From: Javier
Date: Thu Oct 24 2002 - 15:18:39 GMT-3
Hello
This behaviour of missing some hits was a bug present in some 12.1 and 12.1T
releases (it depended on the platform also). It is supposed to be corrected
if you are running 12.2 or 12.2T. So for CEF, process switching, and fast
switching, the matching should work correctly now. Of course, if you
are doing multicast routing, then it is a different story...
You have to see the 3 modes as fully different code paths, so the
errors and behaviour of each mode are sometimes very different, like
you had 3 different IOSes....
For more details, check the "Internal IOS Architectures" book from
Cisco Press. It is quite important to understand some bugs... :-)
Regards
--- Sam Munzani <sam@munzani.com> wrote:
> I would catch all only if
> process switching is turned on. Otherwise it will
> log only the first packet.
>
> Sam
> > Brian,
> >
> > Correct me if I'm wrong, but from my experience access-list logging
> doesn't
> > always catch all matches. Do you remember what restrictions it has?
> >
> > Regards,
> >
> > Albert
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Brian Dennis
> > Sent: Friday, October 25, 2002 1:17 AM
> > To: 'Sam Munzani'; ccielab@groupstudy.com
> > Cc: cciesecurity@yahoogroups.com
> > Subject: RE: PIX Question
> >
> >
> > If you have a router behind the PIX you can put an access-list in that
> > will log when someone goes to that particular website.
> >
> > access-list 100 permit tcp any host 198.133.219.25 eq 80 log
> > access-list 100 permit ip any any
> >
> > int fa0/0
> > description Interface to PIX
> > ip access-group 100 out
> >
> > Another option would be to just not allow anyone to get to that
> > website and see who complains. Let them come to you ;-)
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP Dial)
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Sam Munzani
> > Sent: Wednesday, October 23, 2002 12:43 PM
> > To: ccielab@groupstudy.com
> > Cc: cciesecurity@yahoogroups.com
> > Subject: PIX Question
> >
> > Group,
> >
> > I have PIX setup with PAT. Hiding 15000+ stations behind a few IP. We
> > are
> > getting complaints from some web sites that somebody from our network
> > tried to
> > hack their server. Since it's PAT, all they can give us was Date/Time
> > when our
> > IP tried to hack their server.
> >
> > Syslogging Informational messages to a syslog server could give me enough
> > data
> > to trace this hacker in my internal network. However for 25000+
> > connections
> > it's a big overhead on PIX and syslog server.
> >
> > Does anybody have a better idea to trace it? Any ideas would be greatly
> > appreciated.
> >
> > Thanks,
> > Sam
> >
>
=====
--- Javier Contreras Albesa
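The problem Sam raised, tracing a complaint back through PAT, comes down to correlating the complainant's date/time and target IP against whatever log you do keep: the PIX "connection built" syslog messages, or the router ACL log lines Brian suggested. The script below is an added example, not code from anyone in this thread. Its log lines are constructed samples; their layout follows the PIX 6.x %PIX-6-302013 and IOS %SEC-6-IPACCESSLOGP formats as assumed here, so check the regexes against your own syslog before trusting a match. It also shows the two caveats the thread touches on: the IOS message carries no year, and (per Sam's point about process switching) an ACL log may show only the first packet of a flow, so the time window must be generous.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not taken from the thread). The layout of
# the PIX 6.x "%PIX-6-302013" connection-built message and the IOS
# "%SEC-6-IPACCESSLOGP" ACL log message is assumed here; verify it against
# your own logs and adjust the regexes if the fields differ.
PIX_LOG = """\
Oct 23 2002 11:58:02: %PIX-6-302013: Built outbound TCP connection 881204 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.20.3.44/3381 (203.0.113.7/21014)
Oct 23 2002 12:04:17: %PIX-6-302013: Built outbound TCP connection 881977 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.20.9.130/1045 (203.0.113.7/21499)
Oct 23 2002 12:04:19: %PIX-6-302013: Built outbound TCP connection 881990 for outside:192.0.2.40/443 (192.0.2.40/443) to inside:10.20.9.130/1046 (203.0.113.7/21503)
Oct 23 2002 13:30:55: %PIX-6-302013: Built outbound TCP connection 884102 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.20.1.9/2200 (203.0.113.8/30001)
"""
IOS_LOG = """\
Oct 23 12:04:18.120: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.20.9.130(1045) -> 198.133.219.25(80), 1 packet
Oct 23 13:30:56.003: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.20.1.9(2200) -> 198.133.219.25(80), 1 packet
"""

PIX_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-6-302013: "
    r"Built outbound TCP connection \d+ for outside:(?P<dst>\S+)/(?P<dport>\d+) "
    r"\(\S+/\d+\) to inside:(?P<src>\S+)/(?P<sport>\d+) "
    r"\((?P<xlate>\S+)/(?P<xport>\d+)\)$"
)
IOS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d+: %SEC-6-IPACCESSLOGP: "
    r"list \S+ permitted \w+ (?P<src>\S+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\S+)\((?P<dport>\d+)\), \d+ packets?$"
)


def parse_pix(text):
    """Return one record per PIX connection-built line, with the PAT
    (global) address the outside world saw, so a complaint that names
    one of your few global IPs can be narrowed further."""
    records = []
    for line in text.splitlines():
        m = PIX_RE.match(line)
        if m:
            records.append({
                "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "xlate": m["xlate"], "xport": int(m["xport"]),
                "origin": "pix",
            })
    return records


def parse_ios(text, year):
    """Return one record per IOS ACL log line. The IOS timestamp has no
    year, so the caller supplies it (the year of the syslog file)."""
    records = []
    for line in text.splitlines():
        m = IOS_RE.match(line)
        if m:
            ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %H:%M:%S")
            records.append({
                "ts": ts.replace(year=year),
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "origin": "ios",
            })
    return records


def find_inside_hosts(records, dst_ip, reported_at, window_seconds=120, xlate_ip=None):
    """Inside hosts that talked to dst_ip within +/- window_seconds of the
    time the complainant reported ("YYYY-MM-DD HH:MM:SS" or a datetime).
    Keep the window wide: the remote clock may be skewed, and an ACL log
    may have recorded only the first packet of a long session. xlate_ip
    narrows PIX records to one global (PAT) address; IOS records carry
    no translation and are never excluded by it."""
    if isinstance(reported_at, str):
        reported_at = datetime.strptime(reported_at, "%Y-%m-%d %H:%M:%S")
    window = timedelta(seconds=window_seconds)
    lo, hi = reported_at - window, reported_at + window
    hits = set()
    for r in records:
        if r["dst"] != dst_ip or not (lo <= r["ts"] <= hi):
            continue
        if xlate_ip is not None and r.get("xlate") not in (None, xlate_ip):
            continue
        hits.add(r["src"])
    return sorted(hits, key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    # Complaint: "your 203.0.113.7 hit our web server around 12:05 on Oct 23".
    records = parse_pix(PIX_LOG) + parse_ios(IOS_LOG, 2002)
    print(find_inside_hosts(records, "198.133.219.25", "2002-10-23 12:05:00",
                            xlate_ip="203.0.113.7"))
```

Both log sources work with the same query, so you can keep the cheap one (an ACL log on the inside router for a handful of complained-about destinations, as Brian suggested) rather than logging every PIX connection. Whichever you keep, the correlation is only as good as the clocks: run NTP on the PIX, the router and the syslog host, or the window has to grow until it stops being useful.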
This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:56 GMT-3