unusual PAT activity in PIX 520

gordons
Level 1

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

We use an old PIX 520 for our outbound user traffic, and yesterday we experienced a severe slowdown, which I was able to narrow down to this PIX.

xx.x.xxx.62 is obviously the PAT address,

xxx.xxx.xxx.1 is our internal DNS server, and

xxx.xxx.xxx.2 is our internal DHCP server.

I ran a "show xlate", and saw this output:

txpix001# sh xlate count
PAT Global xx.x.xxx.62(28551) Local 10.0.10.2
nconns 0 embryonic conns 0
PAT Global xx.x.xxx.62(28503) Local xxx.xxx.xxx.1
nconns 0 embryonic conns 0
out xxx.xxx.xx.201:11656 in xxx.xxx.xxx.1:1091 idle 0:01:30 flags 0x0 - UDP
PAT Global xx.x.xxx.62(28552) Local xxx.xxx.xxx.2
nconns 0 embryonic conns 0
out xxx.xx.xxx.11:11702 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xx.xxx.xxx.102:3499 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xxx.xx.xxx.11:5540 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xxx.xx.xxx.10:11702 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xx.xxx.xxx.102:9630 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xxx.xx.xxx.11:7568 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xxx.xx.xxx.11:3466 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xxx.xx.xxx.11:1408 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xx.xxx.xxx.103:3499 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xx.xxx.xxx.103:3499 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xx.xxx.xxx.102:9596 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xx.xxx.xxx.102:1396 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xxx.xx.xxx.11:1384 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xx.xxx.xxx.103:9630 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xxx.xx.xxx.10:7568 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xxx.xx.xxx.10:3466 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xxx.xx.xxx.10:1408 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xxx.xx.xxx.11:9568 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xx.xxx.xxx.103:9596 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xxx.xx.xxx.11:9564 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xx.xxx.xxx.103:1396 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP
out xxx.xx.xxx.10:1384 in xxx.xxx.xxx.2:1084 idle 0:01:30 flags 0x0 - UDP

This output does not seem normal to me. I've tried to find examples of similar output on Cisco's website, but have not had any luck as yet.

Anyone here have an idea?

Thanks.

Gordon

6 Replies

jmia
Level 7

Hello Gordon,

Can you post your result from - show xlate detail - please.

Also, if possible, can you post your PIX config, remembering to exclude 'real inside IPs', passwords, etc.

Thanks -

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

Here is the output from show xlate detail:

txpix001# sh xlate detail
PAT Global xx.x.xxx.62(29427) Local 10.0.10.200
nconns 1 embryonic conns 0
out xxx.xx.xxx.62:443 in 10.0.10.200:1140 idle 0:01:17 bytes 121249 flags UIO
PAT Global xx.x.xxx.62(29443) Local 10.0.18.27
nconns 0 embryonic conns 0
out xx.xxx.xxx.15:80 in 10.0.18.27:1093 idle 0:00:00 bytes 18046 flags fFHrIO
PAT Global xx.x.xxx.62(29426) Local 10.0.10.200
nconns 0 embryonic conns 0
out xxx.xx.xxx.121:80 in 10.0.10.200:1138 idle 0:00:09 bytes 844 flags HrRIO
PAT Global xx.x.xxx.62(29442) Local 10.0.18.27
nconns 0 embryonic conns 0
out xx.xxx.xxx.15:80 in 10.0.18.27:1092 idle 0:00:01 bytes 439 flags fFHrIO
PAT Global xx.x.xxx.62(29425) Local 10.0.10.200
nconns 0 embryonic conns 0
out xxx.xx.xxx.62:80 in 10.0.10.200:1136 idle 0:00:17 bytes 7449 flags HrRIO
PAT Global xx.x.xxx.62(29441) Local 10.0.18.27
nconns 0 embryonic conns 0
out xx.xxx.xxx.15:80 in 10.0.18.27:1089 idle 0:00:01 bytes 502 flags fFHrIO
PAT Global xx.x.xxx.62(29424) Local 10.0.10.200
nconns 0 embryonic conns 0
PAT Global xx.x.xxx.62(29440) Local 10.0.18.27
nconns 0 embryonic conns 0
out xx.xxx.xxx.15:80 in 10.0.18.27:1088 idle 0:00:01 bytes 1635 flags fFHrIO
PAT Global xx.x.xxx.62(29431) Local 10.0.10.2
nconns 0 embryonic conns 0
out xxx.xx.xxx.39:80 in 10.0.10.2:1690 idle 0:00:18 bytes 50463 flags FHrRIO
PAT Global xx.x.xxx.62(29415) Local 10.0.3.202
nconns 0 embryonic conns 0
PAT Global xx.x.xxx.62(29447) Local 10.0.3.202
nconns 0 embryonic conns 0
out xx.x.xxx.3:80 in 10.0.3.202:1077 idle 0:00:02 bytes 22583 flags fFHrIO
PAT Global xx.x.xxx.62(29430) Local 10.0.10.2
nconns 0 embryonic conns 0
out xxx.xx.xxx.39:80 in 10.0.10.2:1689 idle 0:00:36 bytes 68945 flags fFHrRIO
PAT Global xx.x.xxx.62(29414) Local 10.0.3.202
nconns 0 embryonic conns 0
PAT Global xx.x.xxx.62(29382) Local 10.0.19.28
nconns 1 embryonic conns 0
out xx.xx.xxx.204:80 in 10.0.19.28:1030 idle 0:00:59 bytes 593 flags UFHIO
PAT Global xx.x.xxx.62(29446) Local 10.0.18.27
nconns 0 embryonic conns 0
out xx.xxx.xxx.15:80 in 10.0.18.27:1096 idle 0:00:03 bytes 535 flags fFHrIO
PAT Global xx.x.xxx.62(29429) Local 10.0.3.202
nconns 0 embryonic conns 0
out xx.x.xxx.3:80 in 10.0.3.202:1076 idle 0:00:22 bytes 23465 flags fFHrRIO
PAT Global xx.x.xxx.62(29413) Local x.x.x.x
nconns 0 embryonic conns 0
out xx.xxx.xx.37:15439 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.225:15439 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xxx.xx.37:15424 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.225:15424 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xxx.xx.37:5176 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.225:5176 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xxx.xx.37:9266 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.225:9266 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.226:15439 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.163:15439 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.226:15424 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.163:15424 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xxx.xx.37:5162 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.225:5162 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xxx.xx.37:7204 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.225:7204 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xxx.xx.37:11295 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.225:11295 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xxx.xx.37:11286 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.225:11286 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.226:5176 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.163:5176 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.226:9266 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.163:9266 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.164:15439 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.164:15424 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.226:5162 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.163:5162 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.226:7204 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.163:7204 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.226:11295 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.163:11295 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xx.xx.226:11286 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.163:11286 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.164:5176 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.164:9266 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xxx.xxx.102:15439 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xxx.xxx.102:15424 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.164:5162 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.164:7204 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.164:11295 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xxx.xxx.xxx.164:11286 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xxx.xxx.102:5176 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP
out xx.xxx.xxx.102:9266 in x.x.x.x:1084 idle 0:00:30 flags 0x0 - UDP

-----------------------------------

Here is the config:

txpix001# sh config
: Saved
:
PIX Version 4.0.7
enable password xxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxx encrypted
hostname txpix001
no failover
names
syslog output 20.5
no syslog console
syslog host x.x.x.x
interface ethernet outside auto
interface ethernet inside auto
ip address inside x.x.x.x x.x.x.x
ip address outside y.y.y.y y.y.y.y
arp timeout 14400
global 1 x.x.x.x-x.x.x.x
nat 1 0.0.0.0 0.0.0.0 1000
age 10
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 xx.x.xxx.1 1
route inside 10.0.0.0 255.0.0.0 130.120.111.1 1
timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
no snmp-server location
no snmp-server contact
telnet 10.0.10.2 255.255.255.0
telnet 10.0.10.3 255.255.255.0
telnet 10.0.10.4 255.255.255.0
mtu outside 1500
mtu inside 1500

Thanks.

Gordon -

Have you tried 'clear xlate' and checked whether you are still seeing the same connections? Also try rebooting the PIX and check again. It would be a good idea to upgrade to the latest PIX IOS as well.

Thanks - and let me know how you get on.

I've already tried the clear xlate and reboot.

While these entries are cleared, they show back up.

Hi Gordon,

Okay - the reason you are seeing those entries reappear is that they were placed with a static command, so when you do 'clear xlate' these entries reappear immediately. But you can be specific about the entries that you want to clear.

Do you need those entries? Can you do 'sh conn' and 'sh conn detail', and also post any static entries that you have on the PIX? It seems that your internal DHCP server is broadcasting traffic out, or vice versa, to an outside address.

I'd suggest that you consider upgrading the PIX IOS to the latest, 6.3.1.

Thanks --

This PIX does not have any static entries.

txpix001# sh conn
61 in use, 963 remain, 84 most used

txpix001# sh conn detail
61 in use, 963 remain, 84 most used

I have a PIX 525, and am trying to get the powers-that-be to allow me to move the user-outbound traffic to that.

I will start the process of getting the latest IOS for it as well.

I agree that it looks as though our internal DHCP server is broadcasting outside. I don't recall seeing these entries in the past, so I am assuming, although perhaps erroneously, that they are not normal entries.
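The pattern both posters are reacting to is visible in the 'show xlate' output itself: one internal address and one source port (the DHCP server on port 1084) fanning out to many distinct outside hosts and ports over UDP, while ordinary client entries map one local socket to one outside endpoint. The script below is an added example written for this thread, not code from the original posters or from Cisco. It parses the 'out ... in ...' connection lines of PIX 'show xlate' / 'show xlate detail' output, groups them by local address and port, and flags any local socket whose number of distinct outside endpoints crosses a threshold, so the same check can be run over a saved capture of the command output instead of eyeballing it. The sample text, the addresses in it (RFC 5737 documentation ranges) and the threshold of 8 are constructed assumptions.

```python
"""Flag PAT translations where one local socket fans out to many outside peers.

Added example for the PIX 'show xlate' thread; not from the original posters or
from Cisco.  Addresses in SAMPLE are constructed placeholders (RFC 5737 ranges).
"""
import re
from collections import defaultdict

# One 'show xlate' connection line, e.g.
#   out 198.51.100.11:11702 in 192.0.2.2:1084 idle 0:01:30 flags 0x0 - UDP
#   out 198.51.100.62:443 in 10.0.10.200:1140 idle 0:01:17 bytes 121249 flags UIO
# 'bytes' appears only in 'show xlate detail'; '- UDP' appears only for UDP.
CONN_RE = re.compile(
    r"^\s*out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})"
    r"(?:\s+bytes\s+(?P<bytes>\d+))?"
    r"\s+flags\s+(?P<flags>\S+)"
    r"(?:\s+-\s+(?P<proto>\S+))?"
)


def parse_xlate(text):
    """Return one dict per connection line; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # 'PAT Global ...' and 'nconns ...' lines carry no endpoints
        d = m.groupdict()
        d["out_port"] = int(d["out_port"])
        d["in_port"] = int(d["in_port"])
        d["bytes"] = int(d["bytes"]) if d["bytes"] else None
        d["proto"] = d["proto"] or "TCP"  # assumption: no trailing tag means TCP
        conns.append(d)
    return conns


def fanout_by_local_socket(conns):
    """Map (local ip, local port) -> set of distinct (outside ip, outside port)."""
    fan = defaultdict(set)
    for c in conns:
        fan[(c["in_ip"], c["in_port"])].add((c["out_ip"], c["out_port"]))
    return fan


def flag_fanout(conns, threshold=8):
    """Local sockets with at least `threshold` distinct outside endpoints.

    Returns a list of (local_ip, local_port, peer_count, sorted outside IPs),
    largest fan-out first.  Duplicate 'out' lines count once.
    """
    flagged = []
    for (ip, port), peers in fanout_by_local_socket(conns).items():
        if len(peers) >= threshold:
            flagged.append((ip, port, len(peers), sorted({p[0] for p in peers})))
    return sorted(flagged, key=lambda f: -f[2])


# Constructed sample in the thread's format: a DNS server with one UDP peer,
# a server on port 1084 spraying many UDP peers, and one ordinary TCP client.
SAMPLE = """\
PAT Global 203.0.113.62(28503) Local 192.0.2.1
nconns 0 embryonic conns 0
out 198.51.100.201:11656 in 192.0.2.1:1091 idle 0:01:30 flags 0x0 - UDP
PAT Global 203.0.113.62(28552) Local 192.0.2.2
nconns 0 embryonic conns 0
out 198.51.100.11:11702 in 192.0.2.2:1084 idle 0:01:30 flags 0x0 - UDP
out 198.51.100.102:3499 in 192.0.2.2:1084 idle 0:01:30 flags 0x0 - UDP
out 198.51.100.11:5540 in 192.0.2.2:1084 idle 0:01:30 flags 0x0 - UDP
out 198.51.100.10:11702 in 192.0.2.2:1084 idle 0:01:30 flags 0x0 - UDP
out 198.51.100.102:9630 in 192.0.2.2:1084 idle 0:01:30 flags 0x0 - UDP
out 198.51.100.11:7568 in 192.0.2.2:1084 idle 0:01:30 flags 0x0 - UDP
out 198.51.100.11:3466 in 192.0.2.2:1084 idle 0:01:30 flags 0x0 - UDP
out 198.51.100.103:3499 in 192.0.2.2:1084 idle 0:01:30 flags 0x0 - UDP
out 198.51.100.103:3499 in 192.0.2.2:1084 idle 0:01:30 flags 0x0 - UDP
PAT Global 203.0.113.62(29427) Local 10.0.10.200
nconns 1 embryonic conns 0
out 198.51.100.62:443 in 10.0.10.200:1140 idle 0:01:17 bytes 121249 flags UIO
"""

if __name__ == "__main__":
    for ip, port, count, peers in flag_fanout(parse_xlate(SAMPLE)):
        print(f"{ip}:{port} -> {count} distinct outside endpoints on {peers}")
```

Run it on a file captured from the console with `parse_xlate(open(path).read())`; on the thread's own output it would single out the DHCP server's port 1084 entries and leave the DNS server's single-peer entry alone. The threshold is a starting point: a server that legitimately talks to many peers will also trip it, so the flag is a prompt to look at what that host is doing, not a verdict.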
