
New Member

Finding the source ip of unwanted traffic on a PIX506e

Hi all,

I need to find the originating ip for ssh probe traffic.

An outside firm sent us this:

Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count
EventRecord: 20 Oct 2006 11:05:27, 81.3.x.x, 6, 22, SSH Probe, 34194, 168
EventRecord: 20 Oct 2006 11:05:21, 81.3.x.x, 6, 22, SSH Probe, 33977, 168
EventRecord: 20 Oct 2006 11:05:13, 81.3.x.x, 6, 22, SSH Probe, 33703, 168
EventRecord: 20 Oct 2006 11:05:10, 81.3.x.x, 6, 22, SSH Probe, 33620, 168
EventRecord: 20 Oct 2006 11:05:09, 81.3.x.x, 6, 22, SSH Probe, 33563, 168
EventRecord: 20 Oct 2006 11:04:01, 81.3.x.x, 6, 22, SSH Probe, 31215, 6
EventRecord: 20 Oct 2006 11:04:01, 81.3.x.x, 6, 22, SSH Probe, 31206, 9

It is traced back by them to the outside ip address of the pix.

Now I need to find which machine is responsible for this behaviour.

Any thoughts?

Regards

Wouter

3 REPLIES
Bronze

Re: Finding the source ip of unwanted traffic on a PIX506e

Try this cmd: pixfirewall(config)# show conn

It is used to display all active connections on the PIX.

show conn [detail] [count] [foreign | local ip [-ip2]] [netmask mask] [protocol tcp | udp | protocol]
[fport | lport port1 [-port2]] [state [up [,finin] [,finout] [,http_get] [,sip] [,smtp_data]
[,smtp_banner] [,smtp_incomplete] [,nojava] [,data_in] [,data_out] [,sqlnet_fixup_data]
[,conn_inbound] [,rpc] [,h323] [,dump]]

Displays the number of, and information about, the active connections for the options specified.

If there is a lot of traffic on your network and you don't want to run the debug for all the packets on a certain interface, then you can specify the source and destination of the packets that you want to see in the debug.

Syntax:

debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]]
[[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] | [proto udp [sport src_port] [dport dest_port]]]
[rx | tx | both]

Example:

pix(config)#debug packet inside src 10.0.0.2 dst 172.2.2.2 proto tcp sport 80 dport 80 both

Try this link

http://www.cisco.com/warp/public/110/pixperformance.html#showtraffic

New Member

Re: Finding the source ip of unwanted traffic on a PIX506e

Thanks for the feedback.

I had been fooling around with the debug command, but this only provided me with a short time span output.

Since I don't have the details on when the probes are sent, longer observation might be necessary.

Now I'm thinking logging has to be sent to another machine.

Source and destination ip would be nice, but that info is not available to me. I have had 4 complaints so far, only 1 has provided me with a complete ip address.

I'm gonna dig into AAA logging for now, see what that can do for me.
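One way to do the correlation once the PIX logs to a syslog host, as an added example that is not part of this thread. It assumes the report's 81.3.x.x is the PIX outside address (masked here as the placeholder 81.3.0.1), that the report's Source Port is the PAT port seen on that address, and that the constructed syslog lines follow the %PIX-6-302013 "Built outbound" layout; it matches each complaint to the inside host whose connection used the same mapped port to the same target port shortly before the reported time.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Complaint lines in the format quoted in the original post (constructed copy; the masked
# 81.3.x.x is replaced by the placeholder 81.3.0.1 so that it parses).
REPORT = """\
EventRecord: 20 Oct 2006 11:05:27, 81.3.0.1, 6, 22, SSH Probe, 34194, 168
EventRecord: 20 Oct 2006 11:05:21, 81.3.0.1, 6, 22, SSH Probe, 33977, 168
EventRecord: 20 Oct 2006 11:04:01, 81.3.0.1, 6, 22, SSH Probe, 31215, 6
"""
# Constructed syslog lines, assumed to follow the %PIX-6-302013 "Built outbound" layout:
# for outside:<dst>/<dport> (...) to inside:<real src>/<real port> (<mapped ip>/<mapped port>)
SYSLOG = """\
Oct 20 2006 11:05:26: %PIX-6-302013: Built outbound TCP connection 7711 for outside:203.0.113.9/22 (203.0.113.9/22) to inside:10.0.0.23/1041 (81.3.0.1/34194)
Oct 20 2006 11:05:26: %PIX-6-302013: Built outbound TCP connection 7712 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.0.0.8/1500 (81.3.0.1/33977)
Oct 20 2006 11:05:20: %PIX-6-302013: Built outbound TCP connection 7705 for outside:203.0.113.9/22 (203.0.113.9/22) to inside:10.0.0.23/1039 (81.3.0.1/33977)
Oct 20 2006 10:30:00: %PIX-6-302013: Built outbound TCP connection 7600 for outside:203.0.113.12/22 (203.0.113.12/22) to inside:10.0.0.8/1200 (81.3.0.1/31215)
"""
REPORT_RE = re.compile(
    r"EventRecord: (?P<ts>\d+ \w+ \d{4} \d\d:\d\d:\d\d), (?P<ip>[\d.]+), \d+, "
    r"(?P<dport>\d+), [^,]+, (?P<sport>\d+), \d+")
SYSLOG_RE = re.compile(
    r"(?P<ts>\w{3} \d+ \d{4} \d\d:\d\d:\d\d): %PIX-6-302013: Built outbound TCP connection \d+ "
    r"for outside:[\d.]+/(?P<dport>\d+) \S+ to inside:(?P<inside>[\d.]+)/\d+ "
    r"\((?P<mapped>[\d.]+)/(?P<mport>\d+)\)")

def parse_report(text):
    for m in REPORT_RE.finditer(text):
        yield (datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S"), m["ip"],
               int(m["dport"]), int(m["sport"]))

def parse_syslog(text):
    for m in SYSLOG_RE.finditer(text):
        yield (datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["mapped"],
               int(m["dport"]), int(m["mport"]), m["inside"])

def correlate(report, syslog, window=timedelta(seconds=120)):
    """Map each complaint's PAT port to the inside host that built a connection on the same
    outside address, mapped port and target port within `window` before the reported time.
    PAT reuses mapped ports over time, so matching on port alone would misattribute."""
    conns = list(parse_syslog(syslog))
    hits = {}
    for r_ts, r_ip, r_dport, r_sport in parse_report(report):
        for c_ts, c_ip, c_dport, c_mport, inside in conns:
            if (c_ip, c_mport, c_dport) == (r_ip, r_sport, r_dport) \
                    and timedelta(0) <= r_ts - c_ts <= window:
                hits[r_sport] = inside
    return hits

def suspects(report, syslog):
    return Counter(correlate(report, syslog).values())  # top entry is the box to inspect
```

With the constructed data the 31215 complaint stays unresolved because the only matching mapped port was used 34 minutes earlier, which is exactly the case where a wider window would blame the wrong host.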

New Member

Re: Finding the source ip of unwanted traffic on a PIX506e

I agree with Beth Martin. You should follow him.
