188/255 RX suggests that your link is about 75% utilised, which is very high.

There are of course many other things that could be contributing to the problem, but I would start here.

You could perhaps enable ip accounting to find out which IP addresses are accessing the most information.

HTH

Ben.

-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com]
Sent: 08 July 2003 15:41
To: security-basics () securityfocus com
Subject: where should I start? help!


Hi, all

I am relatively new to this field.  We have a full T1 but the internet speed is very slow.  Sometimes it's even slower than dial-up speed when downloading files.

           E1     E0    E0                   s0
Switch ---   PIX ------Cisco 2600 Router------Internet

(E1 and E0 are Ethernet interfaces and S0 is the serial interface) (please see the following status on S0)

Serial0/0 is up, line protocol is up
  Hardware is QUICC Serial
  Internet address is X.X.X.X/30
  MTU 1500 bytes, BW 2048 Kbit, DLY 20000 usec,
     reliability 255/255, txload 26/255, rxload 188/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:02, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/9199/0 (size/max/drops/flushes); Total output drops: 3307
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/3307 (size/max total/threshold/drops)
     Conversations  0/57/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
  30 second input rate 1510000 bits/sec, 235 packets/sec
  30 second output rate 214000 bits/sec, 173 packets/sec
     76598509 packets input, 1523011153 bytes, 0 no buffer
     Received 104544 broadcasts, 0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
     66685034 packets output, 4044743843 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

I checked the S0 interface status on the internet

=== message truncated ===



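Ben's reading of the rxload counter (188/255 is roughly 75% of the link), carried through as an added example that is not code from this thread: it parses the fields of an IOS "show interface" snapshot and reports inbound utilisation and queue drops. The two snapshots embedded below are reconstructed from the ones quoted above (addresses masked as on the list); the 70% threshold is an assumed triage value.

```python
import re
# Constructed samples: the two "show interface Serial0/0" snapshots quoted in this thread, not live output.
SNAPSHOT_JULY8 = """\
  MTU 1500 bytes, BW 2048 Kbit, DLY 20000 usec,
     reliability 255/255, txload 26/255, rxload 188/255
  Input queue: 0/75/9199/0 (size/max/drops/flushes); Total output drops: 3307
  30 second input rate 1510000 bits/sec, 235 packets/sec
  30 second output rate 214000 bits/sec, 173 packets/sec
"""
SNAPSHOT_JULY24 = """\
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 24/255, rxload 235/255
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  30 second input rate 1424000 bits/sec, 230 packets/sec
  30 second output rate 147000 bits/sec, 161 packets/sec
"""

def parse_show_interface(text):
    """Extract the utilisation-relevant counters from IOS 'show interface' output."""
    def grab(pattern):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("field not found: " + pattern)
        return int(m.group(1))
    return {
        "bw_bps": grab(r"BW (\d+) Kbit") * 1000,  # IOS reports BW in kilobits/sec
        "txload": grab(r"txload (\d+)/255"),
        "rxload": grab(r"rxload (\d+)/255"),
        "in_bps": grab(r"input rate (\d+) bits/sec"),
        "out_bps": grab(r"output rate (\d+) bits/sec"),
        "in_drops": grab(r"Input queue: \d+/\d+/(\d+)/\d+"),
        "out_drops": grab(r"Total output drops: (\d+)"),
    }

def utilisation(stats):
    """Inbound link usage in percent, from the x/255 load counter and from the 30 s input rate."""
    return {
        "rx_load_pct": round(stats["rxload"] * 100 / 255, 1),
        "rx_rate_pct": round(stats["in_bps"] * 100 / stats["bw_bps"], 1),
    }

def assess(stats, threshold_pct=70.0):
    """First-pass triage: flag heavy inbound load (the thread's 75% case) and any queue drops."""
    u, findings = utilisation(stats), []
    if u["rx_load_pct"] >= threshold_pct:
        findings.append("inbound %.1f%% utilised" % u["rx_load_pct"])
    if stats["in_drops"] or stats["out_drops"]:
        findings.append("drops: %d in, %d out" % (stats["in_drops"], stats["out_drops"]))
    return findings
```

Both snapshots give the same figure from the load counter and from the 30 second rate; the 8 July one also shows queue drops, which the 24 July one on the 1544 Kbit link does not.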