Cisco Firewall :: 15.2 / How To Interpret IOS Log Entries
Oct 12, 2011
how to read some of these log entries I see on the IOS 15.2 router I'm working with. I'm fairly new to this stuff. My understanding is that the first socket (123.123.123.123:port#) is the originating one, and the 2nd socket is the receiving or destination. This makes sense when I see an entry like:
01043: *Nov 21 2012 10:28:34.323 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.241.163:39557 192.168.xx.xx:80 due to RST inside current window with ip ident 0
The internal IP is our email server inside the LAN, the first IP is some IP in a foreign country, so somebody visited our web interface for the email server, obviously trying to breach or recon the interface but whatever. Then I see an (unrelated) entry like this elsewhere in the logs:
001095: *Nov 21 2012 25:56:03.531 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.178.210:25 192.168.xx.xx:47343 on zone-pair inside-outside class INSIDE-OUTSIDE due to Stray Segment with ip ident 0
What this latter entry tells me is that the Internet host sent data FROM port 25 to what I am guessing is the open port our internal email server must have originated some other communication from. However we do not accept incoming port 25 mail from anywhere but a designated IP so this "send" is not supposed to occur. So first off, am I reading that correctly? Is the first IP the sending system, and the second IP the receiver? There are no other entries in the logs between these two hosts, so either the logs have truncated with oldest entries removed (log buffer is set to 51200), or that outside host is sending, hoping to get our mail server to respond? BTW, the outside host WHOIS's to Microsoft's IP range, Block 1.
View 8 Replies
Aug 9, 2010
Is there a good reference in how to interpret the "show AP stats" command?
I have a new (online for 15 days) 1142 listed below. It is the first 802.11n AP I've deployed. The stat counters look bad [code] But I don't know how to put it all together to say "here are the stats, this is the problem". I see TxFrameCount, but no corresponding RxFrameCount, so it is hard to calibrate some of the errors. [code]
View 4 Replies
Apr 6, 2011
I can not seem to view my "permit" entries in the log on my ASA 5520. I set up logging-lists, changed the level to 3 on the logging statement, and simply can't find it anywhere.
Partial config:
logging enabled
logging timestamp
logging JC-L3 level errors
logging monitor JC-L3
logging buffered JC-L3
logging trap notifications
[code]....
View 6 Replies
Sep 24, 2011
how many route entries can ASA5520 (8.2.1-k8) support?
View 2 Replies
Sep 15, 2011
Our proxy/anti-spam/IPS box called PROXY is behind our Cisco ASA firewall. The PROXY is set in transparent mode. The PROXY internal IP is 1.1.1.1 (internal IP). We have the MX record for mail.domain.com with public IP 9.2.7.5 (public IP as we entered with ISP public DNS). What happens now is that the emails that come through get "caught" by the PROXY and then we set up a thing whereby the emails are then forwarded from PROXY to our mail.domain.com server. Also, we made a static entry in PROXY whereby we can https to our email server for the Outlook Web Access from outside of work, therefore allowing users to see the Outlook Web Access web page. On the Cisco firewall, we put the static entry that 9.2.7.5 is mapped to 1.1.1.1, thus the mail server public IP is mapped to the PROXY.
Now, the box has this thing whereby it sends an email to all staff once a day telling them how many mails are legit, how many rejected and how many are spam - the spam emails are listed within the email and staff can, at a click of a release button next to each spam email, release a particular email from the PROXY box and make it into their inbox. This works fine from the inside network, but I have issues from the outside due to the DNS and other things. I also put in the PROXY that any network can release spam and that our staff VLAN can release emails. Also, on the inside of the firewall we did an access list that computers from the staff VLAN can access 1.1.1.1 on port 6552 (which is the release spam port). Hence, we can release emails from the internal network through Microsoft Outlook.
On the outside network, we cannot release emails when using Outlook Web Access. The host name for the PROXY release spam is proxy.domain.com, so what we did also today is ask the ISP to make an A record entry for another public IP which is 9.2.7.6 for proxy.domain.com. We meanwhile made an entry on the access list that computers from outside can access 9.2.7.6 on port 6552 (which is the release port). Now the only question is in regards to the static entries:
1. do we (and can we?) static map 9.2.7.6 to 1.1.1.1 through port 3840 on the Cisco ASA (although we have already mapped 1.1.1.1 to 9.2.7.5 - I have a doubt here as this might mean we might not get emails)? Or would we have to do the static again for this one, specifying the 9.2.7.5 as an SMTP entry and the 9.2.7.6 as a release button?
2. have I made a mistake in general and should I have just told the ISP to make a CNAME entry for proxy.domain.com with the public ip 9.2.7.5 (which is the public ip for MX record?)?
View 9 Replies
Mar 13, 2011
Is it possible for a Cisco ASA 5580 to create Syslog entries when someone connects via HTTPS or SSH to it. I need to obtain information from Syslog when someone does this.
View 5 Replies
Dec 4, 2011
I have a capture set up of type "asp-drop all", and I am capturing certain packets with no indicated ASP drop reason. See output below (ASA 5510 with 8.0(5)23 code):
asa5510-8.0# show capture
capture ASP type asp-drop all buffer 15000 circular-buffer [Capturing - 14912 bytes]
View 2 Replies
Aug 7, 2012
I have a FWSM cluster that I exceeded the maximum number of static NAT entries on. I migrated the connectivity off to a pair of PIX 535's that seem to be handling the address translation needs. However the number of NAT entries being required is increasing, and the PIX series was EOL'd several years back, so I need to replace them. The static 1-1 NAT entries cannot be summarized into networks as the hosts that are being NAT'd are scattered all over various micro subnets in all 3 RFC1918 IPv4 address ranges, and they are being managed directly by SNMP and SNMP-trap and other services that prohibit the use of many-to-one NAT. Is there a known maximum number of static 1-1 NAT entries that can be defined on the ASA 5515-X, 5525-X and higher ASA firewalls? Say I wanted to be able to grow to 2500 or more static 1-1 NAT entries. I am currently running 2010 1-1 static host NATs.
View 1 Replies
Dec 29, 2012
We have a 5585X running in multi context mode, and we are getting log entries for scanning threat detection, such as:
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3116
Threat detection is not supported in multi context mode so I cannot tune the thresholds, is there any way that I can get rid of this outside of messing about with logging levels/message IDs?
View 2 Replies
May 31, 2012
We are using an ASR 1002 for dynamic NAT (with route maps). I do have a problem with the usage of the NAT pool itself. The total NAT translations for the pool are:
#sh ip nat stat
[Id: 1] route-map natted-host-01 pool nat-pool-01 refcount 136
pool nat-pool-01: netmask 255.255.254.0
start XX.XX.202.0 end XX.XX.203.255
type generic, total addresses 512, allocated 88 (17%), missee 0
If I now look into the NAT translation table I do get fewer entries:
#sh ip nat translations filter map-id dynamic 1 total
Total number of translations: 43
Only a deeper look into the QFP gives the right values here:
# sh platform hardware qfp active feature nat data
The output count matches the values I get if I issue a sh ip nat stat.
My question is how it is handled internally.
We do have a problem too, with rising usage of the pool over time. Once allocated, pool entries are not released after a period of time, and no NAT translations occur for those used IP NAT pool addresses.
The timers on the device are set:
ip nat translation timeout 300
ip nat translation tcp-timeout 900
ip nat translation pptp-timeout 900
ip nat translation udp-timeout 120
ip nat translation routemap-entry-timeout 900
ip nat translation max-entries 750000
View 1 Replies
Oct 29, 2012
How big is the NAT table for a PIX515E? How many entries can it have?
View 10 Replies
Sep 9, 2012
I work in a service desk in a 100+ company and lately I got a task to gather all the hosts file entries that are on our network's PCs. We operate on Windows XP 32 & 64-bit, W7 64-bit. Is there any tool that I could use to scan all hosts files within our network? I tried Google of course but maybe I type my search phrases in a bad way to find something useful to my needs.
View 4 Replies
Apr 4, 2013
I have the ME3400 deployed in the following design. 8 100 Meg ports connect to Cisco 2955s, and the 1 Gig port uplinks to a Cisco 3560. My CDP neighbour table only shows an entry for the uplink Gig port. If I look at the CDP stats in show cdp interface FastEthernet 0/1, I see CDP packets being sent every 60 seconds, but nothing returning.
View 4 Replies
Jul 15, 2012
How many VMs can a pair of 5548s support? Remember, for each VM, I will have an ARP entry in the 5500 ARP Table (assume 5500 is the L3 default gateway).
View 3 Replies
Nov 27, 2012
Is there a table which lists the route table entries on Cisco ISR routers, especially the ISR 1921 router?
View 3 Replies
Aug 9, 2011
I have enabled Network filtering on MAC address on my D-Link 628 router.
I've noticed entries in the log file - "Access Denied to LAN System with MAC address ______________" for 2 different MAC addresses. I do not recognize these MAC addresses. The entry that immediately follows these messages - "Above message repeated 466 times and 124 times." The entries for these 2 MAC addresses have been occurring multiple times with different repeat numbers over the past few days.
Is this an indication that someone nearby my router is attempting to hack into my wireless router or do I have a configuration issue?
View 2 Replies
Mar 14, 2011
The version of my DIR-655 is 1.32NA. Entries in the column of Time for LOG DETAILS are incorrect. How can I correct them?
View 3 Replies
Mar 4, 2011
For our children, we use the parental control feature of the DIR-615 (RevD, FW4.11b15), which works excellently. I use the whitelist feature, so only trusted web sites can be accessed. Unfortunately the DIR-615 only has 10 entries in that list and I will soon need more. So I wonder if there is another D-Link router that offers a bigger list with maybe 50 or even 100 entries?
View 4 Replies
Jan 22, 2011
I have a DIR-655 rev A4 with firmware 1.35NA. I read [URL] 5 which stated that the SECURESPOT feature was removed as of firmware 1.35NA, but since upgrading the router to 1.35NA I find the following two log entries mentioning securespot being initiated:
[INFO] Sat Jan 22 21:01:21 2011 Initiating securespot services.
[INFO] Sat Jan 22 21:01:21 2011 Allocating securespot services.
I will mention, before upgrading to 1.35NA I was running the stock 1.21 firmware that shipped with this router. Prior to updating to 1.35NA I had taken a backup of the router settings and after the firmware update was applied I restored this settings backup. Could that be the reason this log entry is showing up? It makes me think securespot is not really removed as is claimed in the release notes for this firmware. Can anyone else with a DIR-655 A4 w/firmware 1.35NA confirm the above two log entries mentioning securespot appear in the log (assuming ALL log settings are turned on) when your router is rebooted?
View 2 Replies
Oct 21, 2012
Belkin F7D4302 will not connect to the ISP if I try to manually set a DNS entry. Once I attempt this I have to reset the router back to factory defaults before the router will connect with the ISP.
View 4 Replies
May 2, 2012
Can you configure multiple next-hop entries and have it perform load balancing?
Example:
route-map test
match ip address test
set ip next-hop 1.1.1.1
set ip next-hop 2.2.2.2
View 1 Replies
Sep 11, 2007
On occasion I will have to clear the ARP cache on a 6500 when a customer swaps out a firewall or firewall NIC. The ARP cache will show the MAC of the previous device and will not update until either the ARP table refreshes dynamically (currently at the default time) or it is cleared manually.
Sometimes I need to clear it manually and sometimes it is refreshed dynamically when the new device comes up. Inconsistent issue....
Under what circumstances will an ARP entry NOT be refreshed when a firewall or firewall NIC is swapped out?
View 2 Replies
Aug 22, 2012
I've been using my pair of ACE-4710s for quite some time and have usually stuck to the Class C subnet sticky settings, as that's what we migrated from in Windows NLB. In one instance of load balancing I'm trying to create an L4 inspection policy that looks for a certain payload (much like an HTTP header) and would like to persist on this. The problem is that the client portion of the conversation starts with a 'SessionID' of 0, and the server responds with a unique 'SessionID'. If I set up the sticky policy with 'Enable Sticky For Response', I get entries populated in the sticky database, but they all go to the same server as there is a sticky session set up for the SessionID = 0. Is there a way to set up sticky entries on server response only? Currently using ACE DM v4(1.0).
View 10 Replies
Jan 13, 2008
Just a very quick one. Is there any physical limitation to how many ARP entries a 6509 and sup720 can have?
View 4 Replies
Nov 15, 2012
We use an RV082 as the main gateway and need to open/forward around 50 ports to the inside. But during setting of the rules I got an error message "The max of Port Range Forwarding is 30 entries. You can't add any more.".
In the online help it is explicitly said "4. Click the Add to List button, and configure as many entries as you would like."
How can we set up more than 30 port forwarding rules?
View 4 Replies
Apr 10, 2012
Any info regarding the number of MAC entries of the Catalyst 3560X/3750X platform? I can find that number in the 3560 and 3750 datasheets but not in the 3560X datasheet.
View 2 Replies
Sep 10, 2012
We've got ACE30s (active/standby) running A5(1.2), and a context that's front-ending one of our major applications, doing SSL termination on the client side and SSL initiation on the back side:
parameter-map type ssl FrontEndSSL-Param
rehandshake enabled
parameter-map type ssl BackendSSL-param
authentication-failure ignore
[Code]...
View 4 Replies
Feb 4, 2013
We have 2 hubs (Cisco 7200 - 2 for redundancy). Every customer has a spoke (Cisco 881). The spokes are 24/24 connected to the 2 hubs (2 DMVPN tunnels) to give us access to our monitoring equipment and for support. Every spoke has a NAT table with a specific NAT range for every spoke. Like this we can reach every device with a unique IP inside the VPN. For example:
- Spoke_001 have a NAT IP range of 10.80.0.0 255.255.254.0
- Spoke_002 have a NAT IP range of 10.80.2.0 255.255.254.0
...
To connect to the hubs with our laptops, we are using the Cisco VPN client. We have different profiles created in the hubs:
- Admin profile with an ACL that allows connectivity to every spoke
- Integrator profiles: that allow connectivity of one integrator to some defined spokes.
So the integrator profile looks like this in the hub:
crypto isakmp client configuration group [NAME]
key [PASSWORD]
domain [DOMAIN]
pool [NAME]
acl [NAME_VPN_Split]
[code]....
The problem is that if we can't summarize an ACL in fewer than 50 lines, we will have to create a second profile and know which one to use for which network...
Version:
ROM: System Bootstrap, Version 12.3(4r)T3, RELEASE SOFTWARE (fc1)
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.3(15), RELEASE SOFTWARE (fc3)
System image file is "disk2:c7200-advsecurityk9-mz.151-4.M2.bin"
View 3 Replies
Sep 19, 2012
I have got two L3 switches, a Cat3550 and a Cat3560X. The Cat3550 is present at the head office and the Cat3560X at the branch office. Both are connected by a 10MB LES link and have VLAN74.
[code]...
View 2 Replies
Apr 15, 2013
As a matter of fact I am new to this field. I have a Cisco 1700 series router which has an E0 and an FE0 port.
E0 is connected to the LAN and FA0 to the ISP; both are configured with public IPs, and there is a static route to the ISP. (E0 is connected to a switch and FA0 is connected to the ISP MUX.)
When I issued the sho arp command I received more than 30 entries of MAC and IP addresses. I am wondering how I received this many MACs in the ARP table.
View 5 Replies
Nov 30, 2011
I just replaced my older D-Link with a DIR-601. I decided to try the email feature, so I set the option to "On Log Full". Within an hour I had 5 emails. I noticed that they were mostly entries reading "DIR-601 local0.debug udhcpd[18594]: UDHCPD Received a SIGUSR1". The "Debug Information" option isn't checked.
View 1 Replies
Feb 17, 2011
I am trying to configure a BEFSX41 router which sits behind a Motorola SB 5120 cable modem. Somehow it now shows DNS entries on the basic setup page. Comcast advises me to zero out all those entries. When I make the attempt a message pops up saying the entry is invalid, and when I close the warning the entry reverts. The router is set to get its IP address automatically from the SB 5120.
View 3 Replies
Dec 1, 2008
Having trouble with resolving DNS entries with their WRT160Nv2? By resolving I mean, every once in a while, browsers will just hang and say "Looking up..." When using nslookup, it says DNS timeout:
DNS request timed out
timeout was x seconds.
Can't find server name for address xxx.xxx.xxx.xxx: Timed out
Default servers are not available
Default Server: UnKnown
Address: xxx.xxx.xxx.xxx
I have the firmware 2.0.02_11 installed. Hooking directly up to the modem, I can resolve entries consistently. When I plug in the router, it works for a little, but becomes very unstable after some time. I spoke with support about this and they suggested changing the IP of the router, as well as lowering the MTU to 1400. Both did not improve stability.
View 9 Replies