Cisco Support Community
New Member

Anti-DOS options?

Applied the following "open" configuration, and all seemed to be well. Then started experiencing problems logging onto a Windows 2000 domain (on vlan-7) from all vlan-x interfaces. The login problems were sporadic: the same users would have success on one machine, then failure. What does this have to do with FWSM, you ask?

We were running Nessus and ISS scans during the process. Is there default behavior in place on FWSM/PIX that would take an interface down for a brief interval, perhaps if a DOS attack were detected?

FWSM Version 1.1(2)
no gdb enable
nameif vlan11 vlan-11 security10
nameif vlan2 vlan-2 security20
nameif vlan3 vlan-3 security50
nameif vlan4 vlan-4 security80
nameif vlan5 vlan-5 security30
nameif vlan7 vlan-7 security90
nameif vlan8 vlan-8 security40
nameif vlan9 vlan-9 security0
nameif vlan6 inside security100
hostname FWSM
fixup protocol ftp 21
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol http 80
no names
access-list vlan-11 permit icmp any any
access-list vlan-11 permit ip any any
access-list vlan-2 permit icmp any any
access-list vlan-2 permit ip any any
access-list vlan-3 permit icmp any any
access-list vlan-3 permit ip any any
access-list vlan-4 permit icmp any any
access-list vlan-4 permit ip any any
access-list nat-11 permit ip any any
access-list nat-2 permit ip any any
access-list nat-3 permit ip any any
access-list nat-4 permit ip any any
access-list nat-5 permit ip any any
access-list nat-7 permit ip any any
access-list nat-8 permit ip any any
access-list nat-9 permit ip any any
access-list nat-inside permit ip any any
access-list vlan-5 permit icmp any any
access-list vlan-5 permit ip any any
access-list vlan-7 permit icmp any any
access-list vlan-7 permit ip any any
access-list vlan-8 permit icmp any any
access-list vlan-8 permit ip any any
access-list vlan-9 permit icmp any any
access-list vlan-9 permit ip any any
access-list vlan-inside permit icmp any any
access-list vlan-inside permit ip any any
no pager
logging on
logging timestamp
logging console emergencies
logging monitor alerts
logging trap informational
logging history informational
logging host inside 192.168.6.3
icmp permit any vlan-11
icmp permit any vlan-2
icmp permit any vlan-3
icmp permit any vlan-4
icmp permit any vlan-5
icmp permit any vlan-7
icmp permit any vlan-8
icmp permit any vlan-9
icmp permit any inside
mtu vlan-11 1500
mtu vlan-2 1500
mtu vlan-3 1500
mtu vlan-4 1500
mtu vlan-5 1500
mtu vlan-7 1500
mtu vlan-8 1500
mtu vlan-9 1500
mtu inside 1500
ip address vlan-11 192.168.1.254 255.255.255.0
ip address vlan-2 192.168.2.254 255.255.255.0
ip address vlan-3 192.168.3.254 255.255.255.0
ip address vlan-4 192.168.4.254 255.255.255.0
ip address vlan-5 192.168.5.254 255.255.255.0
ip address vlan-7 192.168.7.254 255.255.255.0
ip address vlan-8 192.168.8.254 255.255.255.0
ip address vlan-9 30.0.0.254 255.255.255.0
ip address inside 192.168.6.254 255.255.255.0
no failover
arp timeout 14400
nat (vlan-11) 0 access-list nat-11
nat (vlan-2) 0 access-list nat-2
nat (vlan-3) 0 access-list nat-3
nat (vlan-4) 0 access-list nat-4
nat (vlan-5) 0 access-list nat-5
nat (vlan-7) 0 access-list nat-7
nat (vlan-8) 0 access-list nat-8
nat (vlan-9) 0 access-list nat-9
nat (inside) 0 access-list nat-inside
access-group vlan-11 in interface vlan-11
access-group vlan-2 in interface vlan-2
access-group vlan-3 in interface vlan-3
access-group vlan-4 in interface vlan-4
access-group vlan-5 in interface vlan-5
access-group vlan-7 in interface vlan-7
access-group vlan-8 in interface vlan-8
access-group vlan-9 in interface vlan-9
access-group vlan-inside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
: end

1 REPLY
Cisco Employee

Re: Anti-DOS options?

To the best of my knowledge, there is no such thing where FWSM/PIX will bring down an interface upon a DoS attack or similar.

You can check this with 'show interface' to see if the "interface resets" counter has incremented. If so, the DoS might have caused the interface to seize, max out, etc.

Hope that helps.

Yusuf
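Checking the "interface resets" counter the way Yusuf suggests is easiest with two captures of 'show interface', one taken before the scan window and one after, and a small diff of the per-interface counters. The script below is an added example, not part of the original thread and not Cisco tooling. The two captures are constructed and modelled on PIX-style 'show interface' output; it is an assumption that FWSM 1.1(2) prints the same "N interface resets" line, so adjust the regex if your box formats it differently.

```python
import re

# Header line of each interface block, e.g.
#   interface vlan7 "vlan-7" is up, line protocol is up
INTERFACE_RE = re.compile(
    r'^interface (\S+) "([^"]+)" is (\S+), line protocol is (\S+)', re.M
)

# Counters worth watching after a scan or suspected flood.
COUNTER_RE = re.compile(
    r"(\d+) (interface resets|no buffer|overrun|input errors|output errors|underruns)"
)


def parse_show_interface(text: str) -> dict:
    """Split PIX/FWSM-style 'show interface' output into {nameif: counters}."""
    headers = list(INTERFACE_RE.finditer(text))
    parsed = {}
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[h.start():end]
        counters = {name: int(value) for value, name in COUNTER_RE.findall(block)}
        parsed[h.group(2)] = {
            "interface": h.group(1),
            "status": h.group(3),
            "protocol": h.group(4),
            **counters,
        }
    return parsed


def compare_snapshots(before: dict, after: dict,
                      watch=("interface resets", "no buffer", "overrun", "input errors")) -> dict:
    """Return {nameif: {counter: increase}} for watched counters that grew,
    plus a status entry when the interface or line protocol state changed."""
    findings = {}
    for nameif, new in after.items():
        old = before.get(nameif, {})
        deltas = {
            c: new.get(c, 0) - old.get(c, 0)
            for c in watch
            if new.get(c, 0) > old.get(c, 0)
        }
        if old and (new["status"], new["protocol"]) != (old["status"], old["protocol"]):
            deltas["status"] = f'{old["status"]}/{old["protocol"]} -> {new["status"]}/{new["protocol"]}'
        if deltas:
            findings[nameif] = deltas
    return findings


# Constructed sample captures (not real device output). Interface names and
# nameifs follow the config posted in the question.
BEFORE = """\
interface vlan7 "vlan-7" is up, line protocol is up
  MTU 1500 bytes, BW 1000000 Kbit full duplex
        5120 packets input, 614400 bytes, 0 no buffer
        Received 210 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        4870 packets output, 501200 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
interface vlan6 "inside" is up, line protocol is up
  MTU 1500 bytes, BW 1000000 Kbit full duplex
        900 packets input, 98000 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        880 packets output, 91000 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
"""

AFTER = """\
interface vlan7 "vlan-7" is up, line protocol is up
  MTU 1500 bytes, BW 1000000 Kbit full duplex
        987654 packets input, 61440000 bytes, 17 no buffer
        Received 410 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        650000 packets output, 50120000 bytes, 0 underruns
        0 output errors, 0 collisions, 2 interface resets
interface vlan6 "inside" is up, line protocol is up
  MTU 1500 bytes, BW 1000000 Kbit full duplex
        1200 packets input, 131000 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1150 packets output, 120000 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
"""

if __name__ == "__main__":
    for nameif, deltas in compare_snapshots(
        parse_show_interface(BEFORE), parse_show_interface(AFTER)
    ).items():
        print(f"{nameif}: {deltas}")
```

Run it against real captures by replacing BEFORE and AFTER with the text of the two 'show interface' outputs. An interface that shows resets or "no buffer" growth only during the scan window, while the others stay flat, is the pattern that would back up the theory in the question; if every counter stays at zero, look elsewhere (the domain controller, the switch port, or the scan itself) rather than at the FWSM.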
