scangroup
asked on
How to monitor a Cisco 2600 router for somebody filling up our bandwidth
Hello,
ISP (Time Warner RoadRunner cable service) > ISP provided cable modem > into Cisco 2600 ethernet 0/0 > out of Cisco 2600 ethernet 0/1 > internal network.
Currently using Wisconsin Road-Runner cable modem with a 1.5 mbps connection.
Our internet connection will come to a crawl several times a day.
If I power off/on the Cisco 2600, bandwidth becomes full strength again.
It is as if, when I reboot, I am disconnecting anyone from outside the building who may be using the bandwidth without permission, spyware, or whatever.
I am using the router to do NAT on about 20 ip addresses... ftp, web, remote ticketing system.
A lot of the IP addresses sit on 2 Windows NT 4.0 servers doing IIS (they are configured with multiple addresses) and have been swept for viruses and spyware.
I have addressed this issue with my ISP and they helped me prove it to myself that their equipment does not seem to be at fault. I have proven this by putting servers on the other side of the firewall and have not had any speed issues. The router has gotten so bad that most of the things that I want to protect have been moved to the public side.
I will clean up a config without ip addresses and post that next.
Thanks in advance
-scangroup
have you done a
show ip nat translations
to see if you can see what is happening?
-red
ASKER
red
Here is what I see when I do a show ip nat translation.
I am not real sure what I am looking for.
I know the inside addresses.
I know what ports I have open, and do see translations on other ports?
Would not know the outside addresses... people hitting web sites, some of which have ftp stuff.
10.1.1.1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp xx.xxx.xx.34:58647 10.1.1.190:58647 207.89.253.47:110 207.89.253.47:110
tcp xx.xxx.xx.34:49824 10.1.1.145:49824 208.185.101.168:80 208.185.101.168:80
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2234 24.238.226.74:2234
tcp xx.xxx.xx.34:52658 10.1.1.206:52658 207.89.253.47:110 207.89.253.47:110
udp xx.xxx.xx.34:49152 10.1.1.116:49152 204.29.202.6:53 204.29.202.6:53
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2553 24.238.226.74:2553
tcp xx.xxx.xx.34:49810 10.1.1.145:49810 64.156.132.140:80 64.156.132.140:80
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2514 24.238.226.74:2514
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2502 24.238.226.74:2502
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2464 24.238.226.74:2464
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2679 24.238.226.74:2679
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2666 24.238.226.74:2666
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2615 24.238.226.74:2615
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2608 24.238.226.74:2608
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2567 24.238.226.74:2567
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2809 24.238.226.74:2809
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2801 24.238.226.74:2801
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2744 24.238.226.74:2744
tcp xx.xxx.xx.40:1418 10.1.1.10:1418 --- ---
tcp xx.xxx.xx.40:1419 10.1.1.10:1419 --- ---
tcp xx.xxx.xx.40:1417 10.1.1.10:1417 --- ---
tcp xx.xxx.xx.40:1420 10.1.1.10:1420 --- ---
Pro Inside global Inside local Outside local Outside global
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2734 24.238.226.74:2734
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:4779 24.238.226.74:4779
tcp xx.xxx.xx.39:1433 10.1.1.9:1433 --- ---
tcp xx.xxx.xx.43:1433 10.1.1.13:1433 --- ---
tcp xx.xxx.xx.42:1433 10.1.1.12:1433 --- ---
tcp xx.xxx.xx.41:1433 10.1.1.11:1433 --- ---
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 --- ---
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:4768 24.238.226.74:4768
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2941 24.238.226.74:2941
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2926 24.238.226.74:2926
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2875 24.238.226.74:2875
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2859 24.238.226.74:2859
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3044 24.238.226.74:3044
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3034 24.238.226.74:3034
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2994 24.238.226.74:2994
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:2984 24.238.226.74:2984
tcp xx.xxx.xx.34:49817 10.1.1.145:49817 216.73.86.23:80 216.73.86.23:80
udp xx.xxx.xx.34:3752 10.1.1.41:3752 24.94.165.130:53 24.94.165.130:53
tcp xx.xxx.xx.53:50000 10.1.1.3:50000 --- ---
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3168 24.238.226.74:3168
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3157 24.238.226.74:3157
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3115 24.238.226.74:3115
Pro Inside global Inside local Outside local Outside global
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3101 24.238.226.74:3101
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:1040 24.238.226.74:1040
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3316 24.238.226.74:3316
tcp xx.xxx.xx.34:49809 10.1.1.145:49809 192.25.225.30:80 192.25.225.30:80
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3237 24.238.226.74:3237
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3225 24.238.226.74:3225
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3454 24.238.226.74:3454
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3442 24.238.226.74:3442
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3395 24.238.226.74:3395
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3388 24.238.226.74:3388
tcp xx.xxx.xx.34:4832 10.1.1.41:4832 24.28.200.147:110 24.28.200.147:110
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3340 24.238.226.74:3340
tcp xx.xxx.xx.34:49194 10.1.1.46:49194 207.89.253.47:110 207.89.253.47:110
tcp xx.xxx.xx.34:49195 10.1.1.46:49195 207.89.253.47:110 207.89.253.47:110
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3573 24.238.226.74:3573
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3563 24.238.226.74:3563
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3525 24.238.226.74:3525
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3517 24.238.226.74:3517
tcp xx.xxx.xx.53:80 10.1.1.3:80 209.83.100.194:57209 209.83.100.194:57209
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3689 24.238.226.74:3689
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3683 24.238.226.74:3683
Pro Inside global Inside local Outside local Outside global
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3634 24.238.226.74:3634
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3629 24.238.226.74:3629
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3838 24.238.226.74:3838
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3817 24.238.226.74:3817
udp xx.xxx.xx.34:49757 10.1.1.145:49757 24.160.227.32:53 24.160.227.32:53
udp xx.xxx.xx.34:49756 10.1.1.145:49756 24.160.227.33:53 24.160.227.33:53
udp xx.xxx.xx.34:49753 10.1.1.145:49753 24.160.227.32:53 24.160.227.32:53
udp xx.xxx.xx.34:49755 10.1.1.145:49755 24.160.227.32:53 24.160.227.32:53
udp xx.xxx.xx.34:49754 10.1.1.145:49754 24.160.227.32:53 24.160.227.32:53
tcp xx.xxx.xx.34:49816 10.1.1.145:49816 65.169.170.149:80 65.169.170.149:80
udp xx.xxx.xx.34:49174 10.1.1.116:49174 17.254.0.31:123 17.254.0.31:123
udp xx.xxx.xx.34:49173 10.1.1.116:49173 17.254.0.31:123 17.254.0.31:123
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3758 24.238.226.74:3758
udp xx.xxx.xx.40:407 10.1.1.10:407 --- ---
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3747 24.238.226.74:3747
tcp xx.xxx.xx.37:443 10.1.1.7:443 --- ---
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3963 24.238.226.74:3963
tcp xx.xxx.xx.49:80 10.1.1.150:80 --- ---
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3953 24.238.226.74:3953
tcp xx.xxx.xx.52:80 10.1.1.151:80 --- ---
tcp xx.xxx.xx.53:80 10.1.1.3:80 --- ---
tcp xx.xxx.xx.42:80 10.1.1.12:80 --- ---
Pro Inside global Inside local Outside local Outside global
tcp xx.xxx.xx.43:80 10.1.1.13:80 --- ---
tcp xx.xxx.xx.40:80 10.1.1.10:80 --- ---
tcp xx.xxx.xx.41:80 10.1.1.11:80 --- ---
tcp xx.xxx.xx.46:80 10.1.1.16:80 --- ---
tcp xx.xxx.xx.35:80 10.1.1.5:80 --- ---
tcp xx.xxx.xx.39:80 10.1.1.9:80 --- ---
tcp xx.xxx.xx.37:80 10.1.1.7:80 --- ---
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3900 24.238.226.74:3900
tcp xx.xxx.xx.54:21 10.1.1.4:21 --- ---
tcp xx.xxx.xx.53:21 10.1.1.3:21 --- ---
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:3891 24.238.226.74:3891
tcp xx.xxx.xx.49:21 10.1.1.150:21 --- ---
tcp xx.xxx.xx.40:21 10.1.1.10:21 --- ---
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:4094 24.238.226.74:4094
tcp xx.xxx.xx.34:4831 10.1.1.41:4831 207.89.253.47:110 207.89.253.47:110
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:4077 24.238.226.74:4077
udp xx.xxx.xx.34:49152 10.1.1.116:49152 169.207.1.3:53 169.207.1.3:53
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:4033 24.238.226.74:4033
tcp xx.xxx.xx.40:1433 10.1.1.10:1433 24.238.226.74:4022 24.238.226.74:4022
udp xx.xxx.xx.34:54595 10.1.1.206:54595 24.94.165.131:53 24.94.165.131:53
udp xx.xxx.xx.34:54594 10.1.1.206:54594 24.94.165.130:53 24.94.165.130:53
udp xx.xxx.xx.34:54597 10.1.1.206:54597 24.94.165.130:53 24.94.165.130:53
Pro Inside global Inside local Outside local Outside global
udp xx.xxx.xx.34:54596 10.1.1.206:54596 24.94.165.130:53 24.94.165.130:53
udp xx.xxx.xx.34:54599 10.1.1.206:54599 24.94.165.130:53 24.94.165.130:53
udp xx.xxx.xx.34:54598 10.1.1.206:54598 24.94.165.130:53 24.94.165.130:53
udp xx.xxx.xx.34:54600 10.1.1.206:54600 24.94.165.130:53 24.94.165.130:53
tcp xx.xxx.xx.34:49831 10.1.1.145:49831 207.89.253.47:110 207.89.253.47:110
10.1.1.1#
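One way to make sense of a table like the one above, as an added example and not something posted in the thread: a small Python script that parses show ip nat translations output, separates the static (published) mappings, which IOS prints with --- in both outside columns, from live sessions, and counts the live sessions per outside host that target a published service. The sample table is constructed in the same format as the poster's output, and the session threshold is an assumption.

```python
from collections import Counter

# Constructed sample in the format of `show ip nat translations` on IOS 12.0,
# modelled on the output posted in this thread (public addresses masked as
# xx.xxx.xx.N exactly as the poster did). Not a capture from the poster's router.
SAMPLE = """\
10.1.1.1#show ip nat translations
Pro Inside global      Inside local       Outside local       Outside global
tcp xx.xxx.xx.34:58647 10.1.1.190:58647   207.89.253.47:110   207.89.253.47:110
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2234  24.238.226.74:2234
udp xx.xxx.xx.34:49152 10.1.1.116:49152   204.29.202.6:53     204.29.202.6:53
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2553  24.238.226.74:2553
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2514  24.238.226.74:2514
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     ---                 ---
tcp xx.xxx.xx.53:80    10.1.1.3:80        ---                 ---
tcp xx.xxx.xx.34:49817 10.1.1.145:49817   216.73.86.23:80     216.73.86.23:80
Pro Inside global      Inside local       Outside local       Outside global
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3168  24.238.226.74:3168
10.1.1.1#
"""


def parse_translations(text):
    """Return one dict per translation row, skipping the prompt and the
    column-header line that IOS repeats on every screenful."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp"):
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                     "outside_local": ol, "outside_global": og})
    return rows


def service_of(row):
    """Name the inside endpoint as proto/host:port, e.g. tcp/10.1.1.10:1433."""
    return f'{row["proto"]}/{row["inside_local"]}'


def exposed_services(rows):
    """Static mappings show '---' in both outside columns: these are the
    services published to the Internet whether or not a session is live."""
    return {service_of(r) for r in rows if r["outside_global"] == "---"}


def inbound_by_source(rows):
    """Count live sessions per outside host that target a published service.
    Sessions whose inside port is not a published service are outbound
    (PAT'd clients doing web, DNS, POP3) and are left out."""
    published = exposed_services(rows)
    hits = Counter()
    for r in rows:
        if r["outside_global"] == "---" or service_of(r) not in published:
            continue
        host = r["outside_global"].rpartition(":")[0]
        hits[host] += 1
    return hits


def sessions_by_service(rows):
    """Count live sessions per inside service, inbound or outbound."""
    return Counter(service_of(r) for r in rows if r["outside_global"] != "---")


def flag_sources(rows, min_sessions=3):
    """Return [(outside_host, count)] for hosts holding at least min_sessions
    concurrent sessions to published services, busiest first. The threshold
    is an assumption; on a 1.5 Mbps link a single such host can own most of
    the translation table (the router caps it at 256 entries in this config)."""
    return [(h, n) for h, n in inbound_by_source(rows).most_common()
            if n >= min_sessions]


if __name__ == "__main__":
    table = parse_translations(SAMPLE)
    print("published services:", sorted(exposed_services(table)))
    for host, n in flag_sources(table):
        print(f"{host}: {n} inbound sessions to published services")
```

Paste the real router output into SAMPLE (or read it from a file) and the flagged host is the one to cross-check against the static NAT lines in the running config.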
ASKER
Some know-it-all came by and turned on logging.
Never saw him again.
Here is what I see when I do a show log; it looks like there is stuff going on, but I do not know how to read it.
10.1.1.1#show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level errors, 3 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level informational, 9 messages logged
Trap logging: level informational, 13 message lines logged
Log Buffer (4096 bytes):
00:00:09: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
00:00:09: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
00:00:09: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
00:00:10: %SYS-5-CONFIG_I: Configured from memory by console
00:00:10: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.0(1)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Wed 04-Nov-98 20:11 by dschwart
00:00:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
00:00:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
00:00:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
00:00:11: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down
>"ip nat inside source static tcp 10.1.1.10 1433 xx.xxx.xx.40 1433 extendable"
It seems that you have a SQL server running at 10.1.1.10 (TCP 1433 open). Do you have your SQL server password set for 'sa'? As red indicated, SQL attacks have been around for years.
24.238.226.74 belongs to Earthlink; it seems to be a dynamic IP or a dial-up account, very likely an attacker or worm victim.
You can also enable ip accounting to find out the top users or possible attacks on your network.
ASKER
red and magic
I think you are on to something with the 1433
How do I turn on ip accounting?
thanks
Are you running SQL at all? Do you need this port open?
If yes, then you can make an access list denying the range that the 'attacker' comes from.
If no, close the port.
ASKER
10.1.1.1>ena
Password:
10.1.1.1#show run
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 10.1.1.1
!
logging buffered 4096 informational
logging console errors
enable password xxxxx
!
ip subnet-zero
ip domain-name clientname.net
ip name-server 24.160.227.32
ip name-server 24.160.227.33
!
!
!
!
interface Ethernet0/0
ip address xx.xxxx.xx.34 255.255.255.224
no ip directed-broadcast
ip nat outside
!
interface Serial0/0
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet0/1
ip address 10.1.1.1 255.0.0.0
no ip directed-broadcast
ip nat inside
!
ip default-gateway xx.xxx.xx.33
ip nat translation max-entries 256
ip nat inside source list 2 interface Ethernet0/0 overload
ip nat inside source static tcp 10.1.1.151 80 xx.xxx.xx.52 80 extendable
ip nat inside source static tcp 10.1.1.150 80 xx.xxx.xx.49 80 extendable
ip nat inside source static tcp 10.1.1.150 21 xx.xxx.xx.49 21 extendable
ip nat inside source static tcp 10.1.1.16 80 xx.xxx.xx.46 80 extendable
ip nat inside source static tcp 10.1.1.13 1433 xx.xxx.xx.43 1433 extendable
ip nat inside source static tcp 10.1.1.13 80 xx.xxx.xx.43 80 extendable
ip nat inside source static tcp 10.1.1.12 1433 xx.xxx.xx.42 1433 extendable
ip nat inside source static tcp 10.1.1.12 80 xx.xxx.xx.42 80 extendable
ip nat inside source static tcp 10.1.1.11 1433 xx.xxx.xx.41 1433 extendable
ip nat inside source static tcp 10.1.1.11 80 xx.xxx.xx.41 80 extendable
ip nat inside source static tcp 10.1.1.10 1433 xx.xxx.xx.40 1433 extendable
ip nat inside source static tcp 10.1.1.10 1420 xx.xxx.xx.40 1420 extendable
ip nat inside source static tcp 10.1.1.10 1419 xx.xxx.xx.40 1419 extendable
ip nat inside source static tcp 10.1.1.10 1418 xx.xxx.xx.40 1418 extendable
ip nat inside source static tcp 10.1.1.10 1417 xx.xxx.xx.40 1417 extendable
ip nat inside source static udp 10.1.1.10 407 xx.xxx.xx.40 407 extendable
ip nat inside source static tcp 10.1.1.10 80 xx.xxx.xx.40 80 extendable
ip nat inside source static tcp 10.1.1.10 21 xx.xxx.xx.40 21 extendable
ip nat inside source static tcp 10.1.1.9 1433 xx.xxx.xx.39 1433 extendable
ip nat inside source static tcp 10.1.1.9 80 xx.xxx.xx.39 80 extendable
ip nat inside source static tcp 10.1.1.7 443 xx.xxx.xx.37 443 extendable
ip nat inside source static tcp 10.1.1.7 80 xx.xxx.xx.37 80 extendable
ip nat inside source static tcp 10.1.1.5 80 xx.xxx.xx.35 80 extendable
ip nat inside source static tcp 10.1.1.4 21 xx.xxx.xx.54 21 extendable
ip nat inside source static tcp 10.1.1.3 50000 xx.xxx.xx.53 50000 extendable
ip nat inside source static tcp 10.1.1.3 80 xx.xxx.xx.53 80 extendable
ip nat inside source static tcp 10.1.1.3 21 xx.xxx.xx.53 21 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xxx.xx.33
!
!
map-list ethernet
access-list 2 permit 10.0.0.0 0.255.255.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
no scheduler allocate
end
10.1.1.1#