Security Basics mailing list archives
RE: where should I start? help!
From: Dave <update () dsrtech com>
Date: Thu, 04 Sep 2003 19:58:59 -0400
Jane,

You enabled "ip accounting" on the router and are only seeing the NAT'd traffic? Try the commands "debug ip packet" and "debug ip nat". Be sure you ACL the "ip packet" command, as you can cause the router to reboot if it runs out of mem or proc.

Example from Cisco's site.

Router# debug ip packet
IP: s=172.16.13.44 (Fddi0), d=10.125.254.1 (Serial2), g=172.16.16.2, forward
IP: s=172.16.1.57 (Ethernet4), d=10.36.125.2 (Serial2), g=172.16.16.2, forward
IP: s=172.16.1.6 (Ethernet4), d=255.255.255.255, rcvd 2
IP: s=172.16.1.55 (Ethernet4), d=172.16.2.42 (Fddi0), g=172.16.13.6, forward
IP: s=172.16.89.33 (Ethernet2), d=10.130.2.156 (Serial2), g=172.16.16.2, forward
IP: s=172.16.1.27 (Ethernet4), d=172.16.43.126 (Fddi1), g=172.16.23.5, forward
IP: s=172.16.1.27 (Ethernet4), d=172.16.43.126 (Fddi0), g=172.16.13.6, forward
IP: s=172.16.20.32 (Ethernet2), d=255.255.255.255, rcvd 2
IP: s=172.16.1.57 (Ethernet4), d=10.36.125.2 (Serial2), g=172.16.16.2, access denied

Router# debug ip nat
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]

Table 64 describes the fields and messages.

Table 64  Debug IP NAT Field Descriptions

  Field                            Description
  NAT:                             Indicates that the packet is being translated by the
                                   network address translation feature. An asterisk (*)
                                   indicates the translation is occurring in the fast path.
                                   The first packet in a conversation always goes through
                                   the slow path (that is, process-switched). The remaining
                                   packets go through the fast path if a cache entry exists.
  s=192.168.1.95->172.31.233.209   Source address of the packet and how it is being translated.
  d=172.31.2.132                   Destination address of the packet.
  [6825]                           IP identification number of the packet. Might be useful in
                                   the debugging process to correlate with other packet traces
                                   from protocol analyzers.

Good luck.

On Thu, 2003-09-04 at 14:20, George Peek wrote:
Use Kiwi Syslog Daemon

-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com]
Sent: Thursday, July 24, 2003 7:08 AM
To: Ben Hicks; security-basics () securityfocus com; Gregory_DeGennaro () csaa com
Cc: security-basics () securityfocus com
Subject: RE: where should I start? help!

Thanks for all the help. If I want to find all traffic on the PIX internal interface, what should I do? Using a sniffer? How do I position the sniffer? How can I span a port on the PIX, or do I have to do the spanning on the switch? Any suggestions or help will be highly appreciated.

switch ---PIX---external router

The external router serial interface status is as follows:

Serial0/0 is up, line protocol is up
  Hardware is DSCC4 Serial
  Internet address is a.b.c.d/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 24/255, rxload 235/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:05, output 00:00:01, output hang never
  Last clearing of "show interface" counters 1d23h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/100 (size/max)
  30 second input rate 1424000 bits/sec, 230 packets/sec
  30 second output rate 147000 bits/sec, 161 packets/sec
     16859032 packets input, 2850828712 bytes, 0 no buffer
     Received 17055 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     13720059 packets output, 3084799197 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up DSR=up DTR=up RTS=up CTS=up

Thanks in advance,
Jane

--- Ben Hicks <ben () sequenced net> wrote:
Hmm, so the firewall is performing the NAT then. Just out of interest, what is the firewall doing? Does it have any access lists on it?
Thanks,
Ben

-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com]
Sent: 15 July 2003 16:20
To: Ben Hicks; security-basics () securityfocus com
Subject: RE: where should I start? help!

Ben,

I appreciate your answer. I enabled the IP accounting, and the IP accounting only shows the destination address as a public address (NAT). Is there a way that I can trace this public IP address (NAT) to the internal private IP address?

Thanks,
Jane

--- Ben Hicks <ben () sequenced net> wrote:
The interface is very heavily utilised on the receiving of information, i.e. persons downloading. Your interface (at the time of the snapshot) was very heavily utilised. 188/255 RX suggests that your link is about 75% utilised, which is very high. There are of course many other things that could be attributing to the problem, but I would start here. You could perhaps enable ip accounting to find out which IP addresses are accessing the most amount of information.

HTH
Ben.

-----Original Message-----
From: Jane Han [mailto:janehan22 () yahoo com]
Sent: 08 July 2003 15:41
To: security-basics () securityfocus com
Subject: where should I start? help!

Hi, all

I am relatively new to this field. We have a full T1 but the internet speed is very slow. Sometimes it's even slower than dial-up speed when downloading files.
          E1     E0   E0                  s0
Switch --- PIX ------ Cisco 2600 Router ------ Internet

(E1 and E0 are Ethernet interfaces and S0 is the serial interface)
(please see the following status on s0)

Serial0/0 is up, line protocol is up
  Hardware is QUICC Serial
  Internet address is X.X.X.X/30
  MTU 1500 bytes, BW 2048 Kbit, DLY 20000 usec,
     reliability 255/255, txload 26/255, rxload 188/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:02, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/9199/0 (size/max/drops/flushes); Total output drops: 3307
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/3307 (size/max total/threshold/drops)
     Conversations  0/57/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
  30 second input rate 1510000 bits/sec, 235 packets/sec
  30 second output rate 214000 bits/sec, 173 packets/sec
     76598509 packets input, 1523011153 bytes, 0 no buffer
     Received 104544 broadcasts, 0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
     66685034 packets output, 4044743843 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up DSR=up DTR=up RTS=up CTS=up

I checked the S0 interface status on the internet router. What info does the above indicate? What do input and output packets mean in the case where internal users download files from the internet? I really do not know how to find out where all the traffic is from. I bet there are lots of downloads from the internet. Where should I start?

BTW, we have one block of class C public addresses. But the PIX only uses 30 for NAT and one global pool address:

global (outside) 1 x.x1.x2.201-x.x1.x2.230
global (outside) 1 x.x1.x2.200

Could this cause the slowness in internet speed also?

Thanks in advance,
Jane

__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in market share. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6. Visit us: www.blackhat.com
----------------------------------------------------------------------------
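The question that runs through the whole thread is how to get from the NAT'd public address that "ip accounting" reports back to the inside host, and Dave's quoted "debug ip nat" output carries exactly that mapping in its "a->b" arrows. The following Python is an added example for this archive page, not code from any of the posters or from Cisco. It assumes only the two line shapes quoted above (source rewritten on the way out, destination rewritten on the way back in); the sample input is the eight quoted lines plus two constructed lines for a second inside host and one "debug ip packet" line that the parser must ignore.

```python
import re
from collections import defaultdict

# "debug ip nat" prints one of two shapes (as quoted in Dave's message):
#   NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]     outbound, source rewritten
#   NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]    inbound, destination rewritten
# "NAT*:" marks a fast-path (cached) translation; the bracketed number is the IP ID.
NAT_LINE = re.compile(
    r"^NAT(?P<fast>\*)?:\s+"
    r"s=(?P<s1>[\d.]+)(?:->(?P<s2>[\d.]+))?,\s+"
    r"d=(?P<d1>[\d.]+)(?:->(?P<d2>[\d.]+))?\s+"
    r"\[(?P<ipid>\d+)\]\s*$"
)


def parse_nat_line(line):
    """Return a dict for one debug ip nat line, or None for anything else."""
    m = NAT_LINE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    rec = {"fast_path": f["fast"] is not None, "ip_id": int(f["ipid"])}
    if f["s2"]:
        # Source rewritten: inside local -> inside global, packet leaving the network.
        rec.update(direction="out", inside_local=f["s1"],
                   inside_global=f["s2"], outside=f["d1"])
    elif f["d2"]:
        # Destination rewritten: inside global -> inside local, reply coming back in.
        rec.update(direction="in", inside_local=f["d2"],
                   inside_global=f["d1"], outside=f["s1"])
    else:
        return None  # prefix matched but no translation arrow; nothing to attribute
    return rec


def build_translation_table(lines):
    """Map each inside global (public) address to the inside local hosts seen behind it."""
    table = defaultdict(set)
    for line in lines:
        rec = parse_nat_line(line)
        if rec:
            table[rec["inside_global"]].add(rec["inside_local"])
    return {pub: sorted(hosts) for pub, hosts in table.items()}


def resolve_public_ip(table, public_ip):
    """Jane's question: which inside host(s) sat behind this NAT'd public address?"""
    return list(table.get(public_ip, []))


def packets_per_host(lines):
    """Count translated packets per inside host by direction; heavy 'in' counts are the downloaders."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for line in lines:
        rec = parse_nat_line(line)
        if rec:
            counts[rec["inside_local"]][rec["direction"]] += 1
    return dict(counts)


# Sample input: the eight lines quoted in the thread, one "debug ip packet" line that
# must be skipped, and two CONSTRUCTED lines for a second inside host (192.168.1.40).
SAMPLE_NAT_LOG = """\
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]
IP: s=172.16.1.57 (Ethernet4), d=10.36.125.2 (Serial2), g=172.16.16.2, forward
NAT: s=192.168.1.40->172.31.233.210, d=172.31.2.132 [40001]
NAT*: s=172.31.2.132, d=172.31.233.210->192.168.1.40 [40002]
""".splitlines()

if __name__ == "__main__":
    table = build_translation_table(SAMPLE_NAT_LOG)
    for pub, hosts in sorted(table.items()):
        print(f"{pub} <- {', '.join(hosts)}")
    for host, c in sorted(packets_per_host(SAMPLE_NAT_LOG).items()):
        print(f"{host}: {c['in']} in, {c['out']} out")
```

Run it against a captured "debug ip nat" session (piped through a syslog collector such as the Kiwi daemon George mentions, rather than watched on the console) and the table gives the public-to-private mapping directly, while the per-host counts point at the inside addresses pulling the most traffic through the link. With a PIX doing the translation instead of the router, the same idea applies to whatever the firewall logs for its translation slots, but that output has a different shape and would need its own regex.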