Network Management: Cisco PIX 500 Series Security Appliances

Monitoring the Cisco Secure PIX Firewall Using SNMP and Syslog Through a VPN Tunnel

October 24, 2016 (machine translation of the English version dated August 22, 2015)


Introduction

The Cisco Secure PIX Firewall is commonly used in site-to-site VPN deployments in which the PIX is the IPsec VPN termination device. In a simple site-to-site design, or in a more complex hub-and-spoke design, it is often desirable to have a Simple Network Management Protocol (SNMP) server and a syslog server at the central site monitor all of the PIX Firewalls.

Note: To configure PIX 7.x to use SNMP and syslog through a VPN tunnel, refer to PIX/ASA 7.x Configuration Example with Syslog.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco PIX Firewall Software Release 6.3(3)

  • PIX Firewall 520 and 515

  • A Solaris system running HPOV 6.1 as the SNMP and syslog server

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Information

For general information on how to monitor the Cisco Secure PIX Firewall with SNMP, refer to Using the Cisco Secure PIX Firewall with SNMP.

For general information on how to set up syslog on the Cisco Secure PIX Firewall, refer to Setting Up PIX Syslog.

These are the goals of this sample configuration:

  • Encrypt traffic between the 10.99.99.x and 172.18.124.x networks. This includes the syslog and SNMP traffic between the 10.99.99.x network and the 172.18.124.112 SNMP/syslog server.

  • Have both PIX Firewalls send syslog messages to the SNMP/syslog server.

  • Allow the SNMP/syslog server to poll both PIX Firewalls with SNMP queries, and have both PIX Firewalls send SNMP traps to the SNMP/syslog server.

Configure

This sample configuration shows how to monitor the Cisco Secure PIX Firewall with SNMP and syslog over an existing VPN tunnel. Note that the remote PIX sends its syslog and SNMP traffic from, and is polled on, its outside interface address (192.168.1.2). The LAN-to-LAN entry in the crypto access list covers only hosts behind the PIX, so each side also needs host entries for that outside address and the management server; otherwise the monitoring traffic to and from the remote PIX itself travels outside the tunnel.

Network Diagram

This document uses this network setup:

http://www.cisco.com/c/dam/en/us/support/docs/security/pix-500-series-security-appliances/4094-pix-vpn-4094a-1.gif

Configurations

This document uses these configurations:

Local PIX Firewall (PIX 520)
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password OnTrBUG1Tp0edmkr encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-520b
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names

!--- This access control list (ACL) defines IPsec interesting traffic.
!--- This line covers traffic between the LAN segment behind two PIXes.
!--- It also includes the SNMP/syslog traffic between the SNMP/syslog server
!--- and the network devices located on the Ethernet segment behind the PIX 515.

access-list 101 permit ip 172.18.124.0 255.255.255.0 10.99.99.0 255.255.255.0

!--- These lines cover SNMP (TCP/UDP port - 161), SNMP TRAPS(TCP/UDP port - 162) and 
!--- syslog traffic (UDP port - 514) from SNMP/syslog server to the 
!--- outside interface of the remote PIX.
 
access-list 101 permit tcp host 172.18.124.112 host 192.168.1.2 eq 161
access-list 101 permit udp host 172.18.124.112 host 192.168.1.2 eq 161
access-list 101 permit tcp host 172.18.124.112 host 192.168.1.2 eq 162
access-list 101 permit udp host 172.18.124.112 host 192.168.1.2 eq 162
access-list 101 permit udp host 172.18.124.112 host 192.168.1.2 eq 514
pager lines 24
logging on
logging trap debugging
logging history debugging

!--- Define logging host information.

logging facility 16
logging host inside 172.18.124.112
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 172.18.124.211 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.4

!--- Bypass NAT for IPsec traffic.

nat (inside) 0 access-list 101
!--- These conduits admit any TCP, UDP and ICMP traffic from lower-security
!--- interfaces. They are lab-only settings; they are not needed for the tunnel
!--- or for the monitoring traffic, which sysopt connection permit-ipsec admits.

conduit permit udp any any 
conduit permit tcp any any 
conduit permit icmp any any 
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius
http server enable
http 172.18.124.112 255.255.255.255 inside

!--- Define SNMP configuration. The community string "test" is the only
!--- authentication for SNMPv1/v2c and is sent in clear text: for the remote PIX
!--- it crosses the VPN, for this local PIX it travels unencrypted on the inside
!--- LAN. Use a non-guessable string and list only the management station as host.

snmp-server host inside 172.18.124.112
no snmp-server location
no snmp-server contact
snmp-server community test
snmp-server enable traps
floodguard enable

!--- IPsec configuration. These are the original lab settings; DES, MD5 and
!--- Diffie-Hellman group 1 are all considered weak today.

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac 
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 192.168.1.2
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:03b5bc406e18006616ffbaa32caeccd1
: end

Remote PIX Firewall (PIX 515)
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password OnTrBUG1Tp0edmkr encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX515A
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names

!--- This ACL defines IPsec interesting traffic.
!--- This line covers traffic between the LAN segment behind two PIXes.
!--- It also covers the SNMP/syslog traffic between the SNMP/syslog server
!--- and the network devices located on the Ethernet segment behind PIX 515.

access-list 101 permit ip 10.99.99.0 255.255.255.0 172.18.124.0 255.255.255.0

 
!--- These lines cover SNMP (TCP/UDP port - 161), SNMP TRAPS (TCP/UDP port - 162) and 
!--- syslog traffic (UDP port - 514) sent from this PIX outside interface 
!--- to the SYSLOG server.

access-list 101 permit tcp host 192.168.1.2 host 172.18.124.112 eq 161 
access-list 101 permit udp host 192.168.1.2 host 172.18.124.112 eq 161
access-list 101 permit tcp host 192.168.1.2 host 172.18.124.112 eq 162
access-list 101 permit udp host 192.168.1.2 host 172.18.124.112 eq 162
access-list 101 permit udp host 192.168.1.2 host 172.18.124.112 eq 514

pager lines 24
logging on
logging timestamp
logging monitor debugging
logging trap debugging
logging history debugging

!--- Define syslog server.

logging facility 23
logging host outside 172.18.124.112
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.99.99.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.3

!--- Bypass NAT for IPsec traffic.

nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
http server enable
http 10.99.99.99 255.255.255.255 inside

!--- Define SNMP server.

snmp-server host outside 172.18.124.112
no snmp-server location
no snmp-server contact
snmp-server community test
snmp-server enable traps
floodguard enable

!--- IPsec configuration.

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac 
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 192.168.1.1
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.1 netmask 255.255.255.255 
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:edb21b64ab79eeb6eaf99746c94a1e36
: end
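The two access-list 101 definitions must describe the same traffic seen from opposite ends, and the same list drives nat (inside) 0 so that tunnelled traffic is exempt from NAT. What follows is an added Python example, not part of the Cisco document: it parses the PIX 6.x access-list lines (the twelve entries above, copied in as constructed input), answers whether a given flow is interesting traffic for the crypto map, and reports address-level mirror gaps between the two sides. The flow matcher treats eq as the destination port; the mirror check deliberately compares only protocol and addresses, because the proxy identities negotiated in the show crypto ipsec sa output later on this page are per host with protocol and port 0.

```python
# Added example (not from the Cisco document): evaluate PIX 6.x crypto ACLs.
# The ACL text below is copied from the two configurations on this page.
import ipaddress

LOCAL_PIX_ACL = """
access-list 101 permit ip 172.18.124.0 255.255.255.0 10.99.99.0 255.255.255.0
access-list 101 permit tcp host 172.18.124.112 host 192.168.1.2 eq 161
access-list 101 permit udp host 172.18.124.112 host 192.168.1.2 eq 161
access-list 101 permit tcp host 172.18.124.112 host 192.168.1.2 eq 162
access-list 101 permit udp host 172.18.124.112 host 192.168.1.2 eq 162
access-list 101 permit udp host 172.18.124.112 host 192.168.1.2 eq 514
"""

REMOTE_PIX_ACL = """
access-list 101 permit ip 10.99.99.0 255.255.255.0 172.18.124.0 255.255.255.0
access-list 101 permit tcp host 192.168.1.2 host 172.18.124.112 eq 161
access-list 101 permit udp host 192.168.1.2 host 172.18.124.112 eq 161
access-list 101 permit tcp host 192.168.1.2 host 172.18.124.112 eq 162
access-list 101 permit udp host 192.168.1.2 host 172.18.124.112 eq 162
access-list 101 permit udp host 192.168.1.2 host 172.18.124.112 eq 514
"""


def _parse_addr(tok, i):
    """Consume one PIX address spec at tok[i]: 'any', 'host A', or 'A MASK'
    (PIX 6.x ACLs use subnet masks, not wildcard masks). Returns (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines into dicts."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i + 1 < len(tok) and tok[i] == "eq" else None
        aces.append({"name": tok[1], "action": tok[2], "proto": tok[3],
                     "src": src, "dst": dst, "dport": dport})
    return aces


def is_interesting(aces, src_ip, dst_ip, proto, dport=None):
    """First-match evaluation as the crypto map applies it: True means the flow is
    encrypted (and, through nat 0, exempt from NAT); no match means it leaves in the clear."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False


def mirror_gaps(aces_a, aces_b):
    """(proto, src, dst) permit triples on one side whose reverse (proto, dst, src)
    is missing on the other side. Returns (missing_on_b, missing_on_a)."""
    def keys(aces):
        return {(a["proto"], str(a["src"]), str(a["dst"]))
                for a in aces if a["action"] == "permit"}
    ka, kb = keys(aces_a), keys(aces_b)
    return (sorted(k for k in ka if (k[0], k[2], k[1]) not in kb),
            sorted(k for k in kb if (k[0], k[2], k[1]) not in ka))


if __name__ == "__main__":
    local, remote = parse_acl(LOCAL_PIX_ACL), parse_acl(REMOTE_PIX_ACL)
    print("syslog from remote PIX outside address encrypted:",
          is_interesting(remote, "192.168.1.2", "172.18.124.112", "udp", 514))
    print("SNMP poll of remote PIX encrypted:",
          is_interesting(local, "172.18.124.112", "192.168.1.2", "udp", 161))
    print("mirror gaps:", mirror_gaps(local, remote))
```

A flow from the management server to the remote PIX on a port other than 161, 162 or 514 (an SSH session to 192.168.1.2, for example) matches nothing and crosses the outside segment unencrypted; add a host entry on both sides before relying on the tunnel for it.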

SNMP and Syslog Server Setup Information

HPOV 6.1 is used as the SNMP server application.

The syslog daemon (syslogd) is used to collect the syslog messages; messages from the local and remote PIX are written to different files according to the logging facility configured on each PIX Firewall.

The /etc/syslog.conf file contains:

local0.debug /var/log/local.log 
local7.debug /var/log/remote.log 

Classic Solaris syslogd requires a tab, not spaces, between the selector and the file name. The .debug level in each selector matches the logging trap debugging setting on both PIX Firewalls, so every message the PIX sends is written.

In the local PIX configuration, logging facility 16 corresponds to LOCAL0.

In the remote PIX configuration, logging facility 23 corresponds to LOCAL7.
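Added example, not part of the Cisco document: the arithmetic behind the facility mapping above and a small model of the syslog.conf routing. A PIX message of severity s sent with logging facility f carries PRI = f*8 + s in the datagram; a selector localN.level accepts it when the facility matches and the severity is at least as important (numerically no greater) than level. The syslog.conf copy and the two log lines inside the block are constructed to match the excerpts on this page.

```python
# Added example (not from the Cisco document): PIX syslog facility/severity math
# and syslog.conf routing for the two PIX Firewalls configured above.
import re

FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}  # PIX 'logging facility 16..23'
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PIX_MSG_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$")

# Same content as the /etc/syslog.conf excerpt above (constructed copy, tab-separated).
SYSLOG_CONF = """
local0.debug\t/var/log/local.log
local7.debug\t/var/log/remote.log
"""

# Constructed lines in the shape of the remote.log / local.log excerpts on this page.
REMOTE_LINE = "Oct 11 22:28:08 192.168.1.2 Oct 11 2001 18:08:01: %PIX-6-302010: 0 in use, 4 most used"
LOCAL_LINE = "Oct 11 22:54:26 [172.18.124.211.2.2] %PIX-6-302010: 0 in use, 9 most used"


def syslog_pri(facility, severity):
    """PRI value (RFC 3164) carried as <PRI> at the start of the datagram."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def parse_pix_message(line):
    """Severity, message ID and text from a line carrying a %PIX-s-nnnnnn header."""
    m = PIX_MSG_RE.search(line)
    if m is None:
        return None
    return {"severity": int(m["sev"]), "msg_id": m["id"], "text": m["text"]}


def parse_syslog_conf(text):
    """Parse 'localN.level<tab>/path' lines into (facility_code, max_severity, path)."""
    codes = {name: code for code, name in FACILITY_NAMES.items()}
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, path = line.split(None, 1)
        fac_name, level = selector.split(".")
        if fac_name not in codes:
            raise ValueError(f"only local0..local7 selectors are handled here: {fac_name}")
        rules.append((codes[fac_name], SEVERITY_NAMES.index(level), path.strip()))
    return rules


def route_message(pix_facility, line, rules):
    """Files syslogd writes a PIX message to: the facility must match the selector and
    the message severity must be numerically <= the selector level."""
    msg = parse_pix_message(line)
    if msg is None:
        return []
    fac, sev = divmod(syslog_pri(pix_facility, msg["severity"]), 8)
    return [path for rule_fac, max_sev, path in rules if rule_fac == fac and sev <= max_sev]


if __name__ == "__main__":
    rules = parse_syslog_conf(SYSLOG_CONF)
    print(syslog_pri(23, 6), route_message(23, REMOTE_LINE, rules))  # remote PIX, facility 23
    print(syslog_pri(16, 6), route_message(16, LOCAL_LINE, rules))   # local PIX, facility 16
```

Change a selector to local7.err and the severity-6 messages from the remote PIX are silently discarded, which is the usual reason a PIX appears to stop logging after a syslog.conf edit.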

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: The clear commands must be executed in configuration mode.

  • clear crypto ipsec sa - Resets the IPsec security associations after failed attempts to negotiate a VPN tunnel.

  • clear crypto isakmp sa - Resets the Internet Security Association and Key Management Protocol (ISAKMP) security associations after failed attempts to negotiate a VPN tunnel.

  • show crypto engine ipsec - Displays the encrypted sessions.

Troubleshoot

Troubleshooting Commands

The Output Interpreter Tool (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.

  • debug crypto ipsec - Used to see whether the peers negotiate the IPsec portion of the VPN connection.

  • debug crypto isakmp - Used to see whether the peers negotiate the ISAKMP portion of the VPN connection.

Sample Debug Output

SNMP Output

This example shows how snmpwalk is used to monitor buffer usage on the two PIX Firewalls. The object identifier (OID) for the buffer statistics is:

"cfwBufferStatsTable"     "1.3.6.1.4.1.9.9.147.1.2.2.1"
  • Monitor the remote PIX Firewall:

    Script started on Tue Oct 09 21:53:54 2001
    # ./snmpwalk -c test 192.168.1.2 1.3.6.1.4.1.9.9.147.1.2.2.1
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.4.3 : OCTET STRING- (ascii):  
    maximum number of allocated 4 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.
    cfwBufferStatsEntry.cfwBufferStatInformation.4.5 : 
    OCTET STRING- (ascii):  fewest 4 byte blocks available since 
    system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.4.8 : OCTET STRING- (ascii):  
    current number of available 4 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.80.3 : OCTET STRING- (ascii): 
    maximum number of allocated 80 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.80.5 : OCTET STRING- (ascii): 
    fewest 80 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.80.8 : OCTET STRING- (ascii): 
    current number of available 80 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.256.3 : OCTET STRING- (ascii):        
    maximum number of allocated 256 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.256.5 : OCTET STRING- (ascii):        
    fewest 256 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.256.8 : OCTET STRING- (ascii):        
    current number of available 256 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.1550.3 : OCTET STRING- (ascii):       
    maximum number of allocated 1550 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.1550.5 : OCTET STRING- (ascii):       
    fewest 1550 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.1550.8 : OCTET STRING- (ascii):       
    current number of available 1550 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.2560.3 : OCTET STRING- (ascii):      
    maximum number of allocated 2560 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.2560.5 : OCTET STRING- (ascii):       
    fewest 2560 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.2560.8 : OCTET STRING- (ascii):       
    current number of available 2560 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.4.3 : Gauge32: 1600
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.4.5 : Gauge32: 1599
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.4.8 : Gauge32: 1600
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.80.3 : Gauge32: 400
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.80.5 : Gauge32: 399
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.80.8 : Gauge32: 400
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.256.3 : Gauge32: 750
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.256.5 : Gauge32: 746
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.256.8 : Gauge32: 749
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.1550.3 : Gauge32: 1956
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.1550.5 : Gauge32: 1166
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.1550.8 : Gauge32: 1188
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.2560.3 : Gauge32: 200
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.2560.5 : Gauge32: 196
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.2560.8 : Gauge32: 199
  • Monitor the local PIX Firewall:

    Script started on Tue Oct 09 21:54:53 2001
    # ./snmpwalk -c test 172.18.124.211  1.3.6.1.4.1.9.9.147.1.2.2.1
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.4.3 : OCTET STRING- (ascii):  
    maximum number of allocated 4 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.4.5 : OCTET STRING- (ascii):  
    fewest 4 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.4.8 : OCTET STRING- (ascii):  
    current number of available 4 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.80.3 : OCTET STRING- (ascii): 
    maximum number of allocated 80 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.80.5 : OCTET STRING- (ascii): 
    fewest 80 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.80.8 : OCTET STRING- (ascii): 
    current number of available 80 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.256.3 : OCTET STRING- (ascii):        
    maximum number of allocated 256 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.256.5 : OCTET STRING- (ascii):        
    fewest 256 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.256.8 : OCTET STRING- (ascii):        
    current number of available 256 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.1550.3 : OCTET STRING- (ascii):       
    maximum number of allocated 1550 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.1550.5 : OCTET STRING- (ascii):       
    fewest 1550 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.1550.8 : OCTET STRING- (ascii):       
    current number of available 1550 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.2560.3 : OCTET STRING- (ascii):       
    maximum number of allocated 2560 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.2560.5 : OCTET STRING- (ascii):       
    fewest 2560 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.2560.8 : OCTET STRING- (ascii):       
    current number of available 2560 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.4.3 : Gauge32: 1600
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.4.5 : Gauge32: 1599
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.4.8 : Gauge32: 1600
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.80.3 : Gauge32: 400
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.80.5 : Gauge32: 397
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.80.8 : Gauge32: 400
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.256.3 : Gauge32: 1500
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.256.5 : Gauge32: 1497
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.256.8 : Gauge32: 1499
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.1550.3 : Gauge32: 2468
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.1550.5 : Gauge32: 1686
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.1550.8 : Gauge32: 1700
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.2560.3 : Gauge32: 200
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.2560.5 : Gauge32: 198
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.2560.8 : Gauge32: 199

show block Command

The snmpwalk output for the cfw buffer statistics table corresponds to this show command on the remote PIX. MAX is the maximum number of blocks of that size ever allocated, LOW the fewest blocks free since startup (the low-water mark), and CNT the number currently free.

PIX-515A#show block
  SIZE    MAX    LOW    CNT
     4   1600   1599   1600
    80    400    399    400
   256    750    746    749
  1550   1956   1166   1188
  2560    200    196    199

The snmpwalk output for the cfw buffer statistics table corresponds to this show command on the local PIX.

PIX-520B#show block
  SIZE    MAX    LOW    CNT
     4   1600   1599   1600
    80    400    397    400
   256   1500   1497   1499
  1550   2468   1686   1700
  2560    200    198    199
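Added example, not part of the Cisco document: a parser that turns a cfwBufferStatsTable walk into the SIZE/MAX/LOW/CNT table above and flags pools whose low-water mark shows they ran out of free blocks. The snmpwalk text inside the block is a constructed excerpt in the format of the output above (two block sizes, values from the remote PIX listing). Instead of hard-coding what type index 3, 5 and 8 mean, it reads the cfwBufferStatInformation rows, which describe each index, and joins them with the matching cfwBufferStatValue gauges.

```python
# Added example (not from the Cisco document): turn a cfwBufferStatsTable walk into
# the SIZE/MAX/LOW/CNT table that `show block` prints, and flag depleted pools.
import re

# Constructed excerpt in the shape of the snmpwalk output on this page (two block
# sizes, values from the remote PIX). Real output wraps OID names across lines.
SNMPWALK_SAMPLE = """\
cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
cfwBufferStatInformation.4.3 : OCTET STRING- (ascii):
maximum number of allocated 4 byte blocks
cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
cfwBufferStatInformation.4.5 : OCTET STRING- (ascii):  fewest 4 byte blocks available since
system startup
cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.cfwBufferStatInformation.4.8 : OCTET STRING- (ascii):  current number of available 4 byte blocks
cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.cfwBufferStatInformation.1550.3 : OCTET STRING- (ascii):  maximum number of allocated 1550 byte blocks
cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.cfwBufferStatInformation.1550.5 : OCTET STRING- (ascii):  fewest 1550 byte blocks available since system startup
cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.cfwBufferStatInformation.1550.8 : OCTET STRING- (ascii):  current number of available 1550 byte blocks
cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
cfwBufferStatValue.4.3 : Gauge32: 1600
cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
cfwBufferStatValue.4.5 : Gauge32: 1599
cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.cfwBufferStatValue.4.8 : Gauge32: 1600
cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.cfwBufferStatValue.1550.3 : Gauge32: 1956
cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.cfwBufferStatValue.1550.5 : Gauge32: 1166
cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.cfwBufferStatValue.1550.8 : Gauge32: 1188
"""

INFO_RE = re.compile(r"cfwBufferStatInformation\.(\d+)\.(\d+)\s*:\s*OCTET STRING- \(ascii\):"
                     r"\s*(.+?)\s*(?=cisco\.ciscoMgmt|$)")
VALUE_RE = re.compile(r"cfwBufferStatValue\.(\d+)\.(\d+)\s*:\s*Gauge32:\s*(\d+)")


def _column(description):
    """Map the MIB's description of a type index onto a `show block` column."""
    d = description.lower()
    if d.startswith("maximum number of allocated"):
        return "MAX"
    if d.startswith("fewest"):
        return "LOW"
    if d.startswith("current number of available"):
        return "CNT"
    return None


def parse_buffer_stats(text):
    """Join cfwBufferStatInformation (meaning of each type index) with the matching
    cfwBufferStatValue gauge on (size, type). Returns {size: {"MAX", "LOW", "CNT"}}."""
    flat = " ".join(line.strip() for line in text.splitlines())
    columns = {}
    for size, typ, desc in INFO_RE.findall(flat):
        col = _column(desc)
        if col:
            columns[(int(size), int(typ))] = col
    table = {}
    for size, typ, value in VALUE_RE.findall(flat):
        col = columns.get((int(size), int(typ)))
        if col:
            table.setdefault(int(size), {})[col] = int(value)
    return table


def format_show_block(table):
    """Render the table in the layout of the PIX `show block` command."""
    lines = [f"{'SIZE':>6} {'MAX':>6} {'LOW':>6} {'CNT':>6}"]
    for size in sorted(table):
        row = table[size]
        lines.append(f"{size:>6} {row.get('MAX', 0):>6} {row.get('LOW', 0):>6} {row.get('CNT', 0):>6}")
    return "\n".join(lines)


def depleted_pools(table, min_free_ratio=0.10):
    """Block sizes whose low-water mark fell to min_free_ratio of the pool or below.
    A LOW of 0 means that pool was exhausted at least once since boot."""
    return sorted(size for size, row in table.items()
                  if row.get("MAX") and "LOW" in row and row["LOW"] <= row["MAX"] * min_free_ratio)


if __name__ == "__main__":
    stats = parse_buffer_stats(SNMPWALK_SAMPLE)
    print(format_show_block(stats))
    print("depleted pools:", depleted_pools(stats))
```

Polling LOW rather than CNT is what matters for alerting: CNT recovers as soon as a burst ends, while LOW keeps the evidence that the 1550-byte pool (which carries full-size packets) hit bottom.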

Verify the IPsec Tunnel

  • Remote show crypto ipsec sa

    PIX515A#show crypto ipsec sa 
    
    
    interface: outside
        Crypto map tag: vpn, local addr. 192.168.1.2
    
       local  ident (addr/mask/prot/port): (10.99.99.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (172.18.124.0/255.255.255.0/0/0)
       current_peer: 192.168.1.1
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 1962, #pkts encrypt: 1962, #pkts digest 1962
        #pkts decaps: 1963, #pkts decrypt: 1963, #pkts verify 1963
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, 
        #pkts decompress failed: 0
        #send errors 0, #recv errors 0
    
         local crypto endpt.: 192.168.1.2, remote crypto endpt.: 
            192.168.1.1
         path mtu 1500, ipsec overhead 56, media mtu 1500
         current outbound spi: 3411a392
    
         inbound esp sas:
          spi: 0x554ad733(1430968115)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 4, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4608000/28472)
            IV size: 8 bytes
            replay detection support: Y
          spi: 0x63a866ca(1671980746)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4607747/27373)
            IV size: 8 bytes
            replay detection support: Y
    
    
         inbound ah sas:
    
    
         inbound pcp sas:
    
    
         outbound esp sas:
          spi: 0x3411a392(873571218)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 3, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4608000/28463)
            IV size: 8 bytes
            replay detection support: Y
          spi: 0x7523ba4a(1965275722)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 1, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4607798/27366)
            IV size: 8 bytes
            replay detection support: Y
    
    
         outbound ah sas:
    
    
         outbound pcp sas:
    
    
    
       local  ident (addr/mask/prot/port): 
          (192.168.1.2/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): 
          (172.18.124.112/255.255.255.255/0/0)
       current_peer: 192.168.1.1
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 26, #pkts encrypt: 26, #pkts digest 26
        #pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, 
        #pkts decompress failed: 0
        #send errors 12, #recv errors 0
    
         local crypto endpt.: 192.168.1.2, remote crypto endpt.: 
            192.168.1.1
         path mtu 1500, ipsec overhead 56, media mtu 1500
         current outbound spi: 326421ac
    
         inbound esp sas:
          spi: 0x6eeec108(1861140744)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 6, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4608000/28159)
            IV size: 8 bytes
            replay detection support: Y
    
    
         inbound ah sas:
    
    
         inbound pcp sas:
    
       outbound esp sas:
          spi: 0x326421ac(845423020)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 5, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4607994/28159)
            IV size: 8 bytes
            replay detection support: Y
    
    
         outbound ah sas:
    
    
         outbound pcp sas:
  • Local show crypto ipsec sa

    PIX-520B#show crypto ipsec sa 
    
    interface: outside
        Crypto map tag: vpn, local addr. 192.168.1.1
    
       local  ident (addr/mask/prot/port): (172.18.124.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.99.99.0/255.255.255.0/0/0)
       current_peer: 192.168.1.2
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 4169, #pkts encrypt: 4169, #pkts digest 4169
        #pkts decaps: 4168, #pkts decrypt: 4168, #pkts verify 4168
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, 
        #pkts decompress failed: 0
        #send errors 2, #recv errors 0
    
         local crypto endpt.: 192.168.1.1, remote crypto endpt.: 
            192.168.1.2
         path mtu 1500, ipsec overhead 56, media mtu 1500
         current outbound spi: 63a866ca
    
         inbound esp sas:
          spi: 0x7523ba4a(1965275722)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 4, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4607560/28160)
            IV size: 8 bytes
            replay detection support: Y
    
    
         inbound ah sas:
    
    
         inbound pcp sas:
    
    
         outbound esp sas:
          spi: 0x63a866ca(1671980746)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 3, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4607705/28151)
            IV size: 8 bytes
            replay detection support: Y
    
    
         outbound ah sas:
    
    
         outbound pcp sas:
    
    
    
       local  ident (addr/mask/prot/port): 
          (172.18.124.112/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): 
          (192.168.1.2/255.255.255.255/0/0)
       current_peer: 192.168.1.2
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 8, #pkts encrypt: 8, #pkts digest 8
        #pkts decaps: 32, #pkts decrypt: 32, #pkts verify 32
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, 
        #pkts decompress failed: 0
        #send errors 0, #recv errors 0
    
         local crypto endpt.: 192.168.1.1, remote crypto endpt.: 
            192.168.1.2
         path mtu 1500, ipsec overhead 56, media mtu 1500
         current outbound spi: 6eeec108
    
         inbound esp sas:
          spi: 0x326421ac(845423020)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4607993/27715)
            IV size: 8 bytes
            replay detection support: Y
    
    
         inbound ah sas:
    
    
         inbound pcp sas:
    
    
         outbound esp sas:
          spi: 0x6eeec108(1861140744)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 1, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4608000/27706)
            IV size: 8 bytes
            replay detection support: Y
    
    
         outbound ah sas:
    
    
         outbound pcp sas:
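Added example, not part of the Cisco document: a parser for show crypto ipsec sa output that produces one record per proxy-identity pair and applies the checks an operator otherwise makes by eye: an ESP SA present in both directions, encaps and decaps both advancing, zero send/receive errors, and a lifetime not about to expire. The excerpt inside the block is constructed from the remote PIX output above, including the 12 send errors on the SNMP/syslog host pair, which the health check reports.

```python
# Added example (not from the Cisco document): parse `show crypto ipsec sa` into
# one record per proxy-identity pair and report tunnel health.
import re

# Constructed excerpt in the shape of the remote PIX output on this page; lines the
# checks do not need are omitted.
SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: vpn, local addr. 192.168.1.2

   local  ident (addr/mask/prot/port): (10.99.99.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.18.124.0/255.255.255.0/0/0)
   current_peer: 192.168.1.1
    #pkts encaps: 1962, #pkts encrypt: 1962, #pkts digest 1962
    #pkts decaps: 1963, #pkts decrypt: 1963, #pkts verify 1963
    #send errors 0, #recv errors 0
     current outbound spi: 3411a392
     inbound esp sas:
      spi: 0x554ad733(1430968115)
        sa timing: remaining key lifetime (k/sec): (4608000/28472)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x3411a392(873571218)
        sa timing: remaining key lifetime (k/sec): (4608000/28463)
     outbound ah sas:
     outbound pcp sas:

   local  ident (addr/mask/prot/port):
      (192.168.1.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port):
      (172.18.124.112/255.255.255.255/0/0)
   current_peer: 192.168.1.1
    #pkts encaps: 26, #pkts encrypt: 26, #pkts digest 26
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
    #send errors 12, #recv errors 0
     current outbound spi: 326421ac
     inbound esp sas:
      spi: 0x6eeec108(1861140744)
        sa timing: remaining key lifetime (k/sec): (4608000/28159)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x326421ac(845423020)
        sa timing: remaining key lifetime (k/sec): (4607994/28159)
     outbound ah sas:
     outbound pcp sas:
"""

IDENT = r"ident \(addr/mask/prot/port\):\s*\(([^)]+)\)"


def parse_ipsec_sa(text):
    """One dict per 'local ident' block. Lines are joined first so that identities
    wrapped onto the next line (as the PIX prints them) are still matched."""
    flat = " ".join(line.strip() for line in text.splitlines())
    entries = []
    for chunk in re.split(r"(?=local\s+ident \(addr/mask/prot/port\))", flat)[1:]:
        def grab(pattern, default=None, conv=str):
            m = re.search(pattern, chunk)
            return conv(m.group(1)) if m else default
        inbound = re.search(r"inbound esp sas:(.*?)inbound ah sas:", chunk)
        outbound = re.search(r"outbound esp sas:(.*?)outbound ah sas:", chunk)
        lifetimes = re.findall(r"remaining key lifetime \(k/sec\): \(\d+/(\d+)\)", chunk)
        entries.append({
            "local": grab(r"local\s+" + IDENT),
            "remote": grab(r"remote\s+" + IDENT),
            "peer": grab(r"current_peer:\s*(\S+)"),
            "encaps": grab(r"#pkts encaps:\s*(\d+)", 0, int),
            "decaps": grab(r"#pkts decaps:\s*(\d+)", 0, int),
            "send_errors": grab(r"#send errors\s+(\d+)", 0, int),
            "recv_errors": grab(r"#recv errors\s+(\d+)", 0, int),
            "inbound_spis": re.findall(r"spi: 0x([0-9a-f]+)", inbound.group(1)) if inbound else [],
            "outbound_spis": re.findall(r"spi: 0x([0-9a-f]+)", outbound.group(1)) if outbound else [],
            "min_lifetime_sec": min((int(s) for s in lifetimes), default=None),
        })
    return entries


def sa_health(entries, rekey_warn_sec=300):
    """Warnings per proxy pair: missing SA direction, one-way traffic, errors, imminent expiry."""
    warnings = []
    for e in entries:
        pair = f"{e['local']} <-> {e['remote']}"
        if not e["inbound_spis"] or not e["outbound_spis"]:
            warnings.append(f"{pair}: no ESP SA in one direction")
        if e["encaps"] and not e["decaps"]:
            warnings.append(f"{pair}: packets sent but none received (one-way tunnel?)")
        if e["send_errors"] or e["recv_errors"]:
            warnings.append(f"{pair}: {e['send_errors']} send errors, {e['recv_errors']} recv errors")
        if e["min_lifetime_sec"] is not None and e["min_lifetime_sec"] < rekey_warn_sec:
            warnings.append(f"{pair}: SA lifetime expires in {e['min_lifetime_sec']} s")
    return warnings


if __name__ == "__main__":
    sas = parse_ipsec_sa(SHOW_CRYPTO_IPSEC_SA)
    for e in sas:
        print(e["local"], "<->", e["remote"], "encaps", e["encaps"], "decaps", e["decaps"])
    print(sa_health(sas))
```

Run against a captured session log after a clear crypto ipsec sa, the counters restart from zero, so compare two samples a minute apart to see whether encaps and decaps are actually moving rather than just non-zero.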

Syslog Output

  • Remote syslog output:

    #more /var/log/remote.log
    
    Oct 11 22:28:08 192.168.1.2 Oct 11 2001 18:08:01: %PIX-6-302010: 
    0 in use, 4 most used
    Oct 11 22:28:08 192.168.1.2 Oct 11 2001 18:08:01: %PIX-6-302010: 
    0 in use, 4 most used
    Oct 11 22:38:07 192.168.1.2 Oct 11 2001 18:18:01: %PIX-6-302010: 
    0 in use, 4 most used
    Oct 11 22:38:07 192.168.1.2 Oct 11 2001 18:18:01: %PIX-6-302010: 
    0 in use, 4 most used
    Oct 11 22:47:50 192.168.1.2 Oct 11 2001 18:27:44: %PIX-5-111007: 
    Begin configuration: console reading from terminal
    Oct 11 22:47:50 192.168.1.2 Oct 11 2001 18:27:44: %PIX-5-111007: 
    Begin configuration: console reading from terminal
    Oct 11 22:47:57 192.168.1.2 Oct 11 2001 18:27:51: %PIX-5-111005: 
    console end configuration: OK
    Oct 11 22:47:57 192.168.1.2 Oct 11 2001 18:27:51: %PIX-5-111005: 
    console end configuration: OK
  • Local syslog output:

    #more /var/log/local.log
    
    Oct 11 22:54:03 [172.18.124.211.2.2] %PIX-5-111005: 
    console end configuration: OK
    Oct 11 22:54:03 [172.18.124.211.2.2] %PIX-5-111005: 
    console end configuration: OK
    Oct 11 22:54:07 [172.18.124.211.2.2] %PIX-5-111007: Begin configuration: 
    console reading from terminal
    Oct 11 22:54:07 [172.18.124.211.2.2] %PIX-5-111007: Begin configuration: 
    console reading from terminal
    Oct 11 22:54:11 [172.18.124.211.2.2] %PIX-5-111005: 
    console end configuration: OK
    Oct 11 22:54:11 [172.18.124.211.2.2] %PIX-5-111005: 
    console end configuration: OK
    Oct 11 22:54:26 [172.18.124.211.2.2] %PIX-6-302010: 
       0 in use, 9 most used
    Oct 11 22:54:26 [172.18.124.211.2.2] %PIX-6-302010: 
       0 in use, 9 most used

Information to Collect if You Open a TAC Case

If you still need assistance after following the troubleshooting steps above and want to open a service request with Cisco TAC, be sure to include this information for troubleshooting your PIX Firewall.
  • Problem description and relevant topology details
  • Troubleshooting performed before opening the service request
  • Output of the show tech-support command
  • Output of the show log command after running logging buffered debugging, or console captures that demonstrate the problem (if available)
Attach the collected data to the service request in non-zipped, plain text format (.txt). You can attach information to your service request by uploading it with the Service Request Tool. If you cannot access the Service Request Tool, send the information as an e-mail attachment to attach@cisco.com with the service request number in the subject line.


Document ID: 4094