
Possibly Being Hacked ?????


Jhall0326

IS-IT--Management
Feb 4, 2002
22
US
I have a PIX 515 with OS 5.0(3). Periodically one of over 100 users will be unable to get to the Internet. All other internal LAN access works okay and IP is the only protocol. To fix the problem, I have to change the IP address of the PC and exclude that address from the DHCP scope. This happens once every two or three weeks, and periodically I am able to remove the exclusions and begin using those addresses again.

This sounds suspicious to me. I was curious if someone was getting in and grabbing an internal 172.16.X.X address.

I have begun capturing logs but I am not sure what to look for.

Also, I am getting ready to upgrade the OS on the PIX, and when I do a "sh ver" I can see how much memory I have but nothing is mentioned about the flash memory. How do I find out how much flash memory is installed?


Any help is appreciated.

Thanks,

 
If you could post your config here that would help us be able to help you better.

Secondly, if you do a show version (sh ver) that will tell you how much memory and flash you have on the box.

 
HavanaJoe - Thanks for the suggestion, but being a financial institution makes releasing our firewall config a breach of our security policy. I was just curious if anyone had ever heard of this happening. Not being too familiar with the PIX, I was curious if possibly someone is coming in through the firewall and grabbing an internal address in kind of a reverse NAT, or if there is some kind of traffic that the firewall is seeing that is causing it to block access to the Internet for that host.

More details that I forgot to include: it is a random user and random IP address that is affected each time it occurs.

For some reason, the show version tells me how much memory is installed, but I don't see anything saying how much flash RAM is installed.

Thanks again for your suggestions.

 
FYI
Reverse NAT, or bidirectional NAT as Cisco calls it, is supported on 6.2 only.
 
Are you sure this isn't an inside problem? Check your DHCP server event logs for errors. Also, do you have an unlimited PIX connection license? If it runs out of connections, it won't let you through. By the time you give it a static IP address, connections have opened up.

When they can't get to the Internet, are they not getting a DHCP address too? That would mean they can't get to anything on the network. I don't think this is a PIX issue.

Your DHCP server should give the MAC address of the device that is grabbing the IP address if it is another device. Use show arp to see the MAC address and start tracking it down.

*J*
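One way to carry out the check jyschaefer describes (compare the MAC the DHCP server leased an address to with the MAC the firewall actually sees in show arp), as an added example that is not from this thread. Both sample listings are constructed; the column layout of the PIX show arp output (interface, IP, dotted-hex MAC) and the comma-separated lease export are assumptions to adjust to the real output.

```python
"""Cross-check a PIX 'show arp' listing against a DHCP lease table.

Added example, not from the thread. All sample output is constructed; the
'show arp' line layout and the lease export format are assumptions.
"""
import re

# Constructed PIX 'show arp' output: "<interface> <ip> <mac>" (assumed layout)
SHOW_ARP = """\
        outside 203.0.113.1 0003.e3a8.d1c0
        inside 172.16.1.10 0050.56aa.1b2c
        inside 172.16.1.11 0050.56aa.1b2d
        inside 172.16.1.12 00e0.b055.9f01
"""

# Constructed DHCP lease export, "ip,mac" per line (hypothetical format)
DHCP_LEASES = """\
172.16.1.10,00-50-56-AA-1B-2C
172.16.1.11,00-50-56-AA-1B-2D
172.16.1.12,00-50-56-AA-1B-2E
"""

ARP_LINE = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F.:-]+)\s*$")


def normalize_mac(mac: str) -> str:
    """Reduce 0050.56aa.1b2c, 00-50-56-AA-1B-2C or 00:50:56:aa:1b:2c
    to the same 12 lowercase hex digits so the two sources compare."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_show_arp(text: str) -> dict:
    """Return {ip: (interface, mac)} from the ARP listing."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            iface, ip, mac = m.groups()
            table[ip] = (iface, normalize_mac(mac))
    return table


def parse_leases(text: str) -> dict:
    """Return {ip: mac} from the lease export."""
    leases = {}
    for line in text.splitlines():
        if line.strip():
            ip, mac = line.split(",")
            leases[ip.strip()] = normalize_mac(mac)
    return leases


def find_mismatches(arp: dict, leases: dict) -> list:
    """IPs where the MAC the firewall talks to differs from the MAC that
    holds the lease: the sign of a second device using a leased address.
    Returns (ip, lease_mac, arp_mac) tuples."""
    out = []
    for ip, lease_mac in leases.items():
        if ip in arp and arp[ip][1] != lease_mac:
            out.append((ip, lease_mac, arp[ip][1]))
    return out


if __name__ == "__main__":
    for ip, expected, seen in find_mismatches(parse_show_arp(SHOW_ARP),
                                              parse_leases(DHCP_LEASES)):
        print(f"{ip}: lease holder {expected}, firewall ARP sees {seen}")
```

With the constructed data the script reports 172.16.1.12, whose ARP entry belongs to a different MAC than the lease; a real run would paste the firewall's own show arp output and the DHCP server's lease list in place of the two constants.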
 
Hi.

It seems like a "regular" problem and not like an attack.
Try the suggestions of "jyschaefer", and also this one:
Look at the "global (outside)" command at your pix configuration.
Do you have a range of addresses (NAT), a single one (PAT), or both?
Try to use PAT only (single address), then issue "clear xlate" and see if this prevents the problem.

Bye
Yizhar Hurwitz
 
Jacare - I have been using Kiwi now for a couple of weeks. I have logging set to debugging just to make sure I get everything, but there has been no occurrence since then.

jyschaefer - We are not using DHCP at all of our remote locations (which are connected via T1 to this location). Several are still static, and the problem seems to occur there as well. When a user experiences the problem, they are still able to access all internal network resources. They just can't get to the Internet, and it will last for days if we don't correct it. Assigning them a new IP address will correct the problem.

Update - I have successfully updated to OS version 6.1.4. I will see if this helps at all and I will try the suggestions.

Thanks for the help everyone.
 
Sounds like an internal IP address conflict to me. Is the affected computer able to communicate w/ any hosts inside the network other than the PIX?
 
Do you have any other Internet proxy that they are going through before getting to the pix? *J*
 
jyschaefer - No other proxy. All remote locations are connected through Cisco 2501 routers and T1 lines.

baddos - Not an IP address conflict, since the user is able to access all other network resources when the problem occurs. They just aren't getting past the firewall. Random user, random IP address, random location, random time frame. There is no discernible pattern.

Thanks for your suggestions,
 
Next time this happens, try a ping and traceroute from the PC to a host on the Internet. Make sure it is getting to the firewall. Is the DNS server on the inside network? Do you have a secondary server defined on PCs, or do you let the DNS server forward requests?

Also, just to make sure you have plenty of licenses on your PIX, do a show conn, and at the very top it should give you the current number of connections and then the max used connections. I think a show ver will tell you if you have an unlimited license or are limited to xxx connections.
*J*
 
This sounds like an xlate issue; you may need to reduce the time-out for xlate. To view the xlate table, type sho xlate, which will show you whether the PIX is mapping the internal IP to a routable IP in the global list.

To verify this is the problem, next time this happens type clear xlate and then try to connect again.
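To put the two threads of advice here into one check (does the affected host have a translation in show xlate, is the table near its high-water mark, and what does the Kiwi syslog say about that host), here is an added example that is not from this thread. The show xlate layout, the syslog lines, and the message IDs 305005 ("No translation group found"), 202001 ("Out of address translation slots") and 302001 ("Built outbound TCP connection") are written from memory of PIX 6.x output and are assumptions to verify against the firewall's own output and the PIX syslog message guide; the sample data is constructed.

```python
"""Inspect a PIX xlate table and syslog for a host that cannot reach the
Internet while inside access still works.

Added example, not from the thread. Output layouts and syslog message IDs
are assumptions from PIX 6.x; all sample data is constructed.
"""
import re
from collections import Counter

# Constructed 'show xlate' output (assumed PIX 6.x layout)
SHOW_XLATE = """\
3 in use, 7 most used
Global 203.0.113.20 Local 172.16.5.40
PAT Global 203.0.113.5(1025) Local 172.16.1.10(1234)
PAT Global 203.0.113.5(1026) Local 172.16.1.11(1235)
"""

# Constructed syslog lines as a Kiwi server would store them (assumed IDs)
SYSLOG = """\
Feb 20 2002 09:12:01 pix %PIX-3-305005: No translation group found for tcp src inside:172.16.9.77/1501 dst outside:198.51.100.8/80
Feb 20 2002 09:12:03 pix %PIX-6-302001: Built outbound TCP connection 4411 for faddr 198.51.100.8/80 gaddr 203.0.113.5/1027 laddr 172.16.1.10/1502
Feb 20 2002 09:12:09 pix %PIX-3-305005: No translation group found for tcp src inside:172.16.9.77/1502 dst outside:198.51.100.8/443
Feb 20 2002 09:15:44 pix %PIX-3-202001: Out of address translation slots!
"""

USAGE_LINE = re.compile(r"^(\d+) in use, (\d+) most used")
XLATE_LINE = re.compile(
    r"^(PAT )?Global (\d+\.\d+\.\d+\.\d+)(?:\((\d+)\))? "
    r"Local (\d+\.\d+\.\d+\.\d+)(?:\((\d+)\))?$"
)
NO_XLATE = re.compile(r"%PIX-3-305005: .* src \w+:(\d+\.\d+\.\d+\.\d+)/\d+")


def parse_xlate(text: str):
    """Return (in_use, most_used, {local_ip: [(global_ip, is_pat), ...]})."""
    in_use = most_used = None
    entries = {}
    for line in text.splitlines():
        u = USAGE_LINE.match(line)
        if u:
            in_use, most_used = int(u.group(1)), int(u.group(2))
            continue
        m = XLATE_LINE.match(line.strip())
        if m:
            pat, gip, _gport, lip, _lport = m.groups()
            entries.setdefault(lip, []).append((gip, pat is not None))
    return in_use, most_used, entries


def translation_for(entries: dict, local_ip: str) -> list:
    """Global addresses currently mapped for an inside host ([] if none)."""
    return entries.get(local_ip, [])


def no_translation_counts(text: str) -> Counter:
    """Count 305005 messages per inside source. A host that keeps showing
    up here has no usable xlate, which matches 'LAN works, Internet does not'."""
    counts = Counter()
    for line in text.splitlines():
        m = NO_XLATE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def slots_exhausted(text: str) -> bool:
    """True if the log says the global pool ran out of translation slots;
    a NAT range that is too small for the user count produces this, and
    switching to PAT or clearing stale xlates is the usual fix."""
    return any("%PIX-3-202001" in line for line in text.splitlines())


if __name__ == "__main__":
    in_use, most_used, entries = parse_xlate(SHOW_XLATE)
    print(f"xlates in use: {in_use}, most used: {most_used}")
    for host in ("172.16.1.10", "172.16.9.77"):
        print(host, "->", translation_for(entries, host) or "NO TRANSLATION")
    print("305005 per host:", dict(no_translation_counts(SYSLOG)))
    print("slots exhausted:", slots_exhausted(SYSLOG))
```

Run against real output, a host that appears in the 305005 counts but has no entry in the xlate table is the one to try clear xlate on, and a rising "most used" figure next to 202001 messages points at the global pool size rather than at any single PC.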
 