03-18-2003 11:29 AM - edited 03-09-2019 02:34 AM
I'm filtering traffic on my edge router to relieve the load on my PIX. Should I bother? I started filtering out traffic to ports 137-139 and 445; since then, people have complained of slower access to the internet.
My Edge Router is:
CPU utilization for five seconds: 20%/20%; one minute: 23%; five minutes: 29%
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.1(2)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Tue 16-May-00 15:15 by ccai
Image text-base: 0x80008088, data-base: 0x80865F64
ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
uptime is 13 weeks, 6 days, 20 hours, 41 minutes
System returned to ROM by power-on
System image file is "flash:c2600-i-mz.121-2.T"
cisco 2621 (MPC860) processor (revision 0x600) with 44032K/5120K bytes of memory.
Processor board ID JAD05330C0L (3699876051)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
My PIX is:
CPU utilization for 5 seconds = 1%; 1 minute: 0%; 5 minutes: 1%
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(1)
Compiled on Fri 07-Jun-02 17:49 by morlee
up 49 days 18 hours
Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 0050.54fe.ef68, irq 10
1: ethernet1: address is 0050.54fe.ef69, irq 7
2: ethernet2: address is 0002.b3ad.7fda, irq 9
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
03-18-2003 03:00 PM
Why bother, let the firewall do its job, and let the router route packets.
03-18-2003 03:09 PM
I guess I'll have to increase the alarm threshold on the logger. It's set to alarm if there are 3000 log events within an hour.
Is 3000 an hour quite a bit or?
Thanks,
Scott<-
03-20-2003 03:07 PM
Depends what level you're logging at. If you log down to debugging, which will show you every connection creation and deletion, plus every URL that people go to, then no, I wouldn't say 3000 an hour is huge for a busy network.
03-20-2003 05:10 PM
This is what I'm logging:
logging trap warnings
So it's not logging the connections and URLs.
Here are the stats on the access list for the edge router; these are from late Monday evening.
deny tcp any 192.168.1.0 0.0.0.255 eq telnet
deny udp any 192.168.1.0 0.0.0.255 eq 23
deny tcp any 192.168.1.0 0.0.0.255 eq 137
deny tcp any 192.168.1.0 0.0.0.255 eq 138
deny tcp any 192.168.1.0 0.0.0.255 eq 139 (3644 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-dgm (6 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-ns (178610 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-ss
deny tcp any 192.168.1.0 0.0.0.255 eq 445 (52464 matches)
deny udp any 192.168.1.0 0.0.0.255 eq 445
deny tcp any 192.168.1.0 0.0.0.255 eq 1433 (2975 matches)
deny tcp any 192.168.1.0 0.0.0.255 eq 1434 (904 matches)
deny udp any 192.168.1.0 0.0.0.255 eq 1433
deny udp any 192.168.1.0 0.0.0.255 eq 1434 (11275 matches)
deny tcp any 192.168.1.0 0.0.0.255 eq 6346 (118449 matches)
deny udp any 192.168.1.0 0.0.0.255 eq 6346 (4 matches)
deny tcp any 192.168.1.0 0.0.0.255 eq 6347
deny udp any 192.168.1.0 0.0.0.255 eq 6347
deny icmp any 0.0.0.0 255.255.255.0 (187 matches)
deny icmp any 0.0.0.255 255.255.255.0 (232 matches)
deny icmp any any redirect (13 matches)
deny ip 10.0.0.0 0.255.255.255 any (26012 matches)
deny ip 172.16.0.0 0.15.255.255 any (2024 matches)
deny ip 192.168.0.0 0.0.255.255 any (4885 matches)
deny ip 224.0.0.0 31.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any (18 matches)
deny ip 127.0.0.0 0.255.255.255 any
deny ip 255.0.0.0 0.255.255.255 any
deny ip host 0.0.0.0 any
permit ip any any (92906390 matches)
Just seems like the netbios-ns microsoft-ds (445) and some others are pretty high.
Thanks,
Scott<-
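The question at the end of the post (are the netbios-ns and 445 counters "pretty high"?) is easier to answer once the `show access-list` counters are turned into a ranked table and an hourly rate. The following Python is an added example written for this thread, not code from Cisco or from any poster: it parses IOS-style ACL lines with their `(N matches)` suffixes, ranks the deny entries, reports what fraction of all counted packets the deny entries absorb, and converts a counter into a per-hour rate. The sample text is constructed from a subset of the counters quoted above; the number of hours since the counters were last cleared is not stated in the thread, so the caller supplies it as an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the ACL counters quoted in the thread,
# not live output from any device.
SAMPLE_ACL = """\
deny tcp any 192.168.1.0 0.0.0.255 eq 139 (3644 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-dgm (6 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-ns (178610 matches)
deny udp any 192.168.1.0 0.0.0.255 eq netbios-ss
deny tcp any 192.168.1.0 0.0.0.255 eq 445 (52464 matches)
deny udp any 192.168.1.0 0.0.0.255 eq 1434 (11275 matches)
deny tcp any 192.168.1.0 0.0.0.255 eq 6346 (118449 matches)
deny ip 10.0.0.0 0.255.255.255 any (26012 matches)
permit ip any any (92906390 matches)
"""

# One access-control entry: action, the rule text, and an optional match counter.
ACE_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<rule>.+?)\s*"
    r"(?:\((?P<matches>\d+)\s+matches\))?\s*$"
)


@dataclass
class Ace:
    action: str
    rule: str
    matches: int


def parse_acl(text):
    """Parse IOS 'show access-list' style entries into Ace records.
    An entry with no '(N matches)' suffix has never matched; count it as 0."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # blank lines or header lines are skipped
        aces.append(Ace(m.group("action"), m.group("rule"),
                        int(m.group("matches") or 0)))
    return aces


def rank_denies(aces):
    """Deny entries, busiest first, so the noisiest blocked ports stand out."""
    return sorted((a for a in aces if a.action == "deny"),
                  key=lambda a: a.matches, reverse=True)


def denied_total(aces):
    """Sum of all deny counters."""
    return sum(a.matches for a in aces if a.action == "deny")


def deny_share(aces):
    """Fraction of all counted packets that hit a deny entry (0.0 if no counts)."""
    total = sum(a.matches for a in aces)
    return denied_total(aces) / total if total else 0.0


def per_hour(matches, hours):
    """Average matches per hour over the interval since the counters were cleared.
    The thread does not state that interval, so 'hours' is an assumption supplied
    by the caller; a non-positive interval yields infinity rather than a bogus rate."""
    return matches / hours if hours > 0 else float("inf")


if __name__ == "__main__":
    aces = parse_acl(SAMPLE_ACL)
    for ace in rank_denies(aces):
        print(f"{ace.matches:>10}  deny {ace.rule}")
    print(f"deny share of all counted packets: {deny_share(aces):.3%}")
    # Assumed 24-hour counter window, for illustration only.
    print(f"netbios-ns hits per hour (24 h window): "
          f"{per_hour(178610, 24):.0f}")
```

Ranking the entries shows that the large absolute numbers are still a small share of everything the router forwards, which is the comparison that decides whether a threshold such as 3000 events per hour is reasonable for a given log level; the per-hour figure is only meaningful if you know when the counters were last cleared, so record that time (or clear them at a known point) before drawing conclusions.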