03-31-2003 12:17 AM - edited 03-09-2019 02:41 AM
pix syslog message
2003-03-31 15:30:21 Local4.Notice 192.168.253.253 %PIX-5-304001: 61.1.180.220 Accessed URL (my web site ip address ):/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
I have followed the document on the Cisco web site
"Cisco - Using Network-Based Application Recognition and ACLs for Blocking the "Code Red" Worm"
and I have keyed in the commands on my 3660 router,
but my PIX firewall still receives the syslog message shown above.
Do I need to key in other commands??
==========================================
my route map is
Router#show route-map
route-map null_policy_route, permit, sequence 10
Match clauses:
ip address (access-lists): 106
Set clauses:
interface Null0
Policy routing matches: 116 packets, 23968 bytes
=====================
my class-map is
class-map match-any coderedhttp-hacks
match protocol http url "*default.ida*"
match protocol http url "*x.ida*"
match protocol http url "*.ida*"
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
match protocol http url "default.ida"
!
!
policy-map mark-inbound-http-hacks
class coderedhttp-hacks
set ip dscp 1
access-list 106 permit ip any any dscp 1
==================================
I feel that sometimes the router matches and drops the packets,
but sometimes it does not.
Why??
03-31-2003 08:02 PM
Your ACL is this:
> access-list 106 permit ip any any dscp 1
You've configured the router to set the DSCP bit in any HTTP packet that has "default.ida" in it, but then you go on and say "permit all those packets". Your ACL should be:
> access-list 106 deny ip any any dscp 1
> access-list 106 permit ip any any
Make sure you've applied the service-policy to the inbound interface, and that the ACL 106 is applied outbound on your inside interface.
Check out http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml
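A complete version of what the reply above describes, added here as an example; it is not configuration from the thread or from the Cisco document. The interface names Serial0/0 (outside, toward the ISP) and FastEthernet0/0 (inside, toward the PIX) are assumed.

```ios
! Added example, not from the thread. Assumed interfaces: Serial0/0 = outside
! link to the ISP, FastEthernet0/0 = inside link toward the PIX / DMZ.
ip cef
!
! NBAR classifies HTTP requests whose URL looks like a Code Red probe
class-map match-any coderedhttp-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*x.ida*"
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
! The policy-map only marks: matched packets get DSCP 1, nothing is dropped here
policy-map mark-inbound-http-hacks
 class coderedhttp-hacks
  set ip dscp 1
!
! Original ACL: matches the marked packets but permits them, so they still pass
! access-list 106 permit ip any any dscp 1
!
! Corrected ACL: drop what NBAR marked, let all other traffic through
access-list 106 deny   ip any any dscp 1
access-list 106 permit ip any any
!
! Mark on the way in from the Internet...
interface Serial0/0
 description Outside (ISP)
 service-policy input mark-inbound-http-hacks
!
! ...and drop on the way out toward the inside network
interface FastEthernet0/0
 description Inside (toward PIX)
 ip access-group 106 out
!
! Note: with the deny line first, route-map null_policy_route (which matches
! ACL 106) no longer policy-routes anything and can be removed.
```

"show policy-map interface Serial0/0" shows the class-map hit counters, and "show access-lists 106" shows how many marked packets the deny line has dropped, which tells you whether the NBAR match or the ACL is the part that is not working.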
04-04-2003 05:40 AM
I also have a problem with Code Red causing congestion problems in my DMZ. My servers are protected, but I'd like to cut it off at the router. I have a 3640 router with 4 T-1's to 2 different Internet providers. From everything I have read concerning this policy map etc., it seems that you need CEF enabled on the router for this to work. Is that correct? Do all the interfaces need CEF on them, or can one be fast-switched?
04-07-2003 09:48 PM
Yes, for NBAR to work you need CEF enabled. CEF is enabled globally, so if an interface is configured for fast switching, then it'll be doing CEF. Only if you have the "no ip route-cache" command is the interface process switched.