• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 524

How to monitor a Cisco 2600 router for somebody filling up our bandwidth

Hello,
ISP (Time Warner RoadRunner cable service) > ISP-provided cable modem > into Cisco 2600 Ethernet 0/0 > out of Cisco 2600 Ethernet 0/1 > internal network.
Currently using a Wisconsin Road-Runner cable modem with a 1.5 Mbps connection.
Our Internet connection will come to a crawl several times a day.
If I power off/on the Cisco 2600, bandwidth becomes full strength again.
It is as if, when I reboot, I am disconnecting anyone from outside the building who may be using the bandwidth without permission, spyware, or whatever.

I am using the router to do NAT on about 20 IP addresses... FTP, web, remote ticketing system.
A lot of the IP addresses sit on 2 Windows NT 4.0 servers doing IIS (they are configured with multiple addresses) and have been swept for viruses and spyware.

I have addressed this issue with my ISP and they helped me prove to myself that their equipment does not seem to be at fault. I have proven this by putting servers on the other side of the firewall and have not had any speed issues. The router has gotten so bad that most of the things that I want to protect have been moved to the public side.

I will clean up a config without IP addresses and post that next.

Thanks in advance

-scangroup
scangroup (Author) commented:


10.1.1.1>ena
Password:
10.1.1.1#show run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 10.1.1.1
!
logging buffered 4096 informational
logging console errors
enable password xxxxx
!
ip subnet-zero
ip domain-name clientname.net
ip name-server 24.160.227.32
ip name-server 24.160.227.33
!
!
!
!
interface Ethernet0/0
 ip address xx.xxxx.xx.34 255.255.255.224
 no ip directed-broadcast
 ip nat outside
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Ethernet0/1
 ip address 10.1.1.1 255.0.0.0
 no ip directed-broadcast
 ip nat inside
!
ip default-gateway xx.xxx.xx.33
ip nat translation max-entries 256
ip nat inside source list 2 interface Ethernet0/0 overload
ip nat inside source static tcp 10.1.1.151 80 xx.xxx.xx.52 80 extendable
ip nat inside source static tcp 10.1.1.150 80 xx.xxx.xx.49 80 extendable
ip nat inside source static tcp 10.1.1.150 21 xx.xxx.xx.49 21 extendable
ip nat inside source static tcp 10.1.1.16 80 xx.xxx.xx.46 80 extendable
ip nat inside source static tcp 10.1.1.13 1433 xx.xxx.xx.43 1433 extendable
ip nat inside source static tcp 10.1.1.13 80 xx.xxx.xx.43 80 extendable
ip nat inside source static tcp 10.1.1.12 1433 xx.xxx.xx.42 1433 extendable
ip nat inside source static tcp 10.1.1.12 80 xx.xxx.xx.42 80 extendable
ip nat inside source static tcp 10.1.1.11 1433 xx.xxx.xx.41 1433 extendable
ip nat inside source static tcp 10.1.1.11 80 xx.xxx.xx.41 80 extendable
ip nat inside source static tcp 10.1.1.10 1433 xx.xxx.xx.40 1433 extendable
ip nat inside source static tcp 10.1.1.10 1420 xx.xxx.xx.40 1420 extendable
ip nat inside source static tcp 10.1.1.10 1419 xx.xxx.xx.40 1419 extendable
ip nat inside source static tcp 10.1.1.10 1418 xx.xxx.xx.40 1418 extendable
ip nat inside source static tcp 10.1.1.10 1417 xx.xxx.xx.40 1417 extendable
ip nat inside source static udp 10.1.1.10 407 xx.xxx.xx.40 407 extendable
ip nat inside source static tcp 10.1.1.10 80 xx.xxx.xx.40 80 extendable
ip nat inside source static tcp 10.1.1.10 21 xx.xxx.xx.40 21 extendable
ip nat inside source static tcp 10.1.1.9 1433 xx.xxx.xx.39 1433 extendable
ip nat inside source static tcp 10.1.1.9 80 xx.xxx.xx.39 80 extendable
ip nat inside source static tcp 10.1.1.7 443 xx.xxx.xx.37 443 extendable
ip nat inside source static tcp 10.1.1.7 80 xx.xxx.xx.37 80 extendable
ip nat inside source static tcp 10.1.1.5 80 xx.xxx.xx.35 80 extendable
ip nat inside source static tcp 10.1.1.4 21 xx.xxx.xx.54 21 extendable
ip nat inside source static tcp 10.1.1.3 50000 xx.xxx.xx.53 50000 extendable
ip nat inside source static tcp 10.1.1.3 80 xx.xxx.xx.53 80 extendable
ip nat inside source static tcp 10.1.1.3 21 xx.xxx.xx.53 21 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xxx.xx.33
!
!
map-list ethernet
access-list 2 permit 10.0.0.0 0.255.255.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
no scheduler allocate
end

10.1.1.1#
redseatechnologies commented:
Have you done a

show ip nat translations

to see if you can see what is happening?

-red
scangroup (Author) commented:
red,

Here is what I see when I do a show ip nat translations.
I am not really sure what I am looking for.
I know the inside addresses.
I know what ports I have open, and I do see translations on other ports?
I would not know the outside addresses... people hitting web sites, some of which have FTP stuff.

10.1.1.1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp xx.xxx.xx.34:58647 10.1.1.190:58647   207.89.253.47:110  207.89.253.47:110
tcp xx.xxx.xx.34:49824 10.1.1.145:49824   208.185.101.168:80 208.185.101.168:80
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2234 24.238.226.74:2234
tcp xx.xxx.xx.34:52658 10.1.1.206:52658   207.89.253.47:110  207.89.253.47:110
udp xx.xxx.xx.34:49152 10.1.1.116:49152   204.29.202.6:53    204.29.202.6:53
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2553 24.238.226.74:2553
tcp xx.xxx.xx.34:49810 10.1.1.145:49810   64.156.132.140:80  64.156.132.140:80
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2514 24.238.226.74:2514
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2502 24.238.226.74:2502
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2464 24.238.226.74:2464
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2679 24.238.226.74:2679
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2666 24.238.226.74:2666
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2615 24.238.226.74:2615
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2608 24.238.226.74:2608
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2567 24.238.226.74:2567
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2809 24.238.226.74:2809
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2801 24.238.226.74:2801
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2744 24.238.226.74:2744
tcp xx.xxx.xx.40:1418  10.1.1.10:1418     ---                ---
tcp xx.xxx.xx.40:1419  10.1.1.10:1419     ---                ---
tcp xx.xxx.xx.40:1417  10.1.1.10:1417     ---                ---
tcp xx.xxx.xx.40:1420  10.1.1.10:1420     ---                ---
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2734 24.238.226.74:2734
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:4779 24.238.226.74:4779
tcp xx.xxx.xx.39:1433  10.1.1.9:1433      ---                ---
tcp xx.xxx.xx.43:1433  10.1.1.13:1433     ---                ---
tcp xx.xxx.xx.42:1433  10.1.1.12:1433     ---                ---
tcp xx.xxx.xx.41:1433  10.1.1.11:1433     ---                ---
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     ---                ---
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:4768 24.238.226.74:4768
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2941 24.238.226.74:2941
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2926 24.238.226.74:2926
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2875 24.238.226.74:2875
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2859 24.238.226.74:2859
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3044 24.238.226.74:3044
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3034 24.238.226.74:3034
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2994 24.238.226.74:2994
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:2984 24.238.226.74:2984
tcp xx.xxx.xx.34:49817 10.1.1.145:49817   216.73.86.23:80    216.73.86.23:80
udp xx.xxx.xx.34:3752  10.1.1.41:3752     24.94.165.130:53   24.94.165.130:53
tcp xx.xxx.xx.53:50000 10.1.1.3:50000     ---                ---
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3168 24.238.226.74:3168
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3157 24.238.226.74:3157
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3115 24.238.226.74:3115
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3101 24.238.226.74:3101
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:1040 24.238.226.74:1040
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3316 24.238.226.74:3316
tcp xx.xxx.xx.34:49809 10.1.1.145:49809   192.25.225.30:80   192.25.225.30:80
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3237 24.238.226.74:3237
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3225 24.238.226.74:3225
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3454 24.238.226.74:3454
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3442 24.238.226.74:3442
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3395 24.238.226.74:3395
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3388 24.238.226.74:3388
tcp xx.xxx.xx.34:4832  10.1.1.41:4832     24.28.200.147:110  24.28.200.147:110
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3340 24.238.226.74:3340
tcp xx.xxx.xx.34:49194 10.1.1.46:49194    207.89.253.47:110  207.89.253.47:110
tcp xx.xxx.xx.34:49195 10.1.1.46:49195    207.89.253.47:110  207.89.253.47:110
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3573 24.238.226.74:3573
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3563 24.238.226.74:3563
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3525 24.238.226.74:3525
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3517 24.238.226.74:3517
tcp xx.xxx.xx.53:80    10.1.1.3:80        209.83.100.194:57209 209.83.100.194:57209
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3689 24.238.226.74:3689
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3683 24.238.226.74:3683
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3634 24.238.226.74:3634
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3629 24.238.226.74:3629
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3838 24.238.226.74:3838
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3817 24.238.226.74:3817
udp xx.xxx.xx.34:49757 10.1.1.145:49757   24.160.227.32:53   24.160.227.32:53
udp xx.xxx.xx.34:49756 10.1.1.145:49756   24.160.227.33:53   24.160.227.33:53
udp xx.xxx.xx.34:49753 10.1.1.145:49753   24.160.227.32:53   24.160.227.32:53
udp xx.xxx.xx.34:49755 10.1.1.145:49755   24.160.227.32:53   24.160.227.32:53
udp xx.xxx.xx.34:49754 10.1.1.145:49754   24.160.227.32:53   24.160.227.32:53
tcp xx.xxx.xx.34:49816 10.1.1.145:49816   65.169.170.149:80  65.169.170.149:80
udp xx.xxx.xx.34:49174 10.1.1.116:49174   17.254.0.31:123    17.254.0.31:123
udp xx.xxx.xx.34:49173 10.1.1.116:49173   17.254.0.31:123    17.254.0.31:123
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3758 24.238.226.74:3758
udp xx.xxx.xx.40:407   10.1.1.10:407      ---                ---
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3747 24.238.226.74:3747
tcp xx.xxx.xx.37:443   10.1.1.7:443       ---                ---
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3963 24.238.226.74:3963
tcp xx.xxx.xx.49:80    10.1.1.150:80      ---                ---
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3953 24.238.226.74:3953
tcp xx.xxx.xx.52:80    10.1.1.151:80      ---                ---
tcp xx.xxx.xx.53:80    10.1.1.3:80        ---                ---
tcp xx.xxx.xx.42:80    10.1.1.12:80       ---                ---
tcp xx.xxx.xx.43:80    10.1.1.13:80       ---                ---
tcp xx.xxx.xx.40:80    10.1.1.10:80       ---                ---
tcp xx.xxx.xx.41:80    10.1.1.11:80       ---                ---
tcp xx.xxx.xx.46:80    10.1.1.16:80       ---                ---
tcp xx.xxx.xx.35:80    10.1.1.5:80        ---                ---
tcp xx.xxx.xx.39:80    10.1.1.9:80        ---                ---
tcp xx.xxx.xx.37:80    10.1.1.7:80        ---                ---
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3900 24.238.226.74:3900
tcp xx.xxx.xx.54:21    10.1.1.4:21        ---                ---
tcp xx.xxx.xx.53:21    10.1.1.3:21        ---                ---
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:3891 24.238.226.74:3891
tcp xx.xxx.xx.49:21    10.1.1.150:21      ---                ---
tcp xx.xxx.xx.40:21    10.1.1.10:21       ---                ---
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:4094 24.238.226.74:4094
tcp xx.xxx.xx.34:4831  10.1.1.41:4831     207.89.253.47:110  207.89.253.47:110
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:4077 24.238.226.74:4077
udp xx.xxx.xx.34:49152 10.1.1.116:49152   169.207.1.3:53     169.207.1.3:53
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:4033 24.238.226.74:4033
tcp xx.xxx.xx.40:1433  10.1.1.10:1433     24.238.226.74:4022 24.238.226.74:4022
udp xx.xxx.xx.34:54595 10.1.1.206:54595   24.94.165.131:53   24.94.165.131:53
udp xx.xxx.xx.34:54594 10.1.1.206:54594   24.94.165.130:53   24.94.165.130:53
udp xx.xxx.xx.34:54597 10.1.1.206:54597   24.94.165.130:53   24.94.165.130:53
udp xx.xxx.xx.34:54596 10.1.1.206:54596   24.94.165.130:53   24.94.165.130:53
udp xx.xxx.xx.34:54599 10.1.1.206:54599   24.94.165.130:53   24.94.165.130:53
udp xx.xxx.xx.34:54598 10.1.1.206:54598   24.94.165.130:53   24.94.165.130:53
udp xx.xxx.xx.34:54600 10.1.1.206:54600   24.94.165.130:53   24.94.165.130:53
tcp xx.xxx.xx.34:49831 10.1.1.145:49831   207.89.253.47:110  207.89.253.47:110
10.1.1.1#
scangroup (Author) commented:
Some know-it-all came by and turned on logging.
Never saw him again.
Here is what I see when I do a show log. It looks like there is stuff going on, but I do not know how to read it.

10.1.1.1#show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level errors, 3 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level informational, 9 messages logged
    Trap logging: level informational, 13 message lines logged

Log Buffer (4096 bytes):

00:00:09: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
00:00:09: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
00:00:09: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
00:00:10: %SYS-5-CONFIG_I: Configured from memory by console
00:00:10: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.0(1)T,  RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Wed 04-Nov-98 20:11 by dschwart
00:00:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
00:00:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
00:00:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
00:00:11: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down

redseatechnologies commented:
So this IP address 24.238.226.74 is unknown to you (therefore your "alleged" attacker).

TCP port 1433 is used by SQL Server, which I am assuming you are running on 10.1.1.10.

http://lists.sans.org/pipermail/list/2003-March/056126.html talks about denial of service attacks on 1433, but I am not sure if that is relevant.

The only other things that seem to be going on are a lot of DNS lookups, a few HTTP calls, an NTP time call, and a couple of POP3 connections.

Just so I know, you ARE running SQL, right? If so, do you know (or can you tracert to find out) who 24.238.226.74 is? Could it be a legitimate user of SQL that is causing the traffic?

Let me know what you find.


-red
magicomminc commented:
>"ip nat inside source static tcp 10.1.1.10 1433 xx.xxx.xx.40 1433 extendable"
It seems that you have a SQL server running at 10.1.1.10 (TCP 1433 open). Do you have your SQL Server password set for 'sa'? As red indicated, that SQL attack has been around for years.
24.238.226.74 belongs to EarthLink; it seems to be a dynamic IP or a dial-up account, very likely an attacker or worm victim.
You can also enable IP accounting to find out top users or possible attacks on your network.
scangroup (Author) commented:
red and magic,

I think you are on to something with the 1433.
How do I turn on IP accounting?
Thanks
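Turning on IP accounting (magic's suggestion) and pulling the NAT-table numbers behind red's `show ip nat translations` check, as an added example that is not part of the thread. The interface names, the `ip nat translation max-entries 256` limit and the host 24.238.226.74 are taken from the posted config and translation table; the accounting threshold value is an assumption, and the `| include` output filter assumes the 12.0(1)T image reported in the posted `show log` (older images have to page through the whole table).

```cisco
! Added example, not from the thread: turn on IP accounting, read it
! back, and get the NAT-table numbers.  Interface names, the 256-entry
! NAT limit and host 24.238.226.74 are from the posted config and
! table; the threshold value is an assumption.
configure terminal
 ! Count bytes and packets per (source, destination) pair for every
 ! packet the router sends OUT of the interface.  Enabling it on both
 ! interfaces covers both directions: Ethernet0/0 sees outbound traffic
 ! (public addresses), Ethernet0/1 sees inbound traffic (10.x addresses).
 interface Ethernet0/0
  ip accounting output-packets
 interface Ethernet0/1
  ip accounting output-packets
 exit
 ! The accounting table defaults to 512 pairs; raise it so a busy period
 ! does not overflow into the unaccounted bucket (value is an assumption)
 ip accounting-threshold 2048
end
! Active database: Source / Destination / Packets / Bytes, one row per
! pair.  Look for the largest byte count and for rows involving 10.1.1.10
show ip accounting
! Freeze the current counts into the checkpoint database and restart the
! active one, so a before/after comparison over a known interval works
clear ip accounting
show ip accounting checkpoint
!
! NAT side of the same question: how full is the table?  The posted
! config caps it at 256 (ip nat translation max-entries 256); once the
! cap is hit, new sessions from the inside cannot get a translation.
show ip nat statistics
! Only the rows for the suspect host (output filtering with "|" is
! assumed available on 12.0(1)T, the version in the posted show log)
show ip nat translations | include 24.238.226.74
! Flush the dynamic entries without a power cycle
clear ip nat translation *
```

Both the accounting database and the NAT table live in RAM and are emptied by the reload the question describes as the "fix", so take these readings while the slowdown is happening, not after. If `show ip nat statistics` reports an active count close to 256 while one outside host owns most of the rows, that alone would explain why a reboot restores full speed: the table empties and ordinary outbound connections can be translated again until it refills.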
redseatechnologies commented:
Are you running SQL at all? Do you need this port open?

If yes, then you can make an access list denying the range that the 'attacker' comes from.

If no, close the port.
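A stateless extended ACL on Ethernet0/0 that does what red describes (drop the offending host, or close TCP/1433 to the Internet while keeping it open for one known client), as an added example that is not from the thread. The interface, the masked public address xx.xxx.xx.40 and the host 24.238.226.74 come from the posted config and translation table; the ACL number 101, the trusted-client address 192.0.2.10, the larger log buffer and the new enable secret are assumptions.

```cisco
! Added example, not from the thread.  Public addresses stay masked
! (xx.xxx.xx.N) exactly as in the posted config; substitute the real ones.
configure terminal
 ! 1. Drop everything from the host that fills the translation table
 access-list 101 deny   ip host 24.238.226.74 any log
 ! 2. Replies to connections the inside opened (ACK or RST set) must keep
 !    flowing, or the PAT'd web/POP3 traffic in the table breaks.  Placed
 !    before the 1433 deny so a reply that happens to carry destination
 !    port 1433 (PAT keeps the inside host's ephemeral port) is not caught.
 access-list 101 permit tcp any any established
 ! 3. SQL: either keep it open for ONE known client (address assumed) ...
 access-list 101 permit tcp host 192.0.2.10 host xx.xxx.xx.40 eq 1433
 ! ... and refuse every other new connection to 1433, logging each try.
 !    If nobody outside needs SQL, drop the permit line above (and the
 !    other four 1433 forwards in the NAT config) so only the deny remains.
 access-list 101 deny   tcp any any eq 1433 log
 ! 4. Everything else (the published 80/21/443 forwards, UDP replies to
 !    DNS and NTP) is unchanged
 access-list 101 permit ip any any
 !
 interface Ethernet0/0
  ! Inbound ACLs on the outside interface are evaluated BEFORE NAT, so
  ! they must name the public (inside-global) address, never 10.1.1.10
  ip access-group 101 in
 exit
 ! Denied hits go to the buffer the config already enables at level
 ! informational; a bigger buffer keeps more of them (size assumed)
 logging buffered 16384 informational
 ! Unrelated to bandwidth but visible in the posted config: the enable
 ! password is stored in clear text (new secret is an assumption)
 service password-encryption
 enable secret <new-enable-secret>
end
! Verify: match counters climb on the deny lines, denied attempts show
! up as %SEC-6-IPACCESSLOGP lines, and 1433 answers only the trusted client
show access-lists 101
show log | include IPACCESSLOGP
```

The per-host deny is a stopgap: magic's observation that 24.238.226.74 looks like a dial-up or dynamic address means the same party will come back from a different one, so the line that actually fixes the exposure is the deny on port 1433. With only the inbound ACL in place the router still has no state table, which is why the `established` permit is needed for return traffic; it is the standard 12.0-era workaround, not a substitute for a stateful firewall.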