Network Security Firewalls

RE: PIX Log Interpretation Help

Subject: RE: PIX Log Interpretation Help
Date: Tue, 27 Jun 2006 17:45:32 -0700
Robert,
Your PIX is doing its job. Those messages indicate that it denied a new
connection due to the "inbound" ACL. Port 21100, 14135 and 7589 are most
likely your server's source ports when it connects to the external SMTP
server. For some reason it looks like the external server is trying to
connect back and getting denied. It could be valid traffic getting
denied or invalid traffic justly getting denied. Does the connection
work and just generate noise?

The PIX does not allow an inbound connection unless it is part of a
previously established session. You should check whether you have the
SMTP fixup turned on. The SMTP fixup monitors the control commands and
automatically opens additional ports as necessary during an SMTP
connection. 

To check if it is enabled use the following command: "show run | grep
fixup" and look for SMTP. If it's missing, add this command and test the
connection: "fixup protocol SMTP 25". 

Conversely, the fixup could also be the problem. If it is enabled you
can try: "no fixup protocol SMTP 25" and test.

Good luck, and be careful. Make sure to back up your configuration before
making any changes. These commands can break your existing SMTP
connectivity so use them at your own risk. Typically the fixup fixes or
causes the issue, sometimes it is something else. Try that first and let
us know if you don't see any change.

Hope that helps,
Dan

-----Original Message-----
From: Robert McIntosh [mailto:mcintoshrt@gmail.com] 
Sent: Tuesday, June 27, 2006 2:54 PM
To: firewalls@securityfocus.com
Subject: PIX Log Interpretation Help

Hello,
I've been observing some log activity on my PIX 501 firewall that I'd
like some interpretation help with.

During an smtp transaction, the PIX will record the following deny
transactions (IPs = x to protect the parties):

Jun 26 15:21:06 10.0.0.6 %PIX-4-106023: Deny tcp src outside:xxx.xxx.xxx.xxx/25 dst inside:xxx.xxx.xxx.xxx/21100 by access-group "inbound"
Jun 26 15:21:09 10.0.0.6 %PIX-4-106023: Deny tcp src outside:xxx.xxx.xxx.xxx/25 dst inside:xxx.xxx.xxx.xxx/21100 by access-group "inbound"

I don't understand why the external mail host would be trying to
connect on port 21100 on our firewall.  Also, it is not specific to
port 21100 - sometimes it's on port 7598, sometimes 14135...it appears
to be random.

I'd appreciate any ideas on this one.

Many thanks,
Robert
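
An added example, not part of the thread: a small Python triage script for the %PIX-4-106023 deny lines quoted above. It groups denies by source and separates packets that look like replies from a remote service port (as in the log above, source port 25 to a high port) from ordinary new inbound attempts. The sample lines, the IP addresses and the "service port to port >= 1024" heuristic are assumptions made for this example.

```python
import re

# Constructed sample in the thread's log format (documentation IPs); the
# first entry is hard-wrapped the way the mail client wrapped the original.
SAMPLE = '''\
Jun 26 15:21:06 10.0.0.6 %PIX-4-106023: Deny tcp src
outside:192.0.2.10/25 dst inside:198.51.100.5/21100 by
access-group "inbound"
Jun 26 15:21:09 10.0.0.6 %PIX-4-106023: Deny tcp src outside:192.0.2.10/25 dst inside:198.51.100.5/21100 by access-group "inbound"
Jun 26 15:40:12 10.0.0.6 %PIX-4-106023: Deny tcp src outside:192.0.2.10/25 dst inside:198.51.100.5/14135 by access-group "inbound"
Jun 26 16:02:44 10.0.0.6 %PIX-4-106023: Deny tcp src outside:203.0.113.77/40112 dst inside:198.51.100.5/3389 by access-group "inbound"
'''

TS = re.compile(r'[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ')
DENY = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\S+) '
    r'src [^:\s]+:(?P<sip>[^/\s]+)/(?P<sport>\d+) '
    r'dst [^:\s]+:(?P<dip>[^/\s]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"')

def unwrap(text):
    """Rejoin entries that were wrapped: a line without a syslog timestamp
    continues the previous entry."""
    entries = []
    for line in text.splitlines():
        if TS.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += ' ' + line.strip()
    return entries

def classify(sport, dport, service_ports=(25,)):
    """Assumed heuristic: a packet from a service port to a high port looks like
    a reply to a session the inside host opened, not a new inbound connection."""
    return 'reply-like' if sport in service_ports and dport >= 1024 else 'new-inbound'

def summarize(text):
    """Group denies by (src ip, src port, dst ip, class); count and collect dst ports."""
    summary = {}
    for entry in unwrap(text):
        m = DENY.search(entry)
        if not m:
            continue
        sport, dport = int(m['sport']), int(m['dport'])
        key = (m['sip'], sport, m['dip'], classify(sport, dport))
        item = summary.setdefault(key, {'count': 0, 'dports': set()})
        item['count'] += 1
        item['dports'].add(dport)
    return summary

if __name__ == '__main__':
    for key, item in summarize(SAMPLE).items():
        print(key, item['count'], sorted(item['dports']))
```

A source that shows up only as "reply-like" with varying destination ports matches the pattern discussed in the thread; "new-inbound" entries are ordinary blocked connection attempts and are worth reviewing separately.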

