RE: Cisco Pix UDP Built

[James Fields <jvfields () tds net>]

faddr is a "foreign address" or "outside" machine.  gaddr is a "global
address" which is basically a NAT address.  laddr is a "local address"
which is being protected behind the global/NAT address.  The message
format generally puts the source first, then the destination.  Cisco's
web site has PDF documents listing every Pix syslog message with format
and explanations;  however Cisco changes the format and sometimes the
syslog numbering for various messages.  For example, the standard
"built/teardown a TCP/UDP" connection messages actually changes numbers
between PIX code 6.1 and 6.2,  which is annoying for people who use
products such as the one you're trying to create.

On Wed, 2003-06-18 at 13:07, Mann, Bobby wrote:
>  Hi Verde,
>
> You know in my opinion Cisco has one of the best support sites in the world.
> I don't believe there is a single product that can't be deployed using only
> their website.
>
>
> Example of what you asked for:
>
> Log Message %PIX-6-302005: Built UDP connection for faddr IP_addr/port gaddr
> IP_addr/port laddr IP_addr/port
>
> Explanation   This is a connection-related message. This message is logged
> when a UDP connection is started to foreign address faddr using the global
> address gaddr from local address laddr.
>
> http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_messag
> e_guide_chapter09186a00800896b2.html
>
>
>
> -----Original Message-----
> From: Amodiovalerio Verde
> To: security-basics () securityfocus com
> Sent: 6/18/03 7:14 AM
> Subject: Cisco Pix UDP Built
>
>
>
> Hi all,
>
>
>
> I'm writing a tool to manage and analyze the logs coming from Cisco Pix 
>
> and module FWSM.
>
>
>
> All the logs are sent to a syslog server to collect and analyze them in 
>
> realtime.
>
>
>
> I've a problem with a PIX message I couldn't understand the behaviour.
>
>
>
> The message is the %PIX|FWSM-6-302005 and it is related to a Build 
>
> connection...the format is
>
>
>
> Built UDP connection for faddr 1.1.1.1/1 gaddr 2.2.2.2/2 laddr 3.3.3.3/3
>
>
>
> The problem is that I cannot be sure of the direction of the connection,
>
>
> i.e. I don't know if it was the faddr opening a connection to laddr, or 
>
> viceversa.
>
>
>
> Cisco Pix seems just to ignore the direction of the connection ( that in
>
>
> the TCP Build is specified as inbound or outbound ).
>
>
>
> Can anybody give me some clue about this behaviour ? it's a pix 'limit'
> ?
>
>
>
> Thanks in advance
>
>
>
> Amodiovalerio Verde
>
> ------------------------------------------------------------------------
> ---
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
> analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
>      
> Find out why, and see how you can get plug-n-play secure remote access
> in
> about an hour, with no client, server changes, or ongoing maintenance.
>           
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ------------------------------------------------------------------------
> ----
>
> ---------------------------------------------------------------------------
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
>      
> Find out why, and see how you can get plug-n-play secure remote access in
> about an hour, with no client, server changes, or ongoing maintenance.
>           
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ----------------------------------------------------------------------------
-- 
----------------
jvfields () tds net


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------