tips for beefing up my PIX

Hello, I have my PIX doing tunnels and VPN. I would like to block some ports and maybe enable some kind of attack log. Any ideas on what commands to use? Maybe block DOD, if that is how it is called. I have a Cisco engineer coming on Sunday and I would like to have some ideas on what to do. Thanks.

Reply to
jcharth

In article , wrote:
:Hello, I have my pix doing tunnels and vpn, I would like to block some
:ports and maybe enable some kind of attack log. Any ideas on what
:commands to use? maybe block DOD if that is how it is call.

If you want to be more selective about what is allowed between sites that have a tunnel between them, then the first thing you have to do is turn off sysopt connection permit-ipsec. Once that is turned off, no packet is considered for transmitting over the VPN unless it passes the access conditions placed on the interface the packet arrives at, and when a tunneled packet is received over the link, then after decapsulation it must pass the access conditions of the interface it arrived at before being permitted to go onwards.

For example,

::: Node A :::

name 192.168.47.131 NodeB_DNS_server
name 192.168.81.0 NodeA_Net

: outward towards NodeB
access-list NodeA_In2Out permit udp NodeA_Net 255.255.255.0 host NodeB_DNS_server eq domain

: inward from NodeB
access-list NodeA_Out2In permit udp host NodeB_DNS_server eq domain NodeA_Net 255.255.255.0

access-group NodeA_In2Out in interface inside
access-group NodeA_Out2In in interface outside

::: Node B :::

name 192.168.47.131 NodeB_DNS_server
name 192.168.81.0 NodeA_Net

: inwards from NodeA
access-list NodeB_Out2In permit udp NodeA_Net 255.255.255.0 host NodeB_DNS_server eq domain

: outwards toward NodeA
access-list NodeB_In2Out permit udp host NodeB_DNS_server eq domain NodeA_Net 255.255.255.0

access-group NodeB_Out2In in interface outside
access-group NodeB_In2Out in interface inside

name 192.168.81.46 LoggerHost

logging on
logging timestamp
logging host inside LoggerHost
logging trap informational
logging buffered informational

If LoggerHost is a Linux or Solaris system, then you will need to specifically configure syslogd to be permitted to receive syslog packets from the PIX.

Note: if your public address space is more than a handful of IPs wide, you will likely find that your "attack log" is nearly useless, because the volume of attacks will overwhelm you unless you have tools to filter out the harder attacks from the routine attacks that go on all the time. Even if you have only one public IP, you will find that your first attack will arrive within literally seconds.

Every once in a while, someone does a test by putting an unprotected stock Windows machine on the network and timing how long until it is taken over. The last result I heard was "less than 2 seconds".

On Monday of this week alone, we recorded 2.9 million log entries over our 780 public IPs, which works out to an average of 1 every 24 seconds per IP (except for various technical reasons, it's more like 1 every 18 seconds per IP.) For a single public IP, that'd come out as 4800 entries per day... times 2 because you have one public IP at each endpoint. Are you equipped to be able to analyze ten thousand log entries per day?

Reply to
Walter Roberson
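As an added example (not part of the thread, nor Cisco's code), here is a small Python triage script for the log volume Walter describes above: it parses the PIX 106023 "Deny ... by access-group" syslog messages that an interface access-list generates and counts them by destination port and by source host, so the routine background noise can be separated from the entries worth looking at. The log lines below are constructed samples in the PIX 6.x syslog format with "logging timestamp" enabled; the host name "pix" and the addresses are assumptions.

```python
import re
from collections import Counter

# PIX message 106023 is what the firewall logs for a packet dropped by an
# interface access-list (e.g. the NodeA_Out2In list on the outside interface).
DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? '
    r'by access-group "(?P<acl>[^"]+)"'
)

def parse_denies(lines):
    """Yield one dict of fields per 106023 line; other messages are skipped."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            yield m.groupdict()

def summarize(lines, top=5):
    """Return the most common (proto, dst port) pairs and source hosts."""
    by_port = Counter()
    by_src = Counter()
    for d in parse_denies(lines):
        by_port[(d["proto"], d["dport"])] += 1
        by_src[d["src"]] += 1
    return by_port.most_common(top), by_src.most_common(top)

# Constructed sample lines (not captured from a real PIX); the fourth line is
# a non-deny message included to show that it is ignored.
SAMPLE = """\
Jan 05 09:00:01 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/4021 dst inside:192.168.81.46/135 by access-group "NodeA_Out2In"
Jan 05 09:00:02 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/4022 dst inside:192.168.81.46/445 by access-group "NodeA_Out2In"
Jan 05 09:00:03 pix %PIX-4-106023: Deny udp src outside:203.0.113.9/1434 dst inside:192.168.81.46/1434 by access-group "NodeA_Out2In"
Jan 05 09:00:03 pix %PIX-6-302015: Built inbound UDP connection 12 for outside:192.168.47.131/53 (192.168.47.131/53) to inside:192.168.81.46/1025 (192.168.81.46/1025)
Jan 05 09:00:04 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/4023 dst inside:192.168.81.46/135 by access-group "NodeA_Out2In"
""".splitlines()

if __name__ == "__main__":
    ports, srcs = summarize(SAMPLE)
    print("Top denied (proto, port):", ports)
    print("Top sources:", srcs)
```

Feeding the script a day's syslog file instead of SAMPLE gives the per-port and per-source view that makes ten thousand entries a day reviewable.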

Thanks Laurie. I guess that should get me started for this Sunday.

Reply to
jcharth
