From: Sam Munzani (sam@munzani.com)
Date: Thu Oct 24 2002 - 14:26:01 GMT-3
It would catch all only if process switching is turned on. Otherwise it will log only the first packet.
Sam
> Brian,
>
> Correct me if I'm wrong, but from my experience access-list logging doesn't
> always catch all matches. Do you remember what restrictions it has?
>
> Regards,
>
> Albert
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Brian Dennis
> Sent: Friday, October 25, 2002 1:17 AM
> To: 'Sam Munzani'; ccielab@groupstudy.com
> Cc: cciesecurity@yahoogroups.com
> Subject: RE: PIX Question
>
>
> If you have a router behind the PIX you can put an access-list in that
> will log when someone goes to that particular website.
>
> access-list 100 permit tcp any host 198.133.219.25 eq 80 log
> access-list 100 permit ip any any
>
> int fa0/0
> description Interface to PIX
> ip access-group 100 out
>
> Another option would be to just not allow anyone to get to that
> website and see who complains. Let them come to you ;-)
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Sam Munzani
> Sent: Wednesday, October 23, 2002 12:43 PM
> To: ccielab@groupstudy.com
> Cc: cciesecurity@yahoogroups.com
> Subject: PIX Question
>
> Group,
>
> I have a PIX set up with PAT, hiding 15000+ stations behind a few IPs.
> We are getting complaints from some web sites that somebody from our
> network tried to hack their server. Since it's PAT, all they can give
> us was Date/Time when our IP tried to hack their server.
>
> Syslogging Informational messages to a syslog server could give me
> enough data to trace this hacker in my internal network. However for
> 25000+ connections it's a big overhead on PIX and syslog server.
>
> Does anybody have a better idea to trace it? Any ideas would be greatly
> appreciated.
>
> Thanks,
> Sam
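
One way to use the log output of the access-list suggested above: an added example, not code from anyone in this thread, that correlates the router's ACL log entries with the date/time reported by the remote site to list the inside addresses that reached 198.133.219.25 around that time. It assumes the router sits inside the PIX (so it sees pre-PAT source addresses) and that the syslog server stores lines in the layout shown; the function name `suspects` and all sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of router syslog as stored on a syslog server (not real traffic).
SAMPLE_LOG = """\
Oct 24 14:19:58 10.0.0.1 101: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.20.3.41(3312) -> 198.133.219.25(80), 1 packet
Oct 24 14:21:07 10.0.0.1 102: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.31.7.9(1188) -> 198.133.219.25(80), 1 packet
Oct 24 14:25:02 10.0.0.1 103: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.20.3.41(3312) -> 198.133.219.25(80), 27 packets
Oct 24 14:26:30 10.0.0.1 104: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
Oct 24 16:02:11 10.0.0.1 105: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.44.0.12(2040) -> 198.133.219.25(80), 1 packet
"""

# Matches the basic IPACCESSLOGP form: "list N permitted tcp src(port) -> dst(port), N packet(s)".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"permitted tcp (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?")

def suspects(log_text, dst_ip, reported, year=2002, slack_minutes=10):
    """Return Counter {inside_ip: packets} for ACL hits on dst_ip near `reported`."""
    window = timedelta(minutes=slack_minutes)
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] != dst_ip:
            continue  # other message types and other destinations are ignored
        # Syslog timestamps carry no year; the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if abs(ts - reported) <= window:
            # Later summary entries for the same flow carry a packet count.
            hits[m["src"]] += int(m["pkts"])
    return hits

if __name__ == "__main__":
    complaint = datetime(2002, 10, 24, 14, 22, 0)  # time given by the remote site (constructed)
    for ip, pkts in suspects(SAMPLE_LOG, "198.133.219.25", complaint).most_common():
        print(ip, pkts)
```

The slack window absorbs clock differences between the remote site and the router; keeping both on NTP lets it be narrowed.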
This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:56 GMT-3