PIX - loss of connection to it - and stopping peer to peer

With a new PIX, Version 6.3(5), I get random loss of connectivity to it; ping and telnet refused (from a PC directly into one of its ports); during this time the console is fine and syslog shows other users working; and of course I can't get on the web - these other users will later report the same issues. 8 PCs on the LAN. I clear xlate and the arp table, all to no avail.

Is this due to connection limits on the PIX? I read in Richard Deal's book that the 501 limits use based on the number of PCs it sees; I assume this translates to ARP tables?

Practically it seems, so far, that the number of connections as reported in "sh conn count" is the relevant issue (I can't get on when this number gets high); but, oddly, I see reports of well over 40, with many more idle; so what is the limiting factor, devices on the LAN pointing to the PIX's inside or the connections in use? And would this even be the cause of telnets being refused?

The larger issue here is that this is the same general symptom experienced with a D-Link 604 which the PIX replaced. We were getting hit by lots of peer-to-peer-looking connections (using the Limewire port) which I blocked with the D-Link's "firewall" feature. Most users could never get to the web when the D-Link's log showed large numbers of denials with this port.

I've attempted to stop these processes with a series of access-lists, which brings me to my other question: how best to use the PIX to stop peer to peer? I tried this:

access-list bs deny tcp any any eq 3646

which seems to work, as I see in the logs. Also, I don't understand why, when I add a similar command to an inside access-group, I seem to stop more communication than I'd like ...

------------------

pixfirewall# sh conn count

32 in use, 138 most used

pixfirewall# sh conn count

36 in use, 138 most used

pixfirewall# sh conn count

-----------------------------------

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

pixfirewall up 2 hours 18 mins

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0016.9dda.e63e, irq 9
1: ethernet1: address is 0016.9dda.e63f, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10

This PIX has a Restricted (R) license.

Serial Number: 810193105 (0x304a90d1)
Running Activation Key: 0x49f008db 0xd09fdf38 0x9b9c0e6e 0x2ac6f9fc
Configuration last modified by enable_15 at 09:59:02.990 UTC Sun Oct 22 2006

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password RKu3p1CF3TrlG1v9 encrypted
passwd FRou7zzj.tp5/Po3 encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list bs deny tcp any any eq 3646
access-list bs deny tcp any any eq 3260
access-list bs deny tcp any any eq 3266
access-list bs deny tcp any any eq 34927
access-list bs deny tcp any any eq 65420
access-list bs deny tcp any any eq 8820
access-list bs deny tcp any any eq 6346
access-list bs deny tcp any any eq 26768
access-list bs deny tcp any any eq 1035
access-list bs deny tcp any any eq 1129
access-list bs deny tcp any any eq 1038
access-list bs deny tcp any any eq 1170
access-list bs deny tcp any any eq 3486
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.0.3
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit name checkit info action alarm
ip audit interface outside checkit
ip audit attack action reset
pdm location 192.168.0.118 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group bs in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.118 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.100-192.168.0.131 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:35ec9e8be0c77b2a48588b5dea71f0bf
: end
Reply to
barret bonden

Do you get "license limit of 10 exceeded" in your syslog ? If so, that is your answer.

HTH Martin

Reply to
Martin Bilgrav

Also:

pix501# sho local
Interface inside: 3 active, 9 maximum active, 0 denied

Will tell you if you have exceeded your limit. (The denied count will increase.)

Reply to
Martin Bilgrav
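The two checks Martin suggests, the "licensed host limit exceeded" syslog message and the counters on `show local-host`, can be run over collected output rather than read by eye. The script below is an added example and is not code from the thread or from Cisco: it parses constructed PIX 6.3 syslog lines (message 450001 is the one the PIX logs when the licensed host limit is hit; a 302013/302015 "Built outbound" message identifies an inside host that holds an xlate, i.e. one of the licensed slots) and the constructed summary line of `show local-host`, and reports whether the 10-host license is what is cutting inside users off. The IP addresses and counters are made up for the example.

```python
"""Added example (not part of the thread): decide, from PIX syslog and the
`show local-host` summary, whether a PIX 501's licensed host limit is the
reason inside users are being cut off.

All log lines and show output in this file are constructed for the example,
not captured from the poster's firewall."""
import re

# %PIX-4-450001 is the message the PIX logs when the licensed host limit is exceeded.
LICENSE_DENY = re.compile(
    r"%PIX-4-450001: Deny traffic for protocol \d+ "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ dst \w+:[\d.]+/\d+, "
    r"licensed host limit of (?P<limit>\d+) exceeded"
)
# 302013 (TCP) / 302015 (UDP) "Built outbound" means the inside host got an xlate,
# which is what consumes one of the licensed host slots.
BUILT_OUTBOUND = re.compile(
    r"%PIX-6-30201[35]: Built outbound (?:TCP|UDP) connection \d+ "
    r"for \w+:[\d.]+/\d+ \([\d.]+/\d+\) to (?P<if>\w+):(?P<host>[\d.]+)/\d+"
)
# Summary line of `show local-host` on PIX 6.3.
LOCAL_HOST_SUMMARY = re.compile(
    r"Interface (?P<if>\w+): (?P<active>\d+) active, "
    r"(?P<max>\d+) maximum active, (?P<denied>\d+) denied"
)

# Constructed sample input.
SYSLOG = """\
%PIX-6-302013: Built outbound TCP connection 1101 for outside:64.233.167.99/80 (64.233.167.99/80) to inside:192.168.0.118/1345 (192.168.0.1/1024)
%PIX-6-302015: Built outbound UDP connection 1102 for outside:4.2.2.2/53 (4.2.2.2/53) to inside:192.168.0.119/1029 (192.168.0.1/1025)
%PIX-6-302013: Built outbound TCP connection 1103 for outside:64.233.167.99/80 (64.233.167.99/80) to inside:192.168.0.118/1346 (192.168.0.1/1026)
%PIX-4-450001: Deny traffic for protocol 6 src inside:192.168.0.130/1050 dst outside:207.46.197.32/80, licensed host limit of 10 exceeded
%PIX-4-450001: Deny traffic for protocol 17 src inside:192.168.0.131/1051 dst outside:4.2.2.2/53, licensed host limit of 10 exceeded
"""

SHOW_LOCAL_HOST = """\
Interface inside: 10 active, 10 maximum active, 27 denied
local host: <192.168.0.118>,
    TCP connection count/limit = 2/unlimited
    UDP connection count/limit = 0/unlimited
"""


def parse_syslog(text):
    """Return inside hosts holding a licensed slot and hosts denied for the limit."""
    holding = set()   # inside hosts that built an xlate-backed connection
    denied = {}       # inside host -> number of 450001 denials
    limit = None
    for line in text.splitlines():
        m = BUILT_OUTBOUND.search(line)
        if m and m.group("if") == "inside":
            holding.add(m.group("host"))
            continue
        m = LICENSE_DENY.search(line)
        if m:
            denied[m.group("src")] = denied.get(m.group("src"), 0) + 1
            limit = int(m.group("limit"))
    return {"holding": holding, "denied": denied, "limit": limit}


def parse_local_host_summary(text, interface="inside"):
    """Return (active, maximum active, denied) from the show local-host summary."""
    for line in text.splitlines():
        m = LOCAL_HOST_SUMMARY.search(line)
        if m and m.group("if") == interface:
            return int(m.group("active")), int(m.group("max")), int(m.group("denied"))
    raise ValueError(f"no local-host summary line for interface {interface!r}")


def license_verdict(syslog, show_local_host, license_limit=10):
    """Combine both sources; the limit is the cause if either shows denials."""
    logs = parse_syslog(syslog)
    active, max_active, denied_counter = parse_local_host_summary(show_local_host)
    return {
        "license_limit_hit": bool(logs["denied"]) or denied_counter > 0,
        "limit": logs["limit"] or license_limit,
        "active_hosts": active,
        "max_active": max_active,
        "denied_counter": denied_counter,
        "denied_hosts": sorted(logs["denied"]),
        "hosts_holding_slots": sorted(logs["holding"]),
    }


if __name__ == "__main__":
    for k, v in license_verdict(SYSLOG, SHOW_LOCAL_HOST).items():
        print(f"{k}: {v}")
```

Feed it the real `logging host` capture and the real `show local-host` output instead of the constructed samples; if `denied_hosts` stays empty and the denied counter stays at zero while users are still losing connectivity, the license is not the explanation and something else (such as the hardware fault that TAC later diagnosed in this thread) should be suspected.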

No, it isn't ARP tables.


Reply to
Walter Roberson

Read your post in google groups, Walter; got it - and thank you.

On the subject of stopping peer-to-peer processes: how might one do that with a PIX? Is my experiment with an access list on track?

As in

access-list bs deny tcp any any eq 6346

access-group bs in interface outside


Reply to
barret bonden

Upgrade to PIX 7 or a Cisco ASA and use the more advanced inspection capabilities, or switch to a Cisco IOS router with NBAR.

Yes, no, sort of. The P2P software that uses fixed port numbers can often be blocked by blocking the master IP addresses instead (thus not allowing people to access the coordinating nodes.) But any modern P2P software uses varying port numbers and uses named hosts internally and alters the DNS addresses. Some of it will literally port-scan hosts, knocking on every port in hopes of finding a node living there. Some of it uses zombie PCs -- residential PCs that have been taken over without the owner's knowledge (possibly via a virus.)

To control P2P, you should permit connections *only* to those hosts and ports that you *really* need (e.g., your business partners, your mail servers, your Usenet server), and block *everything* else until it can be proven innocent. But that can be a lot of work if your users have a lot of valid places to visit, so at that point you need to start using something between which inspects the traffic and ensures that it matches the official protocols for the ports permitted through. But -anything- can be tunneled over http...

Reply to
Walter Roberson
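The access-list question in the post above and Walter's "permit only what you really need" answer both come down to how a PIX evaluates an access-list: top-down, first match wins, and a list that matches nothing denies the packet. The script below is an added example, not code from the thread or from Cisco: a small first-match evaluator for the subset of PIX access-list syntax used in the posted config, run against constructed flows to compare three lists. The `bs` list is the deny-only one from the config; the version with a trailing `permit ip any any` and the `strict` allow-list, together with the server addresses in it, are assumptions made for the example.

```python
"""Added example (not part of the thread): first-match evaluation of PIX-style
access-lists, to show what a deny-only list does when applied to the inside
interface and how an allow-list in Walter's style compares.

The flows, the `permit ip any any` variant and the `strict` list are
constructed for this example; only the `bs` deny lines come from the posted
configuration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" | "udp"
    src: str
    dst: str
    dport: int


def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config_lines):
    """Return {name: [(action, proto, src_net, dst_net, dport|None), ...]} in order."""
    acls = {}
    for line in config_lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls


def evaluate(aces, flow):
    """First matching entry wins; no match is the PIX's implicit deny."""
    for action, proto, src, dst, port in aces:
        if proto not in ("ip", flow.proto):
            continue
        if ipaddress.ip_address(flow.src) not in src:
            continue
        if ipaddress.ip_address(flow.dst) not in dst:
            continue
        if port is not None and port != flow.dport:
            continue
        return action
    return "deny"


# Deny lines from the posted config (two of them are enough to show the effect).
POSTED = [
    "access-list bs deny tcp any any eq 3646",
    "access-list bs deny tcp any any eq 6346",
]
# Assumed fix: the same denies followed by an explicit permit, so that applying
# the list with 'access-group bs in interface inside' does not also cut off
# every other outbound flow.
FIXED = POSTED + ["access-list bs permit ip any any"]
# Assumed allow-list in Walter's style: only the destinations that are needed.
ALLOWLIST = [
    "access-list strict permit tcp any host 192.0.2.25 eq 25",   # mail server (assumed)
    "access-list strict permit udp any host 192.0.2.53 eq 53",   # DNS server (assumed)
    "access-list strict permit tcp any any eq 80",
    "access-list strict permit tcp any any eq 443",
]

# Constructed outbound flows from an inside host.
FLOWS = {
    "web": Flow("tcp", "192.168.0.118", "64.233.167.99", 80),
    "limewire": Flow("tcp", "192.168.0.118", "198.51.100.7", 6346),
    "p2p_odd_port": Flow("tcp", "192.168.0.118", "198.51.100.7", 31337),
    "dns": Flow("udp", "192.168.0.118", "192.0.2.53", 53),
}


def decisions(config_lines, name):
    """Decision for every sample flow under access-list `name`."""
    aces = parse_acl(config_lines)[name]
    return {label: evaluate(aces, flow) for label, flow in FLOWS.items()}


if __name__ == "__main__":
    for title, lines, name in (("posted", POSTED, "bs"), ("fixed", FIXED, "bs"),
                               ("allow-list", ALLOWLIST, "strict")):
        print(title, decisions(lines, name))
```

Under the deny-only list every sample flow is denied, which is the "stop more communication than I'd like" effect when such a list is bound to the inside interface; on the outside interface the same implicit deny only restates what the PIX already does to unsolicited inbound traffic, so nothing visibly changes. Adding `permit ip any any` leaves web and DNS working but, as Walter warns, also lets the peer-to-peer client through on any port it was not told about; only the allow-list denies the odd-port flow.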

Walter:

The connection problems (dropped telnets, a LAN with fewer than 10 machines but people unable to get on until I cleared xlates and arp tables or just pulled plugs) were diagnosed today by TAC as a hardware issue; I got an RMA and a quote from TAC that said in essence "the license is for 10 computers" and "you're right sir; it's the number of machines in the ARP table that defines the limit; having nothing to do with connections. A 10 user license allows 10 computers to communicate through the PIX in any way" - or so I understood.

TAC also went on to say that he's seen this a number of times prior....

? Thought you'd find it interesting .... just more of a puzzle ....


Reply to
barret bonden

Yah, that can happen, especially if the power supply connector is loose.

I'm -sure- the license limit isn't based upon the ARP tables: it is based upon the number of host containers, and host containers are a function of xlates. If a host pings the PIX or connects to it for management purposes, then no host container is built. I've traced through quite enough log entries to have seen the triggers.

If the TAC employee said it was based upon the ARP entries, then the TAC employee was wrong.

(If the implication of that is that I believe I know the PIX better than that TAC does... well, that wouldn't be inconsistent with my experiences with the first level of TAC.)

Reply to
Walter Roberson

Thought so. Many thanks.

Reply to
barret bonden
