Hi,
Looks like the PIX is not under any 'overuse' situation when you captured the info/stats.
The session has 169 active connection and maximum recorded was 572 (under 'sh conn'):
169 in use, 572 most used
Do you still have similar problem when you captured the stats today? I do not see any sign of max conn of 25,000 happening here. Maybe it is best to capture the info when the PIX started to show sign of 'degraded performance'.
What you need to do is to console in and capture those info again (or use PDM).
In the meantime, you can probably apply the anti-spoofing feature and IDS to monitor and prevent undesired access/attack using the following config:
ip verify reverse-path interface outside --> anti spoofing
ip audit name Monitor info action alarm --> IDS to monitor
ip audit name Response attack action alarm drop reset --> IDS response to attack
ip audit interface outside Monitor --> apply IDS monitor to outside intf
ip audit interface outside Response --> apply IDS response to attack
Use "show ip audit count" to view the IDS stats, or show ip audit count [global | interface interface_name], and 'sh log | i IDS' to view the log entry. But you must enable your logging first.
logging on
logging buffer info
PIX has less than 60 well-known IDS signatures.
Also, you may want to remove the "access-list 2 permit icmp any any" if you don't need it. This can be manipulated by attacker and can caused your PIX to busy handled (dropping) the incoming ICMP that has no destination. You can leave the outside interface without any ACL. Use it if you need to allow outsider to access your internal servers/services.
Keep/save the log. Pls let me know the outcome.
Rgds,
AK
