Recluse
Mar 5, 2004

Yeah, I did that.
A client of ours has two computers running some proprietary software connected over an IPSEC VPN using PIX 501s. He claims that every 15 minutes, if someone isn't doing something on the computer, the connection will drop. Using "sh isakmp sa" shows:

Total     : 1
Embryonic : 0
        dst               src          state    pending  created
  xx.xxx.xxx.xxx   yy.yyy.yyy.yyy    QM_IDLE       0        1

which I believe shows that it's up and running.

This is the configuration file, and while I think it looks like it shouldn't idle out for a day, I was wondering if there was anyone who could tell me what I may be doing wrong? I've had very little experience with these, so any help at all would be greatly appreciated. I'm not totally convinced it's the VPN that's disconnecting either.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password notreal encrypted
passwd notreal encrypted
hostname thisisdifferent
domain-name zzzz.zzz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 90 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 50 permit tcp xx.xxx.xxx.x 255.255.255.128 any
access-list 50 permit tcp host xx.xxx.xxx.xxx any
access-list 50 permit tcp any any eq ssh
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list no-nat permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inmap permit tcp any host yy.yyy.yyy.yyy eq 5613
access-list inmap permit tcp any host yy.yyy.yyy.yyy eq telnet
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside yy.yyy.yyy.yyy 255.255.255.192
ip address inside 10.0.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.0.2.0 255.255.255.0 outside
pdm location xx.xxx.xxx.xxx 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface telnet 10.0.1.10 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5613 10.0.1.10 5613 netmask 255.255.255.255 0 0
access-group inmap in interface outside
route outside 0.0.0.0 0.0.0.0 gg.ggg.ggg.ggg 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
snmp-server host outside zz.zzz.zzz.zz
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set idaville esp-des esp-md5-hmac
crypto map otherplace 1 ipsec-isakmp
crypto map otherplace 1 match address 90
crypto map otherplace 1 set peer xx.xxx.xxx.xxx
crypto map otherplace 1 set transform-set idaville
crypto map otherplace 1 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map idaville interface outside
isakmp enable outside
isakmp key ******** address xx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh zz.zz.zzz.z 255.255.255.255 outside
ssh 10.0.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd auto_config outside
username admin password VQLdnwypBeKc65uW encrypted privilege 15
terminal width 80
Cryptochecksum:cc6428afd782ea604c007237f38292f9
: end

Recluse
Mar 5, 2004

Yeah, I did that.

brent78 posted:

Is it possible to rate limit traffic by IP on a Catalyst 3750?

I too would be interested in this, or something similar. We currently are using two 7120s and were attacked 3 times in the past week with tens of thousands of UDP packets per second to our internal NAT server from three different probably spoofed IP addresses. We're looking for something that could hopefully limit the pps per IP address; or, if someone has any other ideas about preventing/stopping a DoS attack I'd really like to hear it.

Recluse
Mar 5, 2004

Yeah, I did that.

Girdle Wax posted:

Preventing/Stopping a DoS attack on the customer side of a circuit is going to be difficult as chances are your pipe out to the world is the smallest link, so the attacker can just saturate that and it doesn't matter what kind of rate limiting or filtering you have on your side of the connection. The best solution to this (if you're talking BGP w/ your provider) is to use BGP remote triggered blackholing, where you can send a /32 prefix up to your provider over your BGP session with them, with a community tag that tells your provider to null route / blackhole the traffic before sending it to you. You can only do this for your own IPs though, so you lose whatever apps are running on the IP you blackhole, but it saves you the bandwidth to your provider so everything else keeps running.

This is excellent and exactly what I'm looking for. Thank you!
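The remote-triggered blackhole that the quoted reply describes, modelled as the provider's import policy so the two halves are visible together: the customer tags a /32 with a blackhole community, and the provider rewrites its next-hop to a discard address before the flood ever crosses the customer's link. This is an added example, not from the thread or from any ISP. The ASN, prefixes, customer link address and discard next-hop are assumed values; the prefix filter in step 1 is the check a careful provider applies so that a customer can only blackhole its own space, which is also why the reply says you can only do this for your own IPs.

```python
"""Remote-triggered blackhole (RTBH) as a provider-side import policy (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network
BLACKHOLE_COMMUNITY = "65535:666"   # BLACKHOLE well-known community (RFC 7999); providers may use their own
DISCARD_NEXT_HOP = "192.0.2.1"      # assumed: the provider statically routes this address to Null0 everywhere
CUSTOMER_LINK = "203.0.113.2"       # assumed: customer side of the provider/customer link

@dataclass(frozen=True)
class Route:
    prefix: Net
    next_hop: str
    communities: frozenset

# assumed allocation: what each customer AS is entitled to announce
CUSTOMER_ALLOCATIONS: Dict[str, List[Net]] = {
    "AS64500": [ipaddress.ip_network("198.51.100.0/24")],
}

def provider_import(customer_as: str, route: Route) -> Optional[Route]:
    """Policy on the customer's BGP session. Returns the route as installed, or None if refused."""
    allowed = CUSTOMER_ALLOCATIONS.get(customer_as, [])
    # 1. Prefix filter: a customer may only announce (more-specifics of) its own space.
    #    Without this a customer could blackhole addresses that are not theirs.
    if not any(route.prefix.subnet_of(a) for a in allowed):
        return None
    if BLACKHOLE_COMMUNITY in route.communities:
        # 2. RTBH: accept host routes only, and point them at the discard address.
        if route.prefix.prefixlen != 32:
            return None
        return Route(route.prefix, DISCARD_NEXT_HOP, route.communities)
    # 3. Ordinary announcement: nothing longer than a /24, so the blackhole community
    #    is the only way a host route gets into the provider's table.
    if route.prefix.prefixlen > 24:
        return None
    return route

def install(customer_as: str, announcements: List[Route]) -> List[Route]:
    """Run every announcement through the import policy and keep what survives."""
    return [r for r in (provider_import(customer_as, a) for a in announcements) if r is not None]

def forward(table: List[Route], dst_ip: str) -> str:
    """Longest-prefix match; 'drop' means the packet dies at the provider edge, not on the customer pipe."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in table if ip in r.prefix]
    if not candidates:
        return "unreachable"
    best = max(candidates, key=lambda r: r.prefix.prefixlen)
    return "drop" if best.next_hop == DISCARD_NEXT_HOP else best.next_hop

def announce(prefix: str, next_hop: str, *communities: str) -> Route:
    return Route(ipaddress.ip_network(prefix), next_hop, frozenset(communities))

# constructed scenario: the normal /24, then a /32 blackhole for the host being flooded
NORMAL_TABLE = install("AS64500", [announce("198.51.100.0/24", CUSTOMER_LINK)])
UNDER_ATTACK = install("AS64500", [
    announce("198.51.100.0/24", CUSTOMER_LINK),
    announce("198.51.100.10/32", CUSTOMER_LINK, BLACKHOLE_COMMUNITY),  # the NAT server under attack
    announce("203.0.113.50/32", CUSTOMER_LINK, BLACKHOLE_COMMUNITY),   # not the customer's address: refused
])

if __name__ == "__main__":
    print(forward(NORMAL_TABLE, "198.51.100.10"))   # 203.0.113.2
    print(forward(UNDER_ATTACK, "198.51.100.10"))   # drop
    print(forward(UNDER_ATTACK, "198.51.100.11"))   # 203.0.113.2
```

The trade-off the reply mentions is visible in the last two lines: 198.51.100.10 is unreachable from everywhere once the /32 is installed, but 198.51.100.11 keeps flowing over the customer link, and the flood towards .10 never consumes that link's bandwidth.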

Recluse
Mar 5, 2004

Yeah, I did that.
I have a stupid yet infuriating problem: the business that I'm at uses FTP for some scan program they have, and way back in June apparently it stopped working. Now they need to use it again. It uses passive FTP, connects, and then only sends exactly 4.140KB worth of data before timing out. Active FTP works just fine. They have a Cisco PIX 506E, and if I bypass it and plug directly into the modem, passive FTP works just fine.

I ran Wireshark and found that it connects just fine; the client starts sending data to the server 1.380KB at a time. It sends 6 packets before it craps out: the first two packets have unique sequence numbers and the last 4 are the same. I'm assuming it's missing an ACK or something, even though I'm getting other ACKs from the server, and is trying to resend the data?

Here is the conf file with the sensitive bits changed:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password hMDD1bC3TScc9BU. encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname stupidpix
domain-name stupidpix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outin permit icmp any any
pager lines 24
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.1.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outin in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:f5721e9494b342883ab991d28db906da

Anyone have any ideas what could be causing this? Any help at all would be greatly appreciated.
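Both PIX configs pasted in this thread (the 501 in the VPN post above and the 506E just posted) carry settings an editor would flag before anything else: single DES, MD5 and DH group 1 for IKE, a default SNMP community, SSH management open to any source on the outside interface, and a static that forwards cleartext telnet in from the Internet. The linter below is an added example, not from the thread or from Cisco; it tokenizes a PIX 6.x running-config and reports those findings. It also checks that the crypto map applied to an interface is a map that actually has entries, because in the 501 config the entries belong to "otherplace" while "idaville" is what is applied to outside; whether that is a redaction slip or a real discrepancy cannot be told from the post. The two excerpts embedded below are trimmed, constructed copies of the posted configs, keeping the posters' redacted placeholders.

```python
"""Audit a Cisco PIX 6.x running-config for weak crypto and exposed management (added example)."""
from typing import Dict, List, Set

# IKE phase-1 and IPsec settings a practitioner would no longer accept
WEAK_IKE = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_IPSEC = {"esp-des", "esp-null", "esp-md5-hmac"}
DEFAULT_COMMUNITIES = {"public", "private"}

def tokenize(text: str) -> List[List[str]]:
    """Split a config into token lists, dropping blanks, comments and the checksum trailer."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ":!" or line.startswith("Cryptochecksum"):
            continue
        out.append(line.split())
    return out

def audit_pix_config(text: str) -> List[str]:
    findings: List[str] = []
    defined_maps: Set[str] = set()        # crypto maps that have at least one numbered entry
    applied_maps: Dict[str, str] = {}     # crypto map name -> interface it is applied to
    for tok in tokenize(text):
        if tok[:2] == ["crypto", "map"] and len(tok) >= 4:
            if tok[3] == "interface" and len(tok) >= 5:
                applied_maps[tok[2]] = tok[4]
            elif tok[3].isdigit():
                defined_maps.add(tok[2])
        elif tok[:3] == ["crypto", "ipsec", "transform-set"] and len(tok) >= 5:
            weak = sorted(set(tok[4:]) & WEAK_IPSEC)
            if weak:
                findings.append(f"transform-set {tok[3]}: weak transforms {' '.join(weak)}")
        elif tok[:2] == ["isakmp", "policy"] and len(tok) >= 5:
            attr, val = tok[3], tok[4]
            if val in WEAK_IKE.get(attr, set()):
                findings.append(f"isakmp policy {tok[2]}: weak {attr} {val}")
        elif tok[:2] == ["snmp-server", "community"] and len(tok) >= 3:
            if tok[2].lower() in DEFAULT_COMMUNITIES:
                findings.append(f"snmp community is the default string '{tok[2]}'")
        elif tok[:3] == ["ssh", "0.0.0.0", "0.0.0.0"] and len(tok) >= 4:
            findings.append(f"ssh management open to any source on {tok[3]}")
        elif tok[0] == "static" and "telnet" in tok:
            findings.append("static translation exposes telnet (cleartext) from outside")
    for name, iface in applied_maps.items():
        if name not in defined_maps:
            findings.append(f"crypto map '{name}' is applied to {iface} but has no entries "
                            f"(maps with entries: {', '.join(sorted(defined_maps)) or 'none'})")
    return findings

# constructed excerpt of the PIX 501 config from the VPN post (placeholders as posted)
PIX_501_EXCERPT = """
PIX Version 6.3(5)
snmp-server host outside zz.zzz.zzz.zz
snmp-server community public
static (inside,outside) tcp interface telnet 10.0.1.10 telnet netmask 255.255.255.255 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set idaville esp-des esp-md5-hmac
crypto map otherplace 1 ipsec-isakmp
crypto map otherplace 1 match address 90
crypto map otherplace 1 set peer xx.xxx.xxx.xxx
crypto map otherplace 1 set transform-set idaville
crypto map idaville interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.1.0 255.255.255.0 inside
Cryptochecksum:cc6428afd782ea604c007237f38292f9
: end
"""

# constructed excerpt of the PIX 506E config from the passive FTP post
PIX_506E_EXCERPT = """
PIX Version 6.1(4)
access-list outin permit icmp any any
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outin in interface outside
snmp-server community public
no snmp-server enable traps
floodguard enable
"""

if __name__ == "__main__":
    for label, cfg in (("PIX 501", PIX_501_EXCERPT), ("PIX 506E", PIX_506E_EXCERPT)):
        print(label)
        for finding in audit_pix_config(cfg):
            print("  -", finding)
```

None of these findings explains a 15-minute drop or a stalled passive transfer, and the script does not claim to; it is the pass a reviewer would make before touching either problem, so that the fix does not get built on top of DES and a public SNMP community.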

Recluse
Mar 5, 2004

Yeah, I did that.

routenull0 posted:

We need to see the access-list portions.

access-group outin in interface outside

Says to apply access-list "outin" to the inbound direction of the OUTSIDE interface, but the only outin acl I see is: access-list outin permit icmp any any . Have you removed most of it?

That's actually the complete sh conf; I thought there'd be more sensitive stuff in there, but I ended up only changing the hostname. I apologize, I'm unfamiliar with PIX devices; is there another command I should use?

Also, on further inspection it seems as though the server is sending ACKs after it gets the first two packets of data, but Wireshark shows that there's a TCP checksum error. It actually shows this whether I'm behind the Cisco or not. Is it possible the Cisco is blocking it based on that? If so, I know this is a separate problem that needs to be resolved, but is it possible to let that stuff through for the time being?

EDIT - Went on the server and disabled checksum offloading on the network card and the tcp checksum errors went away. Still same problems though.

Recluse fucked around with this message at 19:17 on Sep 17, 2008

Recluse
Mar 5, 2004

Yeah, I did that.

routenull0 posted:

You have other working services behind this firewall? I assume web surfing is working since you are posting? Any hosted devices like webservers etc?

You can try a "show access-list", but I assume you won't get much back if that was the complete "sh conf".

The config is basically only allowing ICMP inbound, denying all other inbound traffic unless the session was created from the inside.

Yeah, show access-list gave the same thing. Shouldn't passive work since the client initiates both connections? I tried permit tcp any any but that didn't work either.

Recluse
Mar 5, 2004

Yeah, I did that.

routenull0 posted:

Yeah the config would allow it blindly. Do you seen in wireshark the PASV exchange to a higher dynamic port?

Yeah, it started addressing it on n+2. Weirdly enough, messing around with it but not changing anything, it actually went a little further and ACKed once for a total of 8 unique sequence # packets. I'm wondering if this isn't just a flaky PIX?

Recluse
Mar 5, 2004

Yeah, I did that.

Ninja Rope posted:

If you're sniffing from the box using checksum offloading, you'll always see this, since wireshark captures the data from inside the network stack but the checksum isn't calculated until the packet leaves the physical interface.

You probably know this, but just in case, don't go permanently disabling tcp checksum offloading on your server(s) because of this.

Thank you for this, I had re-enabled it but I'm glad to know why it was doing that. Also, thank you for your help as well routenull0. I've got another pix same model I'll try copying the config to and seeing what happens. After that one fluke though, it always crapped out after the first 3 data packets. Weird stuff.
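The checksum-offload effect Ninja Rope describes, worked through in code as an added example (not from the thread): the TCP checksum covers a pseudo-header built from the IP addresses plus the whole segment, so a capture taken on the sending host before the NIC fills the field in will fail verification, while the same segment as it leaves the wire verifies. Addresses, ports and the 1380-byte payload below are constructed; the placeholder the host stack leaves in the field varies by driver, and zero is used here as an assumption.

```python
"""TCP checksum (RFC 793 / RFC 1071) and what an offloaded capture looks like (added example)."""
import struct

TCP_PROTO = 6
CSUM_OFFSET = 16  # checksum field occupies bytes 16..17 of the TCP header

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry."""
    if len(data) % 2:
        data += b"\x00"                       # an odd trailing byte is padded with zero
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header + TCP header + payload, with the checksum field zeroed."""
    pseudo = ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    zeroed = segment[:CSUM_OFFSET] + b"\x00\x00" + segment[CSUM_OFFSET + 2:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def checksum_is_valid(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """What Wireshark's 'validate checksum' does: recompute and compare with the stored field."""
    (stored,) = struct.unpack("!H", segment[CSUM_OFFSET:CSUM_OFFSET + 2])
    return stored == tcp_checksum(src_ip, dst_ip, segment)

def build_segment(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int, ack: int,
                  payload: bytes, offloaded: bool = False) -> bytes:
    """PSH/ACK segment with a 20-byte header. With offloaded=True the checksum field is left
    at the host stack's placeholder (zero here, an assumption), as seen in a capture on the sender."""
    data_offset_flags = (5 << 12) | 0x018     # data offset 5 words, flags PSH+ACK
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, data_offset_flags, 65535, 0, 0)
    segment = header + payload
    if not offloaded:
        csum = tcp_checksum(src_ip, dst_ip, segment)
        segment = segment[:CSUM_OFFSET] + struct.pack("!H", csum) + segment[CSUM_OFFSET + 2:]
    return segment

# constructed FTP data-connection segment: client pushing 1380 bytes of a scan to the server
CLIENT, SERVER = "10.1.2.10", "198.51.100.21"
PAYLOAD = bytes(range(256)) * 5 + b"\x00" * 100          # 1380 bytes
HOST_CAPTURE = build_segment(CLIENT, SERVER, 50311, 38115, 1001, 5001, PAYLOAD, offloaded=True)
ON_THE_WIRE = build_segment(CLIENT, SERVER, 50311, 38115, 1001, 5001, PAYLOAD)

if __name__ == "__main__":
    print("captured on the sending host:", checksum_is_valid(CLIENT, SERVER, HOST_CAPTURE))  # False
    print("as it left the wire:        ", checksum_is_valid(CLIENT, SERVER, ON_THE_WIRE))    # True
    print("correct checksum: 0x%04x" % tcp_checksum(CLIENT, SERVER, ON_THE_WIRE))            # 0x41f9
```

The practical consequence for the trace above is that a checksum error reported for packets the local machine sends is not evidence the firewall dropped anything; to know what actually reached the far side, capture on the receiving host or on a span port, where the field has already been filled in by the NIC.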

Recluse
Mar 5, 2004

Yeah, I did that.
Very stupid question regarding ACLs on an ASA5501 (I'm probably complicating this more than I need to be): I need to allow access for RDP and SMTP traffic to the terminal and mail servers respectively from a remote network over the VPN and from the outside, and POP/IMAP just over the VPN. Say I've got the PAT translation set up to point port 25 to the internal mail server address. Do I need to configure the ACL to allow traffic on port 25 sent to the public IP address sourced from anywhere and then create another ACL to allow all traffic sourced from the remote network to access the mail server on port 25, or can I just create a single ACL allowing traffic to the internal mail server address from anywhere and assign it to the outside interface out (which I'm assuming would mean the translation has already been done, so it sees the destination even from outside traffic as being the internal mail server)? If I have to do the former, how would I go about creating an ACL for VPN traffic? I've tried to read around and found people indicating that you need to put in sysopt connection permit-ipsec and then referencing the 'interesting traffic' ACL as the one that would do the filtering, but I'm not sure what that means. Hopefully this question even makes sense, or I'm more lost than I think I am.

Recluse
Mar 5, 2004

Yeah, I did that.

Recluse posted:

Very stupid question regarding ACLs on an ASA5501 (I'm probably complicating this more than I need to be): I need to allow access for RDP and SMTP traffic to the terminal and mail servers respectively from a remote network over the VPN and from the outside, and POP/IMAP just over the VPN. Say I've got the PAT translation set up to point port 25 to the internal mail server address. Do I need to configure the ACL to allow traffic on port 25 sent to the public IP address sourced from anywhere and then create another ACL to allow all traffic sourced from the remote network to access the mail server on port 25, or can I just create a single ACL allowing traffic to the internal mail server address from anywhere and assign it to the outside interface out (which I'm assuming would mean the translation has already been done, so it sees the destination even from outside traffic as being the internal mail server)? If I have to do the former, how would I go about creating an ACL for VPN traffic? I've tried to read around and found people indicating that you need to put in sysopt connection permit-ipsec and then referencing the 'interesting traffic' ACL as the one that would do the filtering, but I'm not sure what that means. Hopefully this question even makes sense, or I'm more lost than I think I am.


Here's what I came up with in regards to the quoted problem for an ASA5501, would anyone be willing to critique?

access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 Rensselaer 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 Rensselaer 255.255.255.0
access-list outside_cryptomap_40 extended permit ip 192.168.1.0 255.255.255.0 Delphi 255.255.255.0
access-list outside_in_allow extended permit tcp any interface outside eq smtp
access-list outside_in_allow extended permit tcp any interface outside eq 3389
access-list outside_in_allow extended permit tcp any interface outside eq https
access-list outside_in_allow extended permit tcp any interface outside eq ftp
access-list outside_in_allow extended permit tcp any interface outside eq ftp-data
access-list vpn_allow extended permit tcp any 192.168.1.0 255.255.255.0 eq pop3
access-list vpn_allow extended permit tcp any any eq 995
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq 8080
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq 123
access-list outbound_allow extended permit tcp host 192.168.1.7 any eq smtp
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq 1863
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 host 64.128.84.76 eq 8080
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq 3389
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq 6689
access-list outbound_allow extended permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list outbound_allow extended permit tcp host 192.168.1.2 any eq domain
access-list outbound_allow extended permit tcp host 192.168.1.253 any eq domain
access-list outbound_allow extended permit tcp host 192.168.1.5 any eq domain
access-list outbound_allow extended permit tcp host 192.168.1.7 any eq domain

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in_allow in interface outside
access-group outbound_allow out interface inside

I had someone try to put it in and they said incoming mail wasn't working, so I know something's not right but thought I'd ask to see if it was obvious to anyone.
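The binding that decides this is the last line of the posted snippet: "access-group outbound_allow out interface inside" attaches the ACL to traffic leaving the inside interface, which is exactly the inbound mail that was just permitted on the outside interface. Its source is the remote mail sender, not 192.168.1.0/24, so nothing in outbound_allow matches and the implicit deny drops it; meanwhile connections started from the LAN never hit an ACL at all and go out unfiltered. The simulator below is an added example, not from the thread or from Cisco; it models the pre-8.3 ASA packet path only as far as the question needs (ingress ACL, static PAT untranslation, egress ACL, implicit deny) and runs the posted bindings beside the corrected "in interface inside" binding. The public address, the RDP server address and the static PAT entries (which the posted snippet does not include) are assumed, and the ACLs are trimmed copies of the posted ones.

```python
"""Direction of ASA interface ACLs, on the outside_in_allow / outbound_allow lists above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.1.0/24")
OUTSIDE_IP = "203.0.113.10"                  # assumed public address of the outside interface

def host(ip: str) -> Net:
    return ipaddress.ip_network(ip + "/32")

@dataclass(frozen=True)
class Ace:
    action: str              # "permit" | "deny"
    proto: str               # "tcp" | "udp" | "ip"
    src: Net
    dst: Net
    dport: Optional[int]     # None = any port

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str             # interface the first packet of the connection arrives on

def acl_permits(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> bool:
    """First matching entry wins; every ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst and ace.dport in (None, dport):
            return ace.action == "permit"
    return False

class Asa:
    def __init__(self, bindings: Dict[Tuple[str, str], str], static_pat: Dict[Tuple[str, int], str]):
        self.security = {"outside": 0, "inside": 100}
        self.bindings = bindings        # (interface, "in" | "out") -> ACL name
        self.static_pat = static_pat    # (mapped ip, port) -> real ip

    def decide(self, f: Flow) -> Tuple[bool, str]:
        real_dst = self.static_pat.get((f.dst, f.dport), f.dst)
        egress = "inside" if ipaddress.ip_address(real_dst) in LAN else "outside"
        acl_in = self.bindings.get((f.ingress, "in"))
        if acl_in is not None:
            # ingress ACL sees the packet as it arrived: the mapped (public) destination
            if not acl_permits(ACLS[acl_in], f.proto, f.src, f.dst, f.dport):
                return False, f"denied by {acl_in} (in, {f.ingress})"
        elif self.security[f.ingress] <= self.security[egress]:
            return False, f"no ACL on {f.ingress}; lower-to-higher security is denied by default"
        acl_out = self.bindings.get((egress, "out"))
        if acl_out is not None:
            # egress ACL (in this model) sees the real destination; the source is still the remote host
            if not acl_permits(ACLS[acl_out], f.proto, f.src, real_dst, f.dport):
                return False, f"denied by {acl_out} (out, {egress}): source {f.src} is not in {LAN}"
        return True, f"permitted to {real_dst}:{f.dport} via {egress}"

ACLS: Dict[str, List[Ace]] = {
    # trimmed copies of the posted entries; 'interface outside' becomes the outside address
    "outside_in_allow": [Ace("permit", "tcp", ANY, host(OUTSIDE_IP), 25),
                         Ace("permit", "tcp", ANY, host(OUTSIDE_IP), 3389)],
    "outbound_allow":   [Ace("permit", "tcp", LAN, ANY, 80),
                         Ace("permit", "tcp", LAN, ANY, 443),
                         Ace("permit", "tcp", host("192.168.1.7"), ANY, 25)],
}
STATIC_PAT = {(OUTSIDE_IP, 25): "192.168.1.7", (OUTSIDE_IP, 3389): "192.168.1.5"}   # assumed

POSTED = Asa({("outside", "in"): "outside_in_allow", ("inside", "out"): "outbound_allow"}, STATIC_PAT)
CORRECTED = Asa({("outside", "in"): "outside_in_allow", ("inside", "in"): "outbound_allow"}, STATIC_PAT)

INBOUND_SMTP = Flow("tcp", "198.51.100.7", 40000, OUTSIDE_IP, 25, "outside")       # internet -> mail server
LAN_WEB = Flow("tcp", "192.168.1.20", 51000, "198.51.100.80", 80, "inside")        # LAN browsing, meant to pass
LAN_IRC = Flow("tcp", "192.168.1.20", 51001, "198.51.100.80", 6667, "inside")      # LAN to port 6667, meant to fail

if __name__ == "__main__":
    for label, fw in (("posted", POSTED), ("corrected", CORRECTED)):
        for flow in (INBOUND_SMTP, LAN_WEB, LAN_IRC):
            print(f"{label:9s} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  {fw.decide(flow)}")
```

Under the posted bindings inbound SMTP is refused by outbound_allow on the inside interface and the LAN connection to port 6667 sails through; with the ACL bound "in interface inside" both come out the way the post intended. The ACL for the VPN side is a separate matter: with "sysopt connection permit-vpn" (the ASA name for what the post calls permit-ipsec) decrypted traffic bypasses the outside interface ACL, so the crypto map's match list decides what enters the tunnel and any further filtering has to happen elsewhere.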

Recluse
Mar 5, 2004

Yeah, I did that.
I'm currently having an issue setting up Dual Wan for a customer on an ISR 1941. Previously they had only one internet connection through Verizon, with 3 VPNs to remote branches. Initially when I added the default route for the secondary wan connection, I would immediately lose connectivity to the outside WAN interface. Added a metric of 10 to the default route for the secondary interface and then put in a route map to push everything coming in on the secondary interface back out the secondary interface and everything seemed to work peachy.

Their secondary WAN connection however has much higher bandwidth, so I was hoping to move the VPN connections to that connection instead. I was able to successfully move them over, VPNs are connecting ok but found traffic is not flowing between the sites. Also found that if I remove the access list corresponding to the route map I had set up traffic starts flowing across the VPNs but then I lose connectivity to the router. I've called Cisco, spent a good long while just trying to get the technician to understand what was going on and kept getting bounced between the router and VPN technicians so I was hoping if anyone had some free time they might be able to take a look at my config and see what I might be doing wrong.

http://home.singlecircuit.com/dualwan.txt

Thanks in advance!

Recluse
Mar 5, 2004

Yeah, I did that.
Working with a company that has a UC520, just getting to their busy season where they're getting a lot of phone calls but having an issue in which half the time when the receptionist forwards a call and it ends up ringing to voicemail the call drops. Also, when some of the users try to access voicemail to listen to their messages they're getting a busy signal. Checked the debug logs and am getting a SIP 486 Busy Here message when the call is getting dropped. Called TAC, they indicated that the UC520 is only capable of 6 sessions to the CUE, although it was unclear if this was 6 sessions shared for voicemail, autoattendant and prompt management or if each application has 6 sessions available. He set up a test lab and verified that he was able to replicate exactly what we were seeing when he had 7 calls going to voicemail.

The question I have is, the company is unwilling to accept this as the cause; they swear they've had no staff changes since last year and (of course) it worked fine then. Is it possible to determine without a doubt if this is the cause? Is it possible to see how many sessions are currently being used and by whom? The receptionist claims on her sidebar she only ever sees 3 or 4 lights active at a time, and I'm not familiar with those so I'm not sure what exactly that's showing: extensions that have picked up, outside lines, etc. Incoming is PRI, using SCCP for internal. Reloading the UC520 and resetting all the phones did not help.
