Should I block packet at Edge Router or Firewall? (Prefilter?)

Mar 18th, 2003

I'm filtering traffic on my edge router to relieve the load on my PIX. Should I bother? I started filtering out traffic to ports 137-139 and to 445; since then, people have complained of slower access to the internet.


My Edge Router is:

CPU utilization for five seconds: 20%/20%; one minute: 23%; five minutes: 29%

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.1(2)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Tue 16-May-00 15:15 by ccai
Image text-base: 0x80008088, data-base: 0x80865F64
ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
uptime is 13 weeks, 6 days, 20 hours, 41 minutes
System returned to ROM by power-on
System image file is "flash:c2600-i-mz.121-2.T"
cisco 2621 (MPC860) processor (revision 0x600) with 44032K/5120K bytes of memory.
Processor board ID JAD05330C0L (3699876051)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)


My PIX is:

CPU utilization for 5 seconds = 1%; 1 minute: 0%; 5 minutes: 1%

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(1)
Compiled on Fri 07-Jun-02 17:49 by morlee
up 49 days 18 hours
Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 0050.54fe.ef68, irq 10
1: ethernet1: address is 0050.54fe.ef69, irq 7
2: ethernet2: address is 0002.b3ad.7fda, irq 9
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited




gfullage (Cisco Employee) Tue, 03/18/2003 - 15:00

Why bother, let the firewall do its job, and let the router route packets.

stownsend Tue, 03/18/2003 - 15:09

I guess I'll have to increase the alarm threshold on the logger. It's set to alarm if there are 3000 log events within an hour.


Is 3000 an hour quite a bit or?


Thanks,

Scott<-

gfullage (Cisco Employee) Thu, 03/20/2003 - 15:07

Depends what level you're logging at. If you log down to debugging, which will show you every connection creation and deletion, plus every URL that people go to, then no, I wouldn't say 3000 an hour is huge for a busy network.

stownsend Thu, 03/20/2003 - 17:10

This is what I'm logging:

logging trap warnings

So it's not logging the connections and URLs.


Here are the stats on the access list for the edge router; these are from late Monday evening.


deny tcp any 192.168.1.0 0.0.0.255 eq telnet
deny udp any 192.168.1.0 0.0.0.255 eq 23
deny tcp any 192.168.1.0 0.0.0.255 eq 137
deny tcp any 192.168.1.0 0.0.0.255 eq 138
deny tcp any 192.168.1.0 0.0.0.255 eq 139 (3644 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-dgm (6 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-ns (178610 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-ss
deny tcp any 192.168.1.0 0.0.0.255 eq 445 (52464 matches)
deny udp any 192.168.1.0 0.0.0.255 eq 445
deny tcp any 192.168.1.0 0.0.0.255 eq 1433 (2975 matches)
deny tcp any 192.168.1.0 0.0.0.255 eq 1434 (904 matches)
deny udp any 192.168.1.0 0.0.0.255 eq 1433
deny udp any 192.168.1.0 0.0.0.255 eq 1434 (11275 matches)
deny tcp any 192.168.1.0 0.0.0.255 eq 6346 (118449 matches)
deny udp any 192.168.1.0 0.0.0.255 eq 6346 (4 matches)
deny tcp any 192.168.1.0 0.0.0.255 eq 6347
deny udp any 192.168.1.0 0.0.0.255 eq 6347
deny icmp any 0.0.0.0 255.255.255.0 (187 matches)
deny icmp any 0.0.0.255 255.255.255.0 (232 matches)
deny icmp any any redirect (13 matches)
deny ip 10.0.0.0 0.255.255.255 any (26012 matches)
deny ip 172.16.0.0 0.15.255.255 any (2024 matches)
deny ip 192.168.0.0 0.0.255.255 any (4885 matches)
deny ip 224.0.0.0 31.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any (18 matches)
deny ip 127.0.0.0 0.255.255.255 any
deny ip 255.0.0.0 0.255.255.255 any
deny ip host 0.0.0.0 any
permit ip any any (92906390 matches)



It just seems like netbios-ns, microsoft-ds (445) and some others are pretty high.


Thanks,

Scott<-
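The question the thread keeps circling is whether the deny counters above are "a lot" relative to the permitted traffic, and what they would mean for a syslog alarm threshold if the deny entries were logged. As an added example (not code from the thread, from Cisco, or from either poster), the Python below parses "show access-lists" style output with hit counters, ranks the deny entries by hits, and computes the denied share of all matched packets. The sample input is constructed in the same shape as the posted ACL; the counter window (how many hours the counters cover) is an assumption the page does not state, so it is a parameter. IOS omits the "(n matches)" suffix for entries with zero hits, which the parser treats as 0.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of IOS "show access-lists" output with
# hit counters (a subset of the lines posted in the thread).
SAMPLE_ACL = """\
deny tcp any 192.168.1.0 0.0.0.255 eq 139 (3644 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-dgm (6 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-ns (178610 matches)
deny tcp any 192.168.1.0 0.0.0.255 eq 445 (52464 matches)
deny udp any 192.168.1.0 0.0.0.255 eq 445
deny tcp any 192.168.1.0 0.0.0.255 eq 6346 (118449 matches)
deny icmp any any redirect (13 matches)
deny ip 10.0.0.0 0.255.255.255 any (26012 matches)
permit ip any any (92906390 matches)
"""

AceStat = namedtuple("AceStat", "action proto dst_port matches text")

# action, protocol, the rest of the ACE, and an optional "(n matches)" suffix
ACE_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)"
    r"(?:\s+\((?P<matches>\d+)\s+matches\))?\s*$"
)
# destination port/service name after "eq" (e.g. "eq 445", "eq netbios-ns")
PORT_RE = re.compile(r"\beq\s+(\S+)")


def parse_acl(text):
    """Parse ACE lines into AceStat records; non-ACE lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        port = PORT_RE.search(m.group("rest"))
        entries.append(AceStat(
            action=m.group("action"),
            proto=m.group("proto"),
            dst_port=port.group(1) if port else None,
            # IOS prints no counter for entries with zero hits.
            matches=int(m.group("matches") or 0),
            text=line.strip(),
        ))
    return entries


def top_denies(entries, n=3):
    """The n deny entries with the most hits, highest first."""
    denies = [e for e in entries if e.action == "deny"]
    return sorted(denies, key=lambda e: e.matches, reverse=True)[:n]


def deny_ratio(entries):
    """Fraction of all matched packets that hit a deny entry."""
    total = sum(e.matches for e in entries)
    denied = sum(e.matches for e in entries if e.action == "deny")
    return denied / total if total else 0.0


def events_per_hour(entries, window_hours):
    """Syslog rate a logger would see if every deny ACE carried 'log'.
    window_hours (how long the counters have accumulated) is an assumption;
    compare the result against an alarm threshold such as 3000/hour."""
    denied = sum(e.matches for e in entries if e.action == "deny")
    return denied / window_hours


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for e in top_denies(acl):
        print(f"{e.matches:>8}  {e.text}")
    print(f"denied share of matched packets: {deny_ratio(acl):.4%}")
    print(f"deny events/hour over a 24h window: {events_per_hour(acl, 24):.0f}")
```

Run against a full "show access-lists" capture, the ranking shows which blocks are doing the work (here netbios-ns and the Gnutella port, not 445), and the ratio gives a sense of proportion: the denies are a small fraction of packets even though the raw counts look large. The per-hour figure is only meaningful once you know the counter window, which is why it is explicit.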
