RE: Cisco Pix UDP Built

["John Canty" <John.Canty () Vibro-Meter com>]

not too sure here but it's a stab at it.
The gaddr should be on the same subnet as the initiating connection.
Like I said, I really don't know the pix I handle I have shut off most
of the logging except for the warnings and critical faults. In order to
prevent from some serious violations of it's integrity, I change
passwords on a weekly basis.

//John

-----Original Message-----
From: Amodiovalerio Verde [mailto:amodiovalerio.verde () ags-it com] 
Sent: Wednesday, June 18, 2003 9:15 AM
To: security-basics () securityfocus com
Subject: Cisco Pix UDP Built




Hi all,



I'm writing a tool to manage and analyze the logs coming from Cisco Pix 

and module FWSM.



All the logs are sent to a syslog server to collect and analyze them in 

realtime.



I've a problem with a PIX message I couldn't understand the behaviour.



The message is the %PIX|FWSM-6-302005 and it is related to a Build 

connection...the format is



Built UDP connection for faddr 1.1.1.1/1 gaddr 2.2.2.2/2 laddr 3.3.3.3/3



The problem is that I cannot be sure of the direction of the connection,


i.e. I don't know if it was the faddr opening a connection to laddr, or 

viceversa.



Cisco Pix seems just to ignore the direction of the connection ( that in


the TCP Build is specified as inbound or outbound ).



Can anybody give me some clue about this behaviour ? it's a pix 'limit'
?



Thanks in advance



Amodiovalerio Verde

------------------------------------------------------------------------
---
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
analysts! The Gartner Group just put Neoteris in the top of its Magic
Quadrant, while InStat has confirmed Neoteris as the leader in
marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access
in about an hour, with no client, server changes, or ongoing
maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------