03-07-2006, 06:45 PM
|
#1 (permalink)
|
|
Senior Member
Blabber Fingers
Posts: 1,154
Shouts: 0
Join Date: Jun 2005
Location: Toronto
Age: 39
Thanks: 21
Thanked 30 Times in 24 Posts
|
Any Cisco PIX pros here?
Lately our partial DS3 in the Toronto office is getting saturated with traffic. I can view the traffic and bandwidth usage in the PDM but it doesn't show me the internal IPs that are generating the traffic. For that I use the CLI and turn on level 6 logging. I take the output from that, paste it into a file and can then grep the results. Is there an easy way to look for p2p traffic? The only way I know now is to grep for the known port numbers. Most torrent clients and p2p apps let you change the default port or do it on their own. I know we can block certain apps but we're an ad agency and need to allow some traffic for the creatives.
I have some tools at my disposal but they aren't perfect. Is there an easy way in Ethereal for me to do this? Either with a packet sniffer or the PIX logs I need to see who or what is sucking up most of our bandwidth. So... if anyone knows of a way to do this, great! Any Mac, Nix or Windows apps that will work are also an option. It doesn't have to be freeware but preferably nothing too expensive.
Thanks in advance to anyone that can offer some advice.
|
|
|
03-07-2006, 10:13 PM
|
#2 (permalink)
|
|
Senior Member
Eagle Eye
Posts: 266
Shouts: 0
Join Date: Jun 2005
Age: 30
Thanks: 1
Thanked 0 Times in 0 Posts
|
I'll talk with the other guys in the tech dept I work with and see if we have done something like that already.
|
|
|
03-08-2006, 09:41 AM
|
#3 (permalink)
|
|
Board Admin
Needs Help
Posts: 3,202
Shouts: 0
Join Date: Jun 2005
Location: Sparks, NV
Age: 28
Thanks: 45
Thanked 26 Times in 18 Posts
|
Build a syslog box and utilize a tool to analyze the traffic.
Here is a free one that will allow you to see which IP is the offender.
http://www.aboutmyip.com/AboutMyXApp/SyslogJunction.jsp
Here is a Windows Syslog Daemon - works well - I've used it in the past before switching the syslog box to SUSE.
http://www.kiwisyslog.com/products.htm
Also, do you have a default deny rule in place? Or is it a free-for-all to the net?
You ought to consider a MS ISA box behind the PIX, your current problem wouldn't even be an issue.
|
|
|
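The per-host analysis suggested in the post above can also be done directly on the saved level 6 output; the following is an added example, not part of the thread. It assumes the log contains the standard PIX connection teardown messages (302014 for TCP, 302016 for UDP) and that the LAN interface is named `inside`. It sums bytes per internal IP and counts distinct remote endpoints, a heuristic that does not depend on known p2p port numbers.

```python
import re
from collections import Counter

# Teardown records (302014 = TCP, 302016 = UDP) carry each connection's byte count.
TEARDOWN = re.compile(
    r"%PIX-6-30201[46]: Teardown (?:TCP|UDP) connection \d+ "
    r"for (?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) "
    r"to (?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration \S+ bytes (?P<bytes>\d+)"
)

def top_talkers(lines, inside_if="inside", n=10):
    """Return [(inside_ip, total_bytes, distinct_remote_endpoints)], busiest first."""
    totals, peers = Counter(), {}
    for line in lines:
        m = TEARDOWN.search(line)
        if not m:
            continue  # Built, deny and other messages carry no byte count
        if m["if_a"] == inside_if:
            host, peer = m["ip_a"], (m["ip_b"], m["port_b"])
        elif m["if_b"] == inside_if:
            host, peer = m["ip_b"], (m["ip_a"], m["port_a"])
        else:
            continue  # neither endpoint is on the inside interface
        totals[host] += int(m["bytes"])
        peers.setdefault(host, set()).add(peer)
    return [(h, b, len(peers[h])) for h, b in totals.most_common(n)]

# Constructed sample lines for illustration; not taken from the thread.
SAMPLE = """\
Mar 07 2006 18:40:01: %PIX-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.25/3456 (203.0.113.5/3456)
Mar 07 2006 18:40:09: %PIX-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/80 to inside:10.1.1.25/3456 duration 0:00:08 bytes 48213 TCP FINs
Mar 07 2006 18:42:10: %PIX-6-302016: Teardown UDP connection 1002 for outside:192.0.2.53/53 to inside:10.1.1.25/1027 duration 0:02:01 bytes 212
Mar 07 2006 18:50:13: %PIX-6-302014: Teardown TCP connection 1003 for outside:203.0.113.40/40211 to inside:10.1.1.77/2201 duration 0:10:12 bytes 700000 TCP Reset-O
Mar 07 2006 18:51:02: %PIX-6-302014: Teardown TCP connection 1004 for outside:198.51.100.91/52944 to inside:10.1.1.77/2202 duration 0:09:40 bytes 650000 TCP FINs
Mar 07 2006 18:52:47: %PIX-6-302014: Teardown TCP connection 1005 for outside:203.0.113.8/80 to inside:10.1.1.77/2203 duration 0:11:05 bytes 910000 TCP FINs
"""

if __name__ == "__main__":
    for host, nbytes, npeers in top_talkers(SAMPLE.splitlines()):
        print(f"{host:15} {nbytes:>10} bytes  {npeers} remote endpoints")
```

A host with both a high byte total and an unusually large number of distinct remote endpoints is the one to look at first, whatever ports it uses.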
03-08-2006, 11:31 AM
|
#4 (permalink)
|
|
Senior Member
Blabber Fingers
Posts: 1,154
Shouts: 0
Join Date: Jun 2005
Location: Toronto
Age: 39
Thanks: 21
Thanked 30 Times in 24 Posts
|
Quote:
|
Originally Posted by LoPo
Build a syslog box and utilize a tool to analyze the traffic.
Here is a free one that will allow you to see which IP is the offender.
http://www.aboutmyip.com/AboutMyXApp/SyslogJunction.jsp
Here is a Windows Syslog Daemon - works well - I've used it in the past before switching the syslog box to SUSE.
http://www.kiwisyslog.com/products.htm
Also, do you have a default deny rule in place? Or is it a free-for-all to the net?
You ought to consider a MS ISA box behind the PIX, your current problem wouldn't even be an issue.
|
Thanks LoPo,
Syslog junction looks promising.
We have some deny rules in place but being an ad agency we can't block a lot of traffic. Trust me, I wish we could. Besides, apps like LimeWire will go out over port 80 and we obviously can't block 80 or 8080.
I have an ISA server already that we use to authenticate to the PIX for the Cisco VPN. It sits outside the firewall though.
|
|
|
03-08-2006, 11:47 AM
|
#5 (permalink)
|
|
Board Admin
Needs Help
Posts: 3,202
Shouts: 0
Join Date: Jun 2005
Location: Sparks, NV
Age: 28
Thanks: 45
Thanked 26 Times in 18 Posts
|
Harb,
You can configure the ISA box (as long as the outbound traffic from the PIX is passing through it) to filter for P2P apps that go over 80/8080. That's ISA's bread and butta.
Let me know how the syslog analysis goes.
|
|
|
03-08-2006, 12:00 PM
|
#6 (permalink)
|
|
Senior Member
Blabber Fingers
Posts: 1,154
Shouts: 0
Join Date: Jun 2005
Location: Toronto
Age: 39
Thanks: 21
Thanked 30 Times in 24 Posts
|
Cool! Thanks, I'll have to run this by the sys admin. I doubt we'll block p2p though... An ad agency can be a strange place to be a network admin =\
|
|
|
03-08-2006, 03:32 PM
|
#7 (permalink)
|
|
FoS Sponsor
Blabber Fingers
Posts: 1,156
Shouts: 0
Join Date: Jun 2005
Location: Secret Lab in the mountains
Age: 33
Thanks: 16
Thanked 3 Times in 2 Posts
|
Oh man, been a LONG time but... LoPo has most of what I would point to, but there is a better way; just for some stupid reason I can't remember exactly what the MIB/OIDs were for looking at that. We had something set up with MRTG on a Linux box, and it was set up initially to monitor and graph the high sides of the switches; once a threshold was established it would capture ports and start another program and look at everything on those ports. I will have to see if the company I work for still has the writeup for them. I no longer work there but I have some moles that I can hit up for help if they still are on that project.
It worked great and would output all the IP stuff as well as location address and port IDs. It was cool. I know we also tried doing it with an early version of Intermapper on a Mac but you couldn't get any detail on what people were doing; it would just give line utilization and up/down state.
|
|
|
03-08-2006, 03:39 PM
|
#8 (permalink)
|
|
Board Admin
Needs Help
Posts: 3,202
Shouts: 0
Join Date: Jun 2005
Location: Sparks, NV
Age: 28
Thanks: 45
Thanked 26 Times in 18 Posts
|
I've used PRTG and it will offer the same info and do all the configuration for you. You can download a free trial and it's pretty cheap for the same amount of nodes. http://www.paessler.com/prtg
|
|
|
03-08-2006, 03:48 PM
|
#9 (permalink)
|
|
FoS Sponsor
Blabber Fingers
Posts: 1,156
Shouts: 0
Join Date: Jun 2005
Location: Secret Lab in the mountains
Age: 33
Thanks: 16
Thanked 3 Times in 2 Posts
|
PRTG was great if you like the auto setup, but its trial version sucks; you only really get one node and that's even limited. Plus you have to pay for the program. MRTG is free but a REAL bear to set up. I remember many late nights in front of a machine trying to get some MRTG stuff to work and bust and smash keyboards in the end..
|
|
|
03-08-2006, 05:02 PM
|
#10 (permalink)
|
|
Board Admin
Needs Help
Posts: 3,202
Shouts: 0
Join Date: Jun 2005
Location: Sparks, NV
Age: 28
Thanks: 45
Thanked 26 Times in 18 Posts
|
Which is why I recommended PRTG, it's cheap and simple...
You can get 30 days full featured, free. After which it reverts to the freeware edition and you have 3 sensors.
Sounds like he has a single PIX anyways, so 3 sensors should be fine. He can buy it for $62.50 for the software and year of support.
$63 is a better deal than trying to configure MRTG.
|
|
|
All times are GMT -5. The time now is 05:38 AM.
|