Monday, January 26, 2009

firewall-wizards Digest, Vol 33, Issue 8

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Interface Errors on a Cisco ASA 5520 (Morrow Long)
2. Re: ASA 8.0(4) -- Privilege Level to Create Users (Todd Simons)
3. Re: Interface Errors on a Cisco ASA 5520 (Christopher J. Wargaski)


----------------------------------------------------------------------

Message: 1
Date: Mon, 19 Jan 2009 12:11:40 -0500
From: Morrow Long <morrow.long@yale.edu>
Subject: Re: [fw-wiz] Interface Errors on a Cisco ASA 5520
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <3EC21CCC-E93C-4C66-914C-36F72C6B27C6@yale.edu>
Content-Type: text/plain; charset="us-ascii"; Format="flowed";
DelSp="yes"

What are you seeing for entries in the logs on the ASA's syslog
server(s)?

Under a high input pkt rate, if the ASA rules are deny'ing many pits
AND it is syslogging each deny - particularly if it has multiple
syslog servers - could put an ASA under stress.


Sent from my iPhone

On Jan 16, 2009, at 3:22 PM, David Blahut <dablahut@vassar.edu> wrote:

> All the interface counters on the 2970 are holding steady at zero.
>
> *****snip*****
>
> Interface GigabitEthernet0/0 "outside", is up, line protocol is up
> Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
> Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
> MAC address 0019.e8d9.65d6, MTU 1500
> IP address 10.0.2.254, subnet mask 255.255.255.0
> 75470149 packets input, 85638459632 bytes, 36635 no buffer
> Received 0 broadcasts, 0 runts, 0 giants
> 32081 input errors, 0 CRC, 0 frame, 32081 overrun, 0
> ignored, 0 abort
> 0 L2 decode drops
> 54815945 packets output, 14582208506 bytes, 0 underruns
> 0 output errors, 0 collisions, 0 interface resets
> 0 late collisions, 0 deferred
> 0 input reset drops, 0 output reset drops
> input queue (curr/max packets): hardware (0/33) software (0/0)
> output queue (curr/max packets): hardware (0/45) software
> (0/0)
> Traffic Statistics for "outside":
> 75456180 packets input, 84247395544 bytes
> 54815945 packets output, 13513354970 bytes
> 1229667 packets dropped
> 1 minute input rate 3482 pkts/sec, 3765959 bytes/sec
> 1 minute output rate 2563 pkts/sec, 615114 bytes/sec
> 1 minute drop rate, 48 pkts/sec
> 5 minute input rate 3173 pkts/sec, 3494452 bytes/sec
> 5 minute output rate 2360 pkts/sec, 632499 bytes/sec
> 5 minute drop rate, 59 pkts/sec
> Interface GigabitEthernet0/1 "inside", is up, line protocol is up
> Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
> Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
> MAC address 0019.e8d9.65d7, MTU 1500
> IP address 10.0.1.1, subnet mask 255.255.255.0
> 53083032 packets input, 14467412251 bytes, 57 no buffer
> Received 24 broadcasts, 0 runts, 0 giants
> 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
> 0 L2 decode drops
> 78602459 packets output, 86261688947 bytes, 0 underruns
> 0 output errors, 0 collisions, 0 interface resets
> 0 late collisions, 0 deferred
> 0 input reset drops, 0 output reset drops
> input queue (curr/max packets): hardware (1/33) software (0/0)
> output queue (curr/max packets): hardware (0/232) software
> (0/0)
> Traffic Statistics for "inside":
> 53080231 packets input, 13433139678 bytes
> 78602459 packets output, 84817722165 bytes
> 105636 packets dropped
> 1 minute input rate 2464 pkts/sec, 593880 bytes/sec
> 1 minute output rate 3621 pkts/sec, 3820938 bytes/sec
> 1 minute drop rate, 6 pkts/sec
> 5 minute input rate 2266 pkts/sec, 523832 bytes/sec
> 5 minute output rate 3365 pkts/sec, 3565026 bytes/sec
> 5 minute drop rate, 9 pkts/sec
>
> ****snip****
>
> -d
>
> Christopher J. Wargaski wrote:
>>
>> David--
>>
>> Can you post a snipped of the interface statistics?
>>
>> Also, look at the interface statistics for the upstream and
>> downstream switch or router.
>>
>>
>> On Fri, Jan 16, 2009 at 11:15 AM, David Blahut
>> <dablahut@vassar.edu> wrote:
>> All-
>>
>> I just put into production a pair of Cisco ASA 5520s with a Cisco
>> 2970 switch between the two. I am seeing no buffer, input errors,
>> and overrun errors on the active outside and inside interfaces
>> (output is error free). I have all interfaces on the ASAs and the
>> switch hard coded to 1000Mbps and full duplex, TAC wasn't much help
>> and Google doesn't have much to offer on the subject. Given that
>> speed and duplex mismatch usually manifest itself as CRC and or
>> collisions this seems more like an input buffer size issue, but I
>> am not sure.
>>
>> By the way, the load is about 40Mbps right now and the error
>> counters seem to increase in burst (no increase since I first
>> checked it at about 9 this morning).
>>
>> Any ideas?
>>
>> Thanks,
>> David
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20090119/de94749a/attachment-0001.html>

------------------------------

Message: 2
Date: Mon, 19 Jan 2009 14:49:38 -0500
From: "Todd Simons" <tsimons@delphi-tech.com>
Subject: Re: [fw-wiz] ASA 8.0(4) -- Privilege Level to Create Users
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<6BEB7C2F4C712045AA210FC242934F7506FD1CD8@NJ-EXCHANGE1.AD.dti>
Keywords: disclaimer
Content-Type: text/plain; charset="us-ascii"

Thanks Chris-

This works, and is a temporary workaround (until I can get AAA in).
...the jr admin knows we will be watching and auditing!!

~Todd

From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
Christopher J. Wargaski
Sent: Friday, January 16, 2009 11:19 AM
To: Firewall Wizards Security Mailing List
Cc: Todd Simons
Subject: Re: [fw-wiz] ASA 8.0(4) -- Privilege Level to Create Users

Hey Todd--

Yes, there is. However, by giving the permission to someone to
add/modify users, they can modify their own privilege level. So this is
sort of a security through obscurity thing.

Try this:

privilege cmd level 5 mode exec command configure

privilege show level 5 mode configure command username

privilege cmd level 5 mode configure command configure

privilege cmd level 5 mode configure command username

privilege clear level 5 mode configure command username

privilege clear level 5 mode configure command configure

username jradmin password my-pass privilege 5

On Fri, Jan 16, 2009 at 8:35 AM, Todd Simons <tsimons@delphi-tech.com>
wrote:

Hello All

We have an ASA hosting connections for our Avaya VPN enabled IP phones.
I need to give access to a junior admin to create local user accounts on
the ASA. Is there a privilege level, or a custom level that I can
build to allow these commands to be entered by the jr admin without
giving him access to the whole ASA config:

username <username> password <password>

username <username> attributes

vpn-group-policy <GrpPolicyName>

service-type remote-access

Thanks,

~Todd


## Scanned by Delphi Technology, Inc. ##
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20090119/370efeaf/attachment-0001.html>

------------------------------

Message: 3
Date: Thu, 22 Jan 2009 11:36:32 -0600
From: "Christopher J. Wargaski" <wargo1@gmail.com>
Subject: Re: [fw-wiz] Interface Errors on a Cisco ASA 5520
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<17065120901220936pf7d86c7j20bb0f54e08bdfd2@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

David--

This looks like a hardware problem, the ASA is not able to buffer the
received traffic fast enough. What device is the upstream device sending the
data? I am thinking that you should be contacting Cisco at this point.


On Fri, Jan 16, 2009 at 2:22 PM, David Blahut <dablahut@vassar.edu> wrote:

> All the interface counters on the 2970 are holding steady at zero.
>
> *****snip*****
>
> Interface GigabitEthernet0/0 "outside", is up, line protocol is up
> Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
> Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
> MAC address 0019.e8d9.65d6, MTU 1500
> IP address 10.0.2.254, subnet mask 255.255.255.0
> 75470149 packets input, 85638459632 bytes, *36635 no buffer*
> Received 0 broadcasts, 0 runts, 0 giants
> *32081 input errors, 0 CRC, 0 frame, 32081 overrun, 0 ignored, 0
> abort*
> 0 L2 decode drops
> 54815945 packets output, 14582208506 bytes, 0 underruns
> 0 output errors, 0 collisions, 0 interface resets
> 0 late collisions, 0 deferred
> 0 input reset drops, 0 output reset drops
> input queue (curr/max packets): hardware (0/33) software (0/0)
> output queue (curr/max packets): hardware (0/45) software (0/0)
> Traffic Statistics for "outside":
> 75456180 packets input, 84247395544 bytes
> 54815945 packets output, 13513354970 bytes
> 1229667 packets dropped
> 1 minute input rate 3482 pkts/sec, 3765959 bytes/sec
> 1 minute output rate 2563 pkts/sec, 615114 bytes/sec
> 1 minute drop rate, 48 pkts/sec
> 5 minute input rate 3173 pkts/sec, 3494452 bytes/sec
> 5 minute output rate 2360 pkts/sec, 632499 bytes/sec
> 5 minute drop rate, 59 pkts/sec
>

cjw
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20090122/ee44c250/attachment.html>

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 33, Issue 8
***********************************************

No comments:

Post a Comment