We have a PIX 515E running ver 6.3 and we want to implement some sort of logging to keep track of who/when logs in to the PIX and if they make any config changes or to the file system. All of this is for forensic purposes in the future. I have already looked at some PIX docs but I don't seem to find what I am looking for.
I have a tunnel between a PIX 515E version 7.2(2) and a Cisco 3800 version 12.3(11r). There is a mismatch somewhere in the configs but I cannot find it. I have included the configs and the syslog errors.
I have recently purchased a Cisco srp547w for my organisation. It is working fine with one SSID enabled. I have configured everything with no problems using the Web interface. However, whenever I click the Edit button, in the Security column, in the Wireless Table under Basic Wireless Settings I get a pop up message which says: "Some values have been changed. The router must restart the wireless module to take effect. Please wait several seconds" I have tried this using 3 different browsers and get the same behaviour in each browser.
I have enabled DHCP but want to set static IPs for my security camera DVR and one computer; the others can remain dynamic. I know in other routers I can attach a LAN IP to a MAC address to keep it static but I can't see where I can do that with this router.
How to read some of these log entries I see on the IOS 15.2 router I'm working with. I'm fairly new to this stuff. My understanding is that the first socket (188.8.131.52:port#) is the originating one, and the 2nd socket is the receiving or destination. This makes sense when I see an entry like:
01043: *Nov 21 2012 10:28:34.323 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.241.163:39557 192.168.xx.xx:80 due to RST inside current window with ip ident 0
The internal IP is our email server inside the LAN, the first IP is some IP in a foreign country, so somebody visited our web interface for the email server, obviously trying to breach or recon the interface but whatever. Then I see an (unrelated) entry like this elsewhere in the logs:
001095: *Nov 21 2012 25:56:03.531 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.178.210:25 192.168.xx.xx:47343 on zone-pair inside-outside class INSIDE-OUTSIDE due to Stray Segment with ip ident 0
What this latter entry tells me is that the Internet host sent data FROM port 25 to what I am guessing is the open port our internal email server must have originated some other communication from. However we do not accept incoming port 25 mail from anywhere but a designated IP so this "send" is not supposed to occur. So first off, am I reading that correctly? Is the first IP the sending system, and the second IP the receiver? There are no other entries in the logs between these two hosts, so either the logs have truncated with oldest entries removed (log buffer is set to 51200), or that outside host is sending, hoping to get our mail server to respond? BTW, the outside host WHOIS's to Microsoft's IP range, Block 1.
We are using an ASR 1002 for dynamic NAT (with route maps). I do have a problem with the usage of the NAT pool itself. The total NAT translations for the pool are:
#sh ip nat stat [Id: 1] route-map natted-host-01 pool nat-pool-01 refcount 136 pool nat-pool-01: netmask 255.255.254.0 start XX.XX.202.0 end XX.XX.203.255 type generic, total addresses 512, allocated 88 (17%), missee 0
If I now look into the NAT translation table I do get fewer entries:
#sh ip nat translations filter map-id dynamic 1 total Total number of translations: 43
Only a deeper look into the QFP gives here the right values:
# sh platform hardware qfp active feature nat data
The output count matches the values I get if I issue a sh ip nat stat.
My question is: how is it handled internally?
We do have a problem too, with rising usage of the pool over time. Once allocated, pool entries are not released after a period of time, and no NAT translations occur for those used NAT pool addresses.
The timers on the device are set: ip nat translation timeout 300 ip nat translation tcp-timeout 900 ip nat translation pptp-timeout 900 ip nat translation udp-timeout 120 ip nat translation routemap-entry-timeout 900 ip nat translation max-entries 750000
I work in a service desk in a +100 company and lately I got a task to gather all the hosts file entries that are on our network's PCs. We operate on Windows XP 32 & 64bit, W7 64bit. Is there any tool that I could use to scan all hosts files within our network? I tried Google of course but maybe I type my search phrases in a bad way to find something useful to my needs.
I have the ME3400 deployed in the following design. 8 100 Meg ports connect to Cisco 2955s, and the 1Gig port uplinks to a Cisco 3560. My CDP neighbour table only shows an entry for the uplink Gig port. If I look at the CDP stats in show cdp interface FastEthernet 0/1, I see CDP packets being sent every 60, but nothing returning.
I have enabled Network filtering on MAC address on my D-Link 628 router.
I've noticed entries in the log file - "Access Denied to LAN System with MAC address ______________" for 2 different MAC addresses. I do not recognize these MAC addresses. The entry that immediately follows these messages - "Above message repeated 466 times" and "124 times". The entries for these 2 MAC addresses have been occurring multiple times with different repeat numbers over the past few days.
Is this an indication that someone nearby my router is attempting to hack into my wireless router or do I have a configuration issue?
For our children, we use the parental control feature of the DIR-615 (RevD, FW4.11b15), which works excellently. I use the whitelist feature, so only trusted web sites can be accessed. Unfortunately the DIR-615 only has 10 entries in that list and I will soon need more. So I wonder if there is another D-Link router that offers a bigger list with maybe 50 or even 100 entries?
I have a DIR-655 rev A4 with firmware 1.35NA. I read [URL] 5 which stated that the SECURESPOT feature was removed as of firmware 1.35NA but since upgrading the router to 1.35NA I find the following two log entries mentioning securespot being initiated:
[INFO] Sat Jan 22 21:01:21 2011 Initiating securespot services. [INFO] Sat Jan 22 21:01:21 2011 Allocating securespot services.
I will mention, before upgrading to 1.35NA I was running the stock 1.21 firmware that shipped with this router. Prior to updating to 1.35NA I had taken a backup of the router settings and after the firmware update was applied I restored that settings backup. Could that be the reason this log entry is showing up? It makes me think securespot is not really removed as is claimed in the release notes for this firmware. Can anyone else with a DIR-655 A4 w/firmware 1.35NA confirm the above two log entries mentioning securespot appear in the log (assuming ALL log settings are turned on) when your router is rebooted?
On occasion I will have to clear the ARP cache on a 6500 when a customer swaps out a firewall or firewall NIC. The ARP cache will show the MAC of the previous device and will not update until either the ARP table refreshes dynamically (currently at default time) or it is cleared manually.
Sometimes I need to clear it manually and sometimes it is refreshed dynamically when the new device comes up. Inconsistent issue....
Under what circumstances will an ARP entry NOT be refreshed when a firewall or firewall NIC is swapped out?
I've been using my pair of ACE-4710s for quite some time and have usually stuck to the Class C subnet sticky settings, as that's what we migrated from in Windows NLB. In one instance of load balancing I'm trying to create an L4 inspection policy that looks for a certain payload (much like an HTTP header) and would like to persist on this. The problem is that the client portion of the conversation starts with a 'SessionID' of 0, and the server responds with a unique 'SessionID'. If I set up the sticky policy with 'Enable Sticky For Response', I get entries populated in the sticky database, but they all go to the same server as there is a sticky session set up for the SessionID = 0. Is there a way to set up sticky entries on server response only? Currently using ACE DM v4(1.0).
Our proxy/anti-spam/IPS box called PROXY is behind our Cisco ASA firewall. The PROXY is set in transparent mode. The PROXY internal IP is 184.108.40.206 (internal IP). We have the MX record for mail.domain.com with public IP 220.127.116.11 (public IP as we entered with ISP public DNS). What happens now is that the emails that come through get "caught" by the PROXY and then we set up a thing whereby the emails are then forwarded from PROXY to our mail.domain.com server. Also, we made a static entry in PROXY whereby we can https to our email server for the Outlook Web Access from outside of work, therefore allowing users to see the Outlook Web Access web page. On the Cisco firewall, we put the static entry that 18.104.22.168 is mapped to 22.214.171.124, thus the mail server public IP is mapped to the PROXY.
Now, the box has this thing whereby it sends an email to all staff once a day telling them how many mails are legit, how many rejected and how many are spam - the spam emails are listed within the email and staff can, at a click of a release button next to each spam email, release a particular email from the PROXY box and make it into their inbox. This works fine from the inside network, but I have issues from the outside due to the DNS and other things. I also put in the PROXY that any network can release spam and that our staff VLAN can release emails. Also, on the inside of the firewall we did an access list that computers from the staff VLAN can access 126.96.36.199 on port 6552 (which is the release spam port). Hence, we can release emails from the internal network through Microsoft Outlook.
On the outside network, we cannot release emails when using Outlook Web Access. The host name for the PROXY release spam is proxy.domain.com, so what we did also today is ask the "ISP" to make an A record entry for another public IP which is 188.8.131.52 for proxy.domain.com. We meanwhile made an entry on the access list that computers from outside can access 184.108.40.206 on port 6552 (which is the release port). Now the only question is in regards to the static entries:
1. do we (and can we?) static map 220.127.116.11 to 18.104.22.168 through port 3840 on the Cisco ASA (although we have already mapped 22.214.171.124 to 126.96.36.199 - I have a doubt here as this might mean we might not get emails)? Or would we have to do the static again for this one, specifying 188.8.131.52 as an SMTP entry and 184.108.40.206 as a release button?
2. have I made a mistake in general and should I have just told the ISP to make a CNAME entry for proxy.domain.com with the public IP 220.127.116.11 (which is the public IP for the MX record)?
We use an RV082 as our main gateway and need to open/forward around 50 ports to the inside. But while setting up the rules I got an error message "The max of Port Range Forwarding is 30 entries. You can't add any more.".
In the online help it is explicitly said "4. Click the Add to List button, and configure as many entries as you would like."
How can we set up more than 30 port forwarding rules?
We have 2 Hubs (Cisco 7200 - 2 for redundancy). Every customer has a Spoke (Cisco 881). The Spokes are 24/24 connected to the 2 hubs (2 DMVPN tunnels) to give us access to our monitoring equipment and for support. Every Spoke has a NAT table with a specific NAT range for every Spoke. Like this we can reach every device with a unique IP inside the VPN. For example:
- Spoke_001 has a NAT IP range of 10.80.0.0 255.255.254.0
- Spoke_002 has a NAT IP range of 10.80.2.0 255.255.254.0
...
To connect to the hubs with our laptops, we are using the Cisco VPN client. We have different profiles created in the hubs:
- Admin profile with an ACL that allows connectivity to every Spoke
- Integrator profiles: that allow the connectivity of one integrator to some defined Spokes.
So the integrator profile looks like this in the hub:
crypto isakmp client configuration group [NAME]
 key [PASSWORD]
 domain [DOMAIN]
 pool [NAME]
 acl [NAME_VPN_Split]
The problem is that if we can't summarize an ACL in less than 50 lines, we will have to create a second profile and know which one to use for which network...
ROM: System Bootstrap, Version 12.3(4r)T3, RELEASE SOFTWARE (fc1) BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.3(15), RELEASE SOFTWARE (fc3) System image file is "disk2:c7200-advsecurityk9-mz.151-4.M2.bin"
I just replaced my older D-Link with a DIR-601. I decided to try the email feature, so I set the option to "On Log Full". Within an hour I had 5 emails. I noticed that they were mostly entries reading "DIR-601 local0.debug udhcpd: UDHCPD Received a SIGUSR1". The "Debug Information" option isn't checked.