
Should I block packet at Edge Router or Firewall? (Prefilter?)

stownsend
Level 2

I'm filtering traffic on my edge router to relieve the load on my PIX. Should I bother? I started filtering out traffic to ports 137-139 and 445; since then people have complained of slower access to the internet.

My Edge Router is:

CPU utilization for five seconds: 20%/20%; one minute: 23%; five minutes: 29%
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.1(2)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Tue 16-May-00 15:15 by ccai
Image text-base: 0x80008088, data-base: 0x80865F64
ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
uptime is 13 weeks, 6 days, 20 hours, 41 minutes
System returned to ROM by power-on
System image file is "flash:c2600-i-mz.121-2.T"
cisco 2621 (MPC860) processor (revision 0x600) with 44032K/5120K bytes of memory.
Processor board ID JAD05330C0L (3699876051)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

My PIX is:

CPU utilization for 5 seconds = 1%; 1 minute: 0%; 5 minutes: 1%
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(1)
Compiled on Fri 07-Jun-02 17:49 by morlee
up 49 days 18 hours
Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 0050.54fe.ef68, irq 10
1: ethernet1: address is 0050.54fe.ef69, irq 7
2: ethernet2: address is 0002.b3ad.7fda, irq 9
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

4 Replies

gfullage
Cisco Employee

Why bother, let the firewall do its job, and let the router route packets.

I guess I'll have to increase the alarm threshold on the logger. It's set to alarm if there are 3000 log events within an hour.

Is 3000 an hour quite a bit, or not?

Thanks,

Scott<-

Depends what level you're logging at. If you log down to debugging, which will show you every connection creation and deletion, plus every URL that people go to, then no, I wouldn't say 3000 an hour is huge for a busy network.

This is what I'm Logging:

logging trap warnings

So it's not logging the connections and URLs.

Here are the stats on the access list for the edge router; these are from late Monday evening.

deny tcp any 192.168.1.0 0.0.0.255 eq telnet
deny udp any 192.168.1.0 0.0.0.255 eq 23
deny tcp any 192.168.1.0 0.0.0.255 eq 137
deny tcp any 192.168.1.0 0.0.0.255 eq 138
deny tcp any 192.168.1.0 0.0.0.255 eq 139 (3644 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-dgm (6 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-ns (178610 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-ss
deny tcp any 192.168.1.0 0.0.0.255 eq 445 (52464 matches)
deny udp any 192.168.1.0 0.0.0.255 eq 445
deny tcp any 192.168.1.0 0.0.0.255 eq 1433 (2975 matches)
deny tcp any 192.168.1.0 0.0.0.255 eq 1434 (904 matches)
deny udp any 192.168.1.0 0.0.0.255 eq 1433
deny udp any 192.168.1.0 0.0.0.255 eq 1434 (11275 matches)
deny tcp any 192.168.1.0 0.0.0.255 eq 6346 (118449 matches)
deny udp any 192.168.1.0 0.0.0.255 eq 6346 (4 matches)
deny tcp any 192.168.1.0 0.0.0.255 eq 6347
deny udp any 192.168.1.0 0.0.0.255 eq 6347
deny icmp any 0.0.0.0 255.255.255.0 (187 matches)
deny icmp any 0.0.0.255 255.255.255.0 (232 matches)
deny icmp any any redirect (13 matches)
deny ip 10.0.0.0 0.255.255.255 any (26012 matches)
deny ip 172.16.0.0 0.15.255.255 any (2024 matches)
deny ip 192.168.0.0 0.0.255.255 any (4885 matches)
deny ip 224.0.0.0 31.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any (18 matches)
deny ip 127.0.0.0 0.255.255.255 any
deny ip 255.0.0.0 0.255.255.255 any
deny ip host 0.0.0.0 any
permit ip any any (92906390 matches)

Just seems like the netbios-ns microsoft-ds (445) and some others are pretty high.

Thanks,

Scott<-
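Scott eyeballed the counters above to decide that netbios-ns and 445 are the heavy hitters. The following is an added example, not part of the thread, that does the same ranking programmatically: it parses `show access-lists` style output (the thread's own ACL lines, embedded here as constructed input), totals the deny hits per service, and puts the total next to the 3000-events-per-hour logger threshold Scott mentioned, which is the number that matters if one were to add `log` to these entries. The time window is an assumption (counters never cleared since the router's last reload, using the uptime from the `show version` output above); the service labels for 1433/1434 (MS SQL Server) and 6346/6347 (Gnutella) come from well-known port assignments, not from the thread.

```python
"""Rank the deny entries of an IOS access-list by hit count and compare the
total against an hourly syslog alarm threshold.  Added example for the thread
above, not from the original post."""
import re
from collections import defaultdict

# Constructed sample: the edge-router ACL counters quoted in the thread.
# IOS prints "(N matches)" only for entries that have been hit at least once.
ACL_OUTPUT = """\
deny tcp any 192.168.1.0 0.0.0.255 eq telnet
deny udp any 192.168.1.0 0.0.0.255 eq 23
deny tcp any 192.168.1.0 0.0.0.255 eq 137
deny tcp any 192.168.1.0 0.0.0.255 eq 138
deny tcp any 192.168.1.0 0.0.0.255 eq 139 (3644 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-dgm (6 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-ns (178610 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-ss
deny tcp any 192.168.1.0 0.0.0.255 eq 445 (52464 matches)
deny udp any 192.168.1.0 0.0.0.255 eq 445
deny tcp any 192.168.1.0 0.0.0.255 eq 1433 (2975 matches)
deny tcp any 192.168.1.0 0.0.0.255 eq 1434 (904 matches)
deny udp any 192.168.1.0 0.0.0.255 eq 1433
deny udp any 192.168.1.0 0.0.0.255 eq 1434 (11275 matches)
deny tcp any 192.168.1.0 0.0.0.255 eq 6346 (118449 matches)
deny udp any 192.168.1.0 0.0.0.255 eq 6346 (4 matches)
deny tcp any 192.168.1.0 0.0.0.255 eq 6347
deny udp any 192.168.1.0 0.0.0.255 eq 6347
deny icmp any 0.0.0.0 255.255.255.0 (187 matches)
deny icmp any 0.0.0.255 255.255.255.0 (232 matches)
deny icmp any any redirect (13 matches)
deny ip 10.0.0.0 0.255.255.255 any (26012 matches)
deny ip 172.16.0.0 0.15.255.255 any (2024 matches)
deny ip 192.168.0.0 0.0.255.255 any (4885 matches)
deny ip 224.0.0.0 31.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any (18 matches)
deny ip 127.0.0.0 0.255.255.255 any
deny ip 255.0.0.0 0.255.255.255 any
deny ip host 0.0.0.0 any
permit ip any any (92906390 matches)
"""

# One ACE per line; the "(N matches)" suffix is optional.
ENTRY_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<matches>\d+) matches\))?\s*$"
)

# Destination ports as written in the ACL, grouped by service.  netbios-ns/
# netbios-dgm/netbios-ss are the IOS names for UDP 137/138/139; 445 is
# microsoft-ds (the thread's own label); 1433/1434 and 6346/6347 are labelled
# from well-known port assignments (assumption, the thread does not name them).
SERVICE_OF_PORT = {
    "telnet": "telnet", "23": "telnet",
    "137": "netbios", "138": "netbios", "139": "netbios",
    "netbios-ns": "netbios", "netbios-dgm": "netbios", "netbios-ss": "netbios",
    "445": "microsoft-ds", "1433": "ms-sql", "1434": "ms-sql",
    "6346": "gnutella", "6347": "gnutella",
}


def parse_acl(text):
    """Return one dict per ACE: action, protocol, rule text, integer hit count."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # e.g. an "Extended IP access list 101" header line
        entries.append({
            "action": m.group("action"),
            "proto": m.group("proto"),
            "rule": m.group("rule"),
            "matches": int(m.group("matches") or 0),
        })
    return entries


def classify(entry):
    """Bucket an ACE by what it filters: a destination service, ICMP, or a
    source range that should never arrive from the outside (bogon source)."""
    tokens = entry["rule"].split()
    if "eq" in tokens:
        port = tokens[tokens.index("eq") + 1]
        return SERVICE_OF_PORT.get(port, "port-" + port)
    if entry["proto"] == "icmp":
        return "icmp"
    if entry["proto"] == "ip" and tokens[-1] == "any":
        return "bogon-source"  # RFC1918, loopback, multicast, 0/8, 255/8
    return "other"


def summarize(entries):
    """Deny/permit totals plus deny hits per service bucket, largest first."""
    denied = sum(e["matches"] for e in entries if e["action"] == "deny")
    permitted = sum(e["matches"] for e in entries if e["action"] == "permit")
    per_bucket = defaultdict(int)
    for e in entries:
        if e["action"] == "deny":
            per_bucket[classify(e)] += e["matches"]
    ranked = sorted(per_bucket.items(), key=lambda kv: kv[1], reverse=True)
    total = denied + permitted
    return {
        "denied": denied,
        "permitted": permitted,
        "deny_share": denied / total if total else 0.0,
        "by_service": ranked,
    }


def events_per_hour(events, hours):
    """Average event rate over a window, for comparison with an hourly alarm."""
    return events / hours


def exceeds_alarm(events, hours, threshold=3000):
    """True if logging every one of these hits would trip an alarm set to
    `threshold` events per hour (3000/hour is the value from the thread)."""
    return events_per_hour(events, hours) > threshold


if __name__ == "__main__":
    entries = parse_acl(ACL_OUTPUT)
    s = summarize(entries)
    print(f"denied {s['denied']:,} of {s['denied'] + s['permitted']:,} packets "
          f"({s['deny_share']:.2%})")
    for bucket, hits in s["by_service"]:
        print(f"  {bucket:<14} {hits:>10,}")
    # Assumed window: counters not cleared since the last reload, i.e. the
    # 13 weeks 6 days 20 hours of uptime shown in the thread.  Shorten this if
    # "clear access-list counters" was run more recently.
    window_h = 13 * 7 * 24 + 6 * 24 + 20
    print(f"~{events_per_hour(s['denied'], window_h):.0f} denies/hour over "
          f"{window_h} h; would trip a 3000/h alarm: "
          f"{exceeds_alarm(s['denied'], window_h)}")
```

Run as a script it prints the per-service ranking (NetBIOS name service first, then 6346/6347, then 445) and shows that the denied traffic is well under half a percent of what the `permit ip any any` line passed; with the assumed window the average deny rate stays far below 3000 per hour, which is the kind of check worth doing before adding `log` to an ACE on a router that is already at 20-30% CPU.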
