10-04-2010 01:33 PM - edited 03-11-2019 11:49 AM
Hardware:
Sun Enterprise 250 Server
Cisco Pix 501 Firewall
Hello everyone, I am brand new to what I am trying to do here, so I'd greatly appreciate any hints. I am trying to troubleshoot a problem where our website goes down almost every day. I believe the firewall is the problem because if I unplug it from the wall for a couple of minutes and plug it back in, everything will work again. We do not get a lot of traffic; I suppose hackers are possible... I'm trying to learn PIX Device Manager 3.0, but I guess what would really help me is if I could somehow see the error messages that are presumably saved somewhere right before the site goes down.
Any hints for a desperate novice? I'll post whatever info you need to help me...
Here is a possible hint: I have two PIX 501's because it was assumed that one of them may have gone bad. I'm not sure about that, but they both do the same thing in that if I turn or bump the power cable going into them, the VPN tunnel light will temporarily come on. This seems very suspicious to me. I have taken it apart and everything SEEMS ok...
10-04-2010 03:16 PM
Hello.
You will probably want to turn on logging to a syslog server. This will basically send the log messages to the server, which you can review at a later time. I'm not sure what version you are running on the PIX 501, but I will send you the link for the 6.x config guide.
Syslog set up on pix 6.x:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sysmgmt.html#wp1119533
You can google search for kiwi syslog and download that syslog server for free.
regards,
scott
10-05-2010 08:41 AM
Thank you Scott, yes, I am running the pix on v6.3.
Logging is already enabled. The PIX error file only contains about six entries from a few months ago. The Pix warning file contains hundreds of entries from today back to August.
There seems to really only be three types of warning entries, here are some censored examples of them:
Aug 13 16:09:46 [XXX.XXX.X.X.X.X] Aug 13 2010 14:46:39: %PIX-4-106023: Deny udp src outside:XXX.XXX.XXX.XX/XXXX dst inside:XXX.X.XX.XX/XXXX by access-group "acl_out"
Aug 13 16:56:57 [XXX.XXX.X.X.X.X] Aug 13 2010 15:33:49: %PIX-4-411001: Line protocol on Interface outside, changed state to up
Aug 13 16:56:57 [XXX.XXX.X.X.X.X] Aug 13 2010 15:33:49: %PIX-4-411001: Line protocol on Interface inside, changed state to up
Unfortunately, I don't see any entries anywhere that suggest that the site was, or was going, down...
10-05-2010 09:23 AM
I've learned that 106023 can indicate port scanning. So, I've been plugging IP addresses into a reverse-DNS lookup website and, lo and behold, some of the IPs are in China.
UPDATE
Between Aug 13 and today, there are 700 IPs that were logged in the PIX warning file under %PIX-4-106023. Of them, only 175 are unique. The vast majority of these are from China, the rest are from many other countries.
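An added example, not from the original thread: a small parser for the three kinds of warning lines quoted above that tallies the %PIX-4-106023 denies per source address (the kind of total/unique count reported in this post) and also counts the 411001 interface state changes, which are worth watching if the link is flapping. The sample lines are constructed, using documentation addresses.

```python
import re
from collections import Counter

# Relay syslog prefix plus the PIX message header, as quoted in the thread.
HEADER_RE = re.compile(
    r"^(?P<recv>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<relay>[^\]]+)\] "
    r"(?P<dev_time>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): "
    r"%PIX-(?P<sev>\d)-(?P<msg_id>\d+): (?P<text>.*)$"
)
# Body of %PIX-4-106023 (packet denied by an access-group).
DENY_RE = re.compile(
    r"^Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"by access-group \"(?P<acl>[^\"]+)\"$"
)

def parse_line(line):
    """Return the fields of one PIX syslog line, or None if it does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["msg_id"] == "106023":
        d = DENY_RE.match(rec["text"])
        if d:
            rec.update(d.groupdict())
    return rec

def summarize(lines):
    """Count 106023 denies per source IP and 411001 interface state changes."""
    denies, link_events = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msg_id"] == "106023" and "src" in rec:
            denies[rec["src"]] += 1
        elif rec["msg_id"] == "411001":
            link_events[rec["text"]] += 1
    return {"deny_total": sum(denies.values()), "deny_unique": len(denies),
            "top_sources": denies.most_common(3), "link_events": link_events}

# Constructed sample lines in the thread's format (RFC 5737 documentation addresses).
SAMPLE = [
    'Aug 13 16:09:46 [192.0.2.1] Aug 13 2010 14:46:39: %PIX-4-106023: Deny udp src outside:203.0.113.5/51234 dst inside:10.0.0.20/1434 by access-group "acl_out"',
    'Aug 13 16:10:02 [192.0.2.1] Aug 13 2010 14:46:55: %PIX-4-106023: Deny tcp src outside:203.0.113.5/51240 dst inside:10.0.0.20/445 by access-group "acl_out"',
    'Aug 13 16:12:31 [192.0.2.1] Aug 13 2010 14:49:24: %PIX-4-106023: Deny tcp src outside:198.51.100.77/4402 dst inside:10.0.0.20/22 by access-group "acl_out"',
    'Aug 13 16:56:57 [192.0.2.1] Aug 13 2010 15:33:49: %PIX-4-411001: Line protocol on Interface outside, changed state to up',
    'not a pix line',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```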
10-05-2010 11:44 AM
So, the IDS Policy section has two custom entries in it, one for information and the other for attacks. Thing is, they are both only set to "alarm." So I will try changing them both to also include "drop" and "reset." Maybe this is the problem, or at least part of it?
10-07-2010 06:22 AM
So, the power supply connector on the PIX board is definitely a part of the problem. If you gently twist the plug in the connector, or otherwise bump it, the VPN tunnel light will go on, several lights will start flashing, and the connection will start going in and out.
I wonder if anyone has had this problem with their PIXs?