Hi All, we recently had an issue with a virus exploiting SMTP port 25 and sending out spam. Since then I have created an access-list on the inside of our PIX 515 to deny SMTP. Since we have a multisite WAN with one Internet circuit, I had to put the access-list on the PIX rather than the site routers, since I did not know where it was coming from.
I see a lot of hitcnts from this access-list I created and would like to track down the IPs of the host. If I do a show logging on the PIX I get a ton of info and it's hard to narrow it down. Is there a more specific log level I can enable, or does someone else have a better recommendation for tracking down the host(s)?
Syslog is the way to go to make it easier for you to know where there are offenders.
However, I would like to add that if the WAN links do get overwhelmed, you can set the access-list on the inbound local interfaces of the routers on the far end and configure them for syslog also, and use the same syslog server to monitor the events. Or, if it is really bad and you have good enough switches, you can set the access-list on the inbound traffic at the ports of the switches, but that's just in case there is a huge load of traffic.
Just beware that if you send a syslog message every time the access-list gets hit, then that volume in itself might bog down the WAN links.
This is great info, thanks guys! One other question: if I decide to send log messages to a syslog server, how would I go about sending just the specific ACL, or at least all ACL hits? I tried this and the PIX is sending log messages, but it seems that I can get it to filter the specified logs it's sending based on severity levels, which again is quite a lot of messages.
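A way to pull the offending inside hosts out of whatever syslog the PIX is already sending, as an added example that is not from any poster in this thread: it parses the two PIX ACL-deny message formats, 106023 (plain ACL deny) and 106100 (deny from an ACE that carries the `log` keyword, which includes a hit count), and totals denied hits per inside source for a given ACL and destination port. The log lines, hosts and the ACL name `inside_in` are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the two PIX ACL-deny formats (hypothetical hosts and ACL name).
SAMPLE_LOG = """\
Jun 10 10:01:02 pix %PIX-4-106023: Deny tcp src inside:10.1.2.3/1025 dst outside:203.0.113.5/25 by access-group "inside_in"
Jun 10 10:01:03 pix %PIX-6-106100: access-list inside_in denied tcp inside/10.1.2.3(1026) -> outside/203.0.113.6(25) hit-cnt 1 first hit [0x8c4e0f5a, 0x0]
Jun 10 10:01:04 pix %PIX-4-106023: Deny tcp src inside:10.1.2.9/2001 dst outside:203.0.113.7/25 by access-group "inside_in"
Jun 10 10:01:05 pix %PIX-6-106100: access-list inside_in denied tcp inside/10.1.2.3(1027) -> outside/203.0.113.8(25) hit-cnt 3 300-second interval [0x8c4e0f5a, 0x0]
Jun 10 10:01:06 pix %PIX-4-106023: Deny tcp src inside:10.1.2.20/3333 dst outside:203.0.113.9/80 by access-group "inside_in"
Jun 10 10:01:07 pix %PIX-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.10/443 ...
"""

# 106023: Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> by access-group "<acl>"
RE_106023 = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
# 106100 (ACE with "log"): access-list <acl> denied <proto> <ifc>/<ip>(<port>) -> <ifc>/<ip>(<port>) hit-cnt N ...
RE_106100 = re.compile(
    r'%PIX-\d-106100: access-list (?P<acl>\S+) denied (?P<proto>\w+) \w+/(?P<src>[\d.]+)\(\d+\) '
    r'-> \w+/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)')

def parse_acl_denies(log_text):
    """Yield (acl, proto, src, dst, dport, hits) for each ACL-deny message; other messages are skipped."""
    for line in log_text.splitlines():
        m = RE_106023.search(line)
        if m:
            yield m['acl'], m['proto'], m['src'], m['dst'], int(m['dport']), 1
            continue
        m = RE_106100.search(line)
        if m:
            # 106100 carries an aggregated count when the ACE uses "log interval", so honour it
            yield m['acl'], m['proto'], m['src'], m['dst'], int(m['dport']), int(m['hits'])

def top_talkers(log_text, acl=None, dport=25):
    """Total denied hits per inside source host, optionally filtered by ACL name and destination port."""
    counts = Counter()
    for acl_name, proto, src, dst, port, hits in parse_acl_denies(log_text):
        if acl and acl_name != acl:
            continue
        if dport is not None and port != dport:
            continue
        counts[src] += hits
    return counts.most_common()

if __name__ == "__main__":
    # Hosts with the most denied SMTP attempts come first; those are the ones to go clean up.
    for host, hits in top_talkers(SAMPLE_LOG, acl="inside_in"):
        print(f"{host:15} {hits}")
```

Point it at the syslog server's file instead of `SAMPLE_LOG` and the hosts at the top of the list are the ones generating the SMTP traffic the ACL is blocking.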