
How to kill open sessions on PIX


Tekmazter (IS-IT--Management), Mar 26, 2002, US
Hello everyone,

Sorta new here to the command portion of the PIX 515E. I know how to show open active connections from the command line, but how do you kill a connection? For example...

I run the following:

show conn protocol tcp

...I get my output and want to kill off a connection to a particular host that is going out over the web.

What would be the command I use for that?
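The reply that answered this question is not in the thread as archived. As an added example (not from any poster), this is the usual way to tear down a connection on a PIX 6.x: the PIX has no per-connection kill, so you clear the state of the inside host (or its translation). It assumes PIX 6.2 or later for the clear local-host command, and uses the inside address 10.100.2.100 that appears later in the thread.

```cisco
! Added example, not from any poster. Assumes PIX 6.2+ syntax.
! 1. Locate the connection. Columns: protocol, direction, outside addr:port,
!    inside addr:port, idle time, byte count, flags.
show conn protocol tcp
! TCP out 64.12.25.132:5190 in DCorwin:1164 idle 0:01:44 Bytes 78340 flags UIO
!
! 2a. Drop every connection and translation belonging to that inside host.
!     The host can reconnect at once, so pair this with an ACL if the goal
!     is enforcement rather than a one-off reset.
clear local-host 10.100.2.100
!
! 2b. Alternative: clear the xlate for that local address; connections
!     riding on the translation are dropped with it. Never run a bare
!     "clear xlate": that drops every translation on the box.
clear xlate local 10.100.2.100
!
! 3. Confirm the entry is gone.
show conn protocol tcp
```

Both forms are host-wide: every session of that host is reset, not only the one on port 5190, so check show conn for collateral sessions before clearing a busy host.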
 
thanks for that reply...

building upon that, I am now trying to check out packets inbound and outbound on ports 5190 (AOL), 5050 (Yahoo), and MSN. I have created an access-list for 'permitting' a particular host to connect outbound to 'any' or "0.0.0.0". I have even tried to set an access rule for it to the particular host I see an existing connection to in 'show conn'.

However, when I create my capture rule:

"capture aol access-list inside_access_in ethernet-type 5190 interface inside" (I have also tried it with 'interface outside')

...I don't seem to be catching the packets. I just get "0 packet captured", "0 packet shown". I have a feeling that I might not have my access rule set up correctly, but I am not sure.
 
Post your access-lists; also do a sh access-list ACLNAME on your PIX to make sure they are getting hit.
 
For the connection I wish to capture:

access-list inside_access_in line 1 permit tcp host DCorwin host 64.12.25.132 (hitcnt=0)

Basically this ACL was set to allow ALL outgoing traffic from this host and was put in place so I would then be able to use capture to monitor port 5190 etc...

using show conn I see the following:

TCP out 64.12.25.132:5190 in DCorwin:1164 idle 0:01:44 Bytes 78340 flags UIO

Any help would be much appreciated!
 
and here's my capture rules:

capture aol access-list inside_access_in ethernet-type 5190 interface outside
capture aol2 access-list inside_access_in ethernet-type 5190 interface inside

As you can see, I am trying on both interfaces. Again, I'm a total NOOB with PIX, so go easy on me :)

 
Ok, it looks like your ACL is not getting hit. That's what this means: (hitcnt=0). You probably have another ACL letting the traffic pass through, or the traffic is not using TCP. Look at your access-list from top to bottom and see where the hit counts are going. If you post them it would be much easier.
 
Will do... and thanks for that bit on the (hitcnt=0)... wasn't sure what that part of it meant, and it looks like that would explain a lot in this case.

I'll post back...
 
Okay, I've made some progress here, but in the process managed to overload my PIX by what appears to be doing a capture on all traffic, and when trying to dump it, had to kill the connection.

Anyway, I have been noticing some things on my access-lists..

If I use the PDM to create a rule, it automatically calls the ruleset

inside_access_in line 1
inside_access_in line 2 and so on...

I don't appear to have the ability to create a rule using any name other than this. So, when I create, say, a rule from the CLI and call it yahoo or something like that, it automatically places it on the last line. Enough about that though:

Would the following capture command work for traffic on only port 5050 using the following ACL?

ACL
access-list inside_access_in line 1 permit ip host 10.100.2.100 any

CAPTURE
capture yahoo access-list inside_access_in ethernet-type 5050 interface inside

I tried this before, but it appears it shows all connectivity on this particular host and not just port 5050 packets. BTW, the hitcnt on this is definitely moving up with every bit of internet usage this host attempts.

Thoughts?
 
Try it like this:

access-list inside_access_in permit tcp host 10.100.2.100 any eq 5050
capture yahoo access-list inside_access_in interface inside

Not too sure, but I think the access-list doesn't have to be applied to an interface. Because you are defining IP in your access-list you are most likely going to pick up everything. If you define what you want in your ACL you should be good. If you still wanted 5190, just add an additional ACL for that port, either tcp or udp.
 
Okay, the ACL works correctly it seems; however, in order to get the ACL to the top of my list, I needed to specify 'line 1', which does indeed place it at the top.

I set up the capture as well, but there doesn't appear to be a way to specify which ACL for 'inside_access_in' that I want to capture, so it captures every ACL under 'inside_access_in', which is quite the dump.

So, it's working, but I just need to figure out how to fine tune the capture to see information from only the 'line 1' ACL and not any others.
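The capture command binds to a whole access-list, not to one line of it, which is the problem the last post runs into. The standard fix, shown here as an added example that is not from any poster, is a separate ACL that exists only to filter the capture: it is never bound to an interface with access-group, so it changes nothing about what the PIX permits, and the enforcement ACL inside_access_in is left alone. It assumes PIX 6.2 capture syntax and reuses the host 10.100.2.100 and port 5050 from the thread; the ACL name cap_yahoo and the buffer size are chosen here. Note also that ethernet-type selects the Ethernet frame type (ip, arp, vlan, or a numeric EtherType), not a TCP port, which is why "ethernet-type 5190" earlier in the thread matched nothing.

```cisco
! Added example, not from any poster. Assumes PIX 6.2 capture syntax.
! 1. A capture-only ACL (name chosen here). Both directions are listed
!    because the capture sees the return packets too. No access-group
!    line follows, so this ACL never affects forwarding decisions.
access-list cap_yahoo permit tcp host 10.100.2.100 any eq 5050
access-list cap_yahoo permit tcp any eq 5050 host 10.100.2.100
!
! 2. Bind the capture to that ACL only. On the inside interface the
!    addresses are pre-NAT, so the inside host address matches as written.
!    buffer caps memory use (a full buffer simply stops capturing) and
!    packet-length keeps whole Ethernet frames rather than the default
!    truncation.
capture yahoo access-list cap_yahoo buffer 512000 packet-length 1518 interface inside
!
! 3. Inspect the buffer; "detail" adds TCP flags and sequence numbers.
show capture yahoo
show capture yahoo detail
!
! 4. Empty the buffer between runs, and remove the capture when done so
!    it does not keep consuming memory.
clear capture yahoo
no capture yahoo
```

For a second port (5190 for AOL, as earlier in the thread) add a second capture-only ACL and a second capture line with its own name rather than widening cap_yahoo, so each capture stays readable. Keeping capture filters in their own ACLs also means a later edit to inside_access_in cannot silently change what is being captured.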

 