RE: where should I start? help!

["ALLEN, DONALD S (AIT)" <da1295 () sbc com>]

Show Conns or show conns? 
Show Xlate or show xlate? 

And using the PDM web module are ways to get Pix information without a
sniffer. 

 

-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com] 
Sent: Thursday, July 24, 2003 9:08 AM
To: Ben Hicks; security-basics () securityfocus com; Gregory_DeGennaro () csaa com
Cc: security-basics () securityfocus com
Subject: RE: where should I start? help!


Thanks for all help.  If I want to find all traffic on
the PIX internal interface, what should I do?  using
sniffer?  How do I position the sniffer?  How can I
span port on the PIX or I have to do spanning on the
switch?

Any suggestions or help will be highly appreciated.


switch ---PIX---external router

The exernal router serial interface status as follows: Serial0/0 is up, line
protocol is up
  Hardware is DSCC4 Serial
  Internet address is a.b.c.d/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 24/255, rxload
235/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:05, output 00:00:01, output hang
never
  Last clearing of "show interface" counters 1d23h
  Input queue: 0/75/0/0 (size/max/drops/flushes);
Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/100 (size/max)
  30 second input rate 1424000 bits/sec, 230
packets/sec
  30 second output rate 147000 bits/sec, 161
packets/sec
     16859032 packets input, 2850828712 bytes, 0 no
buffer
     Received 17055 broadcasts, 0 runts, 0 giants, 0
throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0
ignored, 0 abort
     13720059 packets output, 3084799197 bytes, 0
underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers
swapped out
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up


Thanks in advance,

Jane
--- Ben Hicks <ben () sequenced net> wrote:
> Hmm, So the firewall is performing the nat then.
>
> Just out of interest, what is the firewall doing?
> does it have any access
> lists on it ?
>
> Thanks,
>
> Ben
>
>
>
> -----Original Message-----
> From: Jane Han [mailto:janehan22 () yahoo com]
> Sent: 15 July 2003 16:20
> To: Ben Hicks; security-basics () securityfocus com
> Subject: RE: where should I start? help!
>
>
> Ben,
>
> I appreciate your answer.  I enabled the IP
> accounting
> and the IP accounting only shows the destination
> address as public address (NAT).  Is there a way
> that
> I can trace this public IP address (NAT) to
> the internal private IP address?
>
> Thanks,
>
> Jane
>
> --- Ben Hicks <ben () sequenced net> wrote:
> > The interface is very heavily utilised on the
> > receiving of information - i.e
> > persons downloading.
> >
> > Your interface (at the time of the snapshit) was
> > very heavily utilised.
> > 188/255 RX suggest that your link is about 75%
> > utilised, which is very high.
> >
> > There are of course many other things that could
> be
> > attirbuting to the
> > problem, but I would start here.
> >
> > You could perhaps enable ip accounting to find out
> > which IP addresses are
> > accessing the most amount of information.
> >
> > HTH
> >
> > Ben.
> >
> > -----Original Message-----
> > From: Jane Han [mailto:janehan22 () yahoo com]
> > Sent: 08 July 2003 15:41
> > To: security-basics () securityfocus com
> > Subject: where should I start? help!
> >
> >
> > Hi, all
> >
> > I am relatively new to this field.  We have full
> T1
> > but the internet speed is very slow.
> > Sometimes it's even slower than dial-up speed when downloading 
> > files.
> >       E1     E0    E0               s0
> > Switch ---   PIX ------Cisco 2600
> > Router------Internet
> >
> > (E1 and E0 are Ethernet Interface and S0 is serial
> > interface) (please see the following status on s0)
> >
> > Serial0/0 is up, line protocol is up
> >   Hardware is QUICC Serial
> >   Internet address is X.X.X.X/30
> >   MTU 1500 bytes, BW 2048 Kbit, DLY 20000 usec,
> >      reliability 255/255, txload 26/255, rxload
> > 188/255
> >   Encapsulation HDLC, loopback not set
> >   Keepalive set (10 sec)
> >   Last input 00:00:02, output 00:00:00, output
> hang
> > never
> >   Last clearing of "show interface" counters never
> >   Input queue: 0/75/9199/0
> (size/max/drops/flushes);
> > Total output drops: 3307
> >   Queueing strategy: weighted fair
> >   Output queue: 0/1000/64/3307 (size/max
> > total/threshold/drops)
> >      Conversations  0/57/256 (active/max
> active/max
> > total)
> >      Reserved Conversations 0/0 (allocated/max
> > allocated)
> >   30 second input rate 1510000 bits/sec, 235
> > packets/sec
> >   30 second output rate 214000 bits/sec, 173
> > packets/sec
> >      76598509 packets input, 1523011153 bytes, 0
> no
> > buffer
> >      Received 104544 broadcasts, 0 runts, 0
> giants,
> > 0
> > throttles
> >      1 input errors, 0 CRC, 1 frame, 0 overrun, 0
> > ignored, 0 abort
> >      66685034 packets output, 4044743843 bytes, 0
> > underruns
> >      0 output errors, 0 collisions, 1 interface
> > resets
> >      0 output buffer failures, 0 output buffers
> > swapped out
> >      0 carrier transitions
> >      DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
> >
> > I checked the S0 interface status on the internet
> > router.  What info does the above indicate?
> > What does input and output packets mean in case
> > internal users download files from internet?
> >
> > I really do not know how to find out where all
> > traffic
> > are from?  I bet there are lots of downloads
> > from internet.  Where should I start?
> >
> > BTW, we have one block class C public address.
> But
> > the PIX only use 30 for NAT and one
> > global pool address:
> > global (outside) 1 x.x1.x2.201-x.x1.x2.230
> > global (outside) 1 x.x1.x2.200
> >
> > Could this cause the slowness on internet speed
> > also?
> >
> > Thanks in advance,
> >
> > Jane
> >
> > __________________________________
> > Do you Yahoo!?
> > SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com
---------------------------------------------------------------------------
> > Evaluating SSL VPNs' Consider NEOTERIS, chosen as
> > leader by top analysts!
> > The Gartner Group just put Neoteris in the top of
> > its Magic Quadrant,
> > while InStat has confirmed Neoteris as the leader
> in
> > marketshare.
> >
> > Find out why, and see how you can get plug-n-play
> > secure remote access in
> > about an hour, with no client, server changes, or
> > ongoing maintenance.
> >
> > Visit us at:
> > http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
> >
>
>
> __________________________________
> Do you Yahoo!?
> SBC Yahoo! DSL - Now only $29.95 per month!
> http://sbc.yahoo.com
---------------------------------------------------------------------------
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as
> leader by top analysts!
> The Gartner Group just put Neoteris in the top of
> its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in
> marketshare.
>
> Find out why, and see how you can get plug-n-play
> secure remote access in
> about an hour, with no client, server changes, or
> ongoing maintenance.
>
> Visit us at:
> http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
>


__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------