Security : Cisco PIX 500 Series Security Appliances

Monitoring the Cisco Secure PIX Firewall with SNMP and Syslog Through a VPN Tunnel

18 October 2015 - Machine Translation
Other Versions: PDF | English (22 August 2015)



Introduction

Cisco Secure PIX Firewalls are commonly used in site-to-site VPN deployments where the PIXes act as IPsec VPN termination devices. Whether in a simple site-to-site design or in a more complicated hub-and-spoke design, there are times when you want to monitor all PIX Firewalls using a Simple Network Management Protocol (SNMP) server and a syslog server located at a central site.

Note: To configure PIX 7.x to use SNMP and syslog through a VPN tunnel, refer to PIX/ASA 7.x with Syslog Configuration Example.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco PIX Firewall Software Release 6.3(3)

  • PIX 520 and 515 Firewalls

  • A Solaris system running HPOV 6.1 as the SNMP and syslog server

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Information

Refer to SNMP with the Cisco Secure PIX Firewall for general information on how to use SNMP to monitor the Cisco Secure PIX Firewall.

Refer to Configuring PIX Syslog for general information on how to set up syslog on the Cisco Secure PIX Firewall.

These are the goals for this sample configuration:

  • Have data between the 10.99.99.x and 172.18.124.x networks encrypted. This includes syslog and SNMP between the 10.99.99.x network and the SNMP/syslog server 172.18.124.112.

  • The ability to have both PIXes send syslog to the SNMP/syslog server.

  • The ability to make SNMP queries to both PIXes and to have both PIXes send traps to the SNMP/syslog server.

Configure

This sample configuration demonstrates how to monitor a Cisco Secure PIX Firewall using SNMP and syslog through existing VPN tunnels.

Network Diagram

This document uses this network setup:

http://www.cisco.com/c/dam/en/us/support/docs/security/pix-500-series-security-appliances/4094-pix-vpn-4094a-1.gif

Configurations

This document uses these configurations:

Local PIX Firewall (PIX 520)
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password OnTrBUG1Tp0edmkr encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-520b
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names

!--- This access control list (ACL) defines IPsec interesting traffic.
!--- This line covers traffic between the LAN segment behind two PIXes.
!--- It also includes the SNMP/syslog traffic between the SNMP/syslog server
!--- and the network devices located on the Ethernet segment behind the PIX 515.

access-list 101 permit ip 172.18.124.0 255.255.255.0 10.99.99.0 255.255.255.0

!--- These lines cover SNMP (TCP/UDP port - 161), SNMP TRAPS(TCP/UDP port - 162) and 
!--- syslog traffic (UDP port - 514) from SNMP/syslog server to the 
!--- outside interface of the remote PIX.
 
access-list 101 permit tcp host 172.18.124.112 host 192.168.1.2 eq 161
access-list 101 permit udp host 172.18.124.112 host 192.168.1.2 eq 161
access-list 101 permit tcp host 172.18.124.112 host 192.168.1.2 eq 162
access-list 101 permit udp host 172.18.124.112 host 192.168.1.2 eq 162
access-list 101 permit udp host 172.18.124.112 host 192.168.1.2 eq 514
pager lines 24
logging on
logging trap debugging
logging history debugging

!--- Define logging host information.

logging facility 16
logging host inside 172.18.124.112
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 172.18.124.211 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.4

!--- Bypass NAT for IPsec traffic.

nat (inside) 0 access-list 101
conduit permit udp any any 
conduit permit tcp any any 
conduit permit icmp any any 
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius
http server enable
http 172.18.124.112 255.255.255.255 inside

!--- Define SNMP configuration.

snmp-server host inside 172.18.124.112
no snmp-server location
no snmp-server contact
snmp-server community test
snmp-server enable traps
floodguard enable

!--- IPsec configuration. 

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac 
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 192.168.1.2
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:03b5bc406e18006616ffbaa32caeccd1
: end

Remote PIX Firewall (PIX 515)
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password OnTrBUG1Tp0edmkr encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX515A
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names

!--- This ACL defines IPsec interesting traffic.
!--- This line covers traffic between the LAN segment behind two PIXes.
!--- It also covers the SNMP/syslog traffic between the SNMP/syslog server
!--- and the network devices located on the Ethernet segment behind PIX 515.

access-list 101 permit ip 10.99.99.0 255.255.255.0 172.18.124.0 255.255.255.0

 
!--- These lines cover SNMP (TCP/UDP port - 161), SNMP TRAPS (TCP/UDP port - 162) and 
!--- syslog traffic (UDP port - 514) sent from this PIX outside interface 
!--- to the SYSLOG server.

access-list 101 permit tcp host 192.168.1.2 host 172.18.124.112 eq 161 
access-list 101 permit udp host 192.168.1.2 host 172.18.124.112 eq 161
access-list 101 permit tcp host 192.168.1.2 host 172.18.124.112 eq 162
access-list 101 permit udp host 192.168.1.2 host 172.18.124.112 eq 162
access-list 101 permit udp host 192.168.1.2 host 172.18.124.112 eq 514

pager lines 24
logging on
logging timestamp
logging monitor debugging
logging trap debugging
logging history debugging

!--- Define syslog server.

logging facility 23
logging host outside 172.18.124.112
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.99.99.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.3

!--- Bypass NAT for IPsec traffic.

nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
http server enable
http 10.99.99.99 255.255.255.255 inside

!--- Define SNMP server.

snmp-server host outside 172.18.124.112
no snmp-server location
no snmp-server contact
snmp-server community test
snmp-server enable traps
floodguard enable

!--- IPsec configuration.

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac 
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 192.168.1.1
crypto map vpn 10 set transform-set myset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.1 netmask 255.255.255.255 
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:edb21b64ab79eeb6eaf99746c94a1e36
: end
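
The tunnel only carries a flow when the peer holds the mirror image of the crypto ACL entry that selected it. The following check, added here as an example and not Cisco's code or tooling, parses the access-list 101 lines from both configurations above and reports any entry the other side does not mirror. It assumes PIX 6.x ACL syntax as shown (subnet masks, host, optional eq port) and follows the page's convention of leaving the eq port on the destination when the addresses are swapped.

```python
"""Mirror check for the IPsec interesting-traffic ACLs of two PIX peers.

Added example, not part of the Cisco document. Assumes PIX 6.x ACL syntax as
shown in the configurations above and keeps the 'eq' port on the destination
when the addresses are swapped, as the page's own ACLs do.
"""
import ipaddress

# Constructed sample: the access-list 101 permits from both configurations above.
LOCAL_ACL = """\
access-list 101 permit ip 172.18.124.0 255.255.255.0 10.99.99.0 255.255.255.0
access-list 101 permit tcp host 172.18.124.112 host 192.168.1.2 eq 161
access-list 101 permit udp host 172.18.124.112 host 192.168.1.2 eq 161
access-list 101 permit tcp host 172.18.124.112 host 192.168.1.2 eq 162
access-list 101 permit udp host 172.18.124.112 host 192.168.1.2 eq 162
access-list 101 permit udp host 172.18.124.112 host 192.168.1.2 eq 514
"""

REMOTE_ACL = """\
access-list 101 permit ip 10.99.99.0 255.255.255.0 172.18.124.0 255.255.255.0
access-list 101 permit tcp host 192.168.1.2 host 172.18.124.112 eq 161
access-list 101 permit udp host 192.168.1.2 host 172.18.124.112 eq 161
access-list 101 permit tcp host 192.168.1.2 host 172.18.124.112 eq 162
access-list 101 permit udp host 192.168.1.2 host 172.18.124.112 eq 162
access-list 101 permit udp host 192.168.1.2 host 172.18.124.112 eq 514
"""


def _address(tokens, i):
    """Parse one PIX address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX 6.x access-lists take a normal subnet mask, not an IOS wildcard mask.
    return ipaddress.ip_network((tokens[i], tokens[i + 1])), i + 2


def parse_acl(text, acl_id="101"):
    """Return the permit entries of one ACL as (proto, src, dst, port) tuples.

    port is the 'eq' destination port, or 0 when the line has none.
    """
    entries = set()
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:3] != ["access-list", acl_id, "permit"]:
            continue
        proto = tokens[3]
        src, i = _address(tokens, 4)
        dst, i = _address(tokens, i)
        port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else 0
        entries.add((proto, src, dst, port))
    return entries


def mirror(entry):
    """The entry the peer must carry: same protocol and port, addresses swapped."""
    proto, src, dst, port = entry
    return (proto, dst, src, port)


def unmirrored(local_text, remote_text):
    """Entries on each side that the other side does not mirror.

    Returns (missing_on_remote, missing_on_local); both empty means the crypto
    ACLs agree, so every flow selected on one PIX has a matching proxy identity
    on its peer.
    """
    local, remote = parse_acl(local_text), parse_acl(remote_text)
    missing_on_remote = sorted((e for e in local if mirror(e) not in remote), key=str)
    missing_on_local = sorted((e for e in remote if mirror(e) not in local), key=str)
    return missing_on_remote, missing_on_local


def format_entry(entry):
    """Render an entry in a short 'proto src -> dst [eq port]' form."""
    proto, src, dst, port = entry
    return f"{proto} {src} -> {dst}" + (f" eq {port}" if port else "")


if __name__ == "__main__":
    missing = unmirrored(LOCAL_ACL, REMOTE_ACL)
    for side, entries in zip(("remote", "local"), missing):
        for entry in entries:
            print(f"no mirror on {side} PIX for: {format_entry(entry)}")
    print("crypto ACLs agree" if not any(missing) else "crypto ACLs mismatch")
```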

SNMP and Syslog Server Configuration Information

HPOV 6.1 is used as the SNMP server application.

For syslog collection, the syslog daemon (syslogd) is used. Syslog information from the local PIX and from the remote PIX is stored in different files, based on the logging facility configured on each PIX Firewall.

The /etc/syslog.conf file has:

local0.debug /var/log/local.log 
local7.debug /var/log/remote.log 

In the local PIX configuration, logging facility 16 corresponds to LOCAL0.

In the remote PIX configuration, logging facility 23 corresponds to LOCAL7.
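
The facility number travels in the syslog PRI field (facility * 8 + severity), which is how syslogd tells the two PIXes apart. The following example, added here and not part of the Cisco document, decodes PIX datagrams the way that setup does: it maps facility codes 16 through 23 to local0 through local7, reads the severity and message ID from the %PIX-n-id tag, and picks the file from the syslog.conf selectors above. The datagrams are constructed, modelled on the /var/log/remote.log line shown later on this page; the third one uses facility 22 (local6), which no selector above catches, to show how a mismatched logging facility silently loses messages.

```python
"""Route PIX syslog datagrams the way the syslogd setup above does.

Added example, not part of the Cisco document. Decodes the syslog PRI
(facility * 8 + severity), maps PIX 'logging facility' 16..23 to
local0..local7 and applies the /etc/syslog.conf selectors shown above.
"""
import re

FACILITY_NAMES = {16 + n: f"local{n}" for n in range(8)}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The two selector lines from the page's /etc/syslog.conf.
SYSLOG_CONF = """\
local0.debug\t/var/log/local.log
local7.debug\t/var/log/remote.log
"""

PRI_RE = re.compile(r"^<(\d{1,3})>")
PIX_TAG_RE = re.compile(r"%PIX-(\d)-(\d+):")

# Constructed datagrams. The remote PIX (logging facility 23, logging timestamp)
# prefixes its own clock; the local PIX (logging facility 16) does not.
REMOTE_MSG = "<190>Oct 11 2001 18:08:01: %PIX-6-302010: 0 in use, 4 most used"
LOCAL_MSG = "<134>%PIX-6-302010: 0 in use, 4 most used"
# A PIX left on logging facility 22 (local6): nothing in SYSLOG_CONF selects it.
STRAY_MSG = "<182>%PIX-6-302010: 0 in use, 4 most used"


def parse_syslog_conf(text):
    """Return [(facility_name, max_severity, file)] from selector lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        facility, level = selector.split(".")
        rules.append((facility, SEVERITY_NAMES.index(level), action.strip()))
    return rules


def decode(datagram):
    """Split one datagram into facility, severity and the PIX message fields."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    body = datagram[m.end():]
    tag = PIX_TAG_RE.search(body)
    if not tag:
        raise ValueError("not a PIX message: no %PIX-n-id tag")
    tag_severity, message_id = int(tag.group(1)), tag.group(2)
    return {
        "facility": FACILITY_NAMES.get(facility, str(facility)),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "message_id": message_id,
        # The severity in the tag should agree with the PRI; a mismatch means
        # the sender is not a PIX or the datagram was altered in transit.
        "tag_matches_pri": tag_severity == severity,
        "text": body[tag.end():].strip(),
    }


def route(datagram, rules):
    """Decode one datagram and list the files syslogd would append it to.

    A selector 'facility.level' matches messages of that facility whose
    severity is level or more severe (numerically lower or equal).
    """
    info = decode(datagram)
    info["files"] = [
        path for fac, max_sev, path in rules
        if fac == info["facility"] and info["severity"] <= max_sev
    ]
    return info


if __name__ == "__main__":
    rules = parse_syslog_conf(SYSLOG_CONF)
    for msg in (REMOTE_MSG, LOCAL_MSG, STRAY_MSG):
        info = route(msg, rules)
        dest = ", ".join(info["files"]) or "DROPPED (no selector for this facility)"
        print(f"{info['facility']}.{info['severity_name']} "
              f"%PIX-{info['severity']}-{info['message_id']} -> {dest}")
```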

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: The clear commands must be executed in config mode.

  • clear crypto ipsec sa — Resets the IPsec security associations after failed attempts to negotiate a VPN tunnel.

  • clear crypto isakmp sa — Resets the Internet Security Association and Key Management Protocol (ISAKMP) security associations after failed attempts to negotiate a VPN tunnel.

  • show crypto engine ipsec — Displays the encrypted sessions.

Troubleshoot

Troubleshooting Commands

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.

  • debug crypto ipsec — Used to see whether a client negotiates the IPsec portion of the VPN connection.

  • debug crypto isakmp — Used to see whether the peers negotiate the ISAKMP portion of the VPN connection.

Sample debug Output

SNMP Output

These examples show how to use snmpwalk to monitor buffer utilization on both PIX Firewalls. The object identifier (OID) for buffer status is:

"cfwBufferStatsTable"     "1.3.6.1.4.1.9.9.147.1.2.2.1"
  • Monitor the remote PIX Firewall:

    Script started on Tue Oct 09 21:53:54 2001
    # ./snmpwalk -c test 192.168.1.2 1.3.6.1.4.1.9.9.147.1.2.2.1
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.4.3 : OCTET STRING- (ascii):  
    maximum number of allocated 4 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.
    cfwBufferStatsEntry.cfwBufferStatInformation.4.5 : 
    OCTET STRING- (ascii):  fewest 4 byte blocks available since 
    system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.4.8 : OCTET STRING- (ascii):  
    current number of available 4 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.80.3 : OCTET STRING- (ascii): 
    maximum number of allocated 80 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.80.5 : OCTET STRING- (ascii): 
    fewest 80 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.80.8 : OCTET STRING- (ascii): 
    current number of available 80 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.256.3 : OCTET STRING- (ascii):        
    maximum number of allocated 256 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.256.5 : OCTET STRING- (ascii):        
    fewest 256 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.256.8 : OCTET STRING- (ascii):        
    current number of available 256 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.1550.3 : OCTET STRING- (ascii):       
    maximum number of allocated 1550 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.
    cfwSystem.cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.1550.5 : OCTET STRING- (ascii):       
    fewest 1550 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.1550.8 : OCTET STRING- (ascii):       
    current number of available 1550 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.2560.3 : OCTET STRING- (ascii):      
    maximum number of allocated 2560 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.2560.5 : OCTET STRING- (ascii):       
    fewest 2560 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.2560.8 : OCTET STRING- (ascii):       
    current number of available 2560 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.4.3 : Gauge32: 1600
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.4.5 : Gauge32: 1599
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.4.8 : Gauge32: 1600
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.80.3 : Gauge32: 400
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.80.5 : Gauge32: 399
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.80.8 : Gauge32: 400
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.256.3 : Gauge32: 750
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.256.5 : Gauge32: 746
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.256.8 : Gauge32: 749
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.1550.3 : Gauge32: 1956
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.1550.5 : Gauge32: 1166
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.1550.8 : Gauge32: 1188
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.2560.3 : Gauge32: 200
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.2560.5 : Gauge32: 196
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.2560.8 : Gauge32: 199
  • Monitor the local PIX Firewall:

    Script started on Tue Oct 09 21:54:53 2001
    # ./snmpwalk -c test 172.18.124.211  1.3.6.1.4.1.9.9.147.1.2.2.1
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.4.3 : OCTET STRING- (ascii):  
    maximum number of allocated 4 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.4.5 : OCTET STRING- (ascii):  
    fewest 4 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.4.8 : OCTET STRING- (ascii):  
    current number of available 4 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.80.3 : OCTET STRING- (ascii): 
    maximum number of allocated 80 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.80.5 : OCTET STRING- (ascii): 
    fewest 80 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.80.8 : OCTET STRING- (ascii): 
    current number of available 80 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.256.3 : OCTET STRING- (ascii):        
    maximum number of allocated 256 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.256.5 : OCTET STRING- (ascii):        
    fewest 256 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.256.8 : OCTET STRING- (ascii):        
    current number of available 256 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.1550.3 : OCTET STRING- (ascii):       
    maximum number of allocated 1550 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.1550.5 : OCTET STRING- (ascii):       
    fewest 1550 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.1550.8 : OCTET STRING- (ascii):       
    current number of available 1550 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.2560.3 : OCTET STRING- (ascii):       
    maximum number of allocated 2560 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.2560.5 : OCTET STRING- (ascii):       
    fewest 2560 byte blocks available since system startup
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatInformation.2560.8 : OCTET STRING- (ascii):       
    current number of available 2560 byte blocks
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.4.3 : Gauge32: 1600
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.4.5 : Gauge32: 1599
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.4.8 : Gauge32: 1600
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.80.3 : Gauge32: 400
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.80.5 : Gauge32: 397
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.80.8 : Gauge32: 400
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.256.3 : Gauge32: 1500
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.256.5 : Gauge32: 1497
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.256.8 : Gauge32: 1499
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.1550.3 : Gauge32: 2468
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.1550.5 : Gauge32: 1686
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.1550.8 : Gauge32: 1700
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.2560.3 : Gauge32: 200
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.2560.5 : Gauge32: 198
    cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
    cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
    cfwBufferStatValue.2560.8 : Gauge32: 199

The show block Command

The snmpwalk output for the cfwBufferStatsTable corresponds to this show command on the remote PIX.

PIX-515A#show block
  SIZE    MAX    LOW    CNT
     4   1600   1599   1600
    80    400    399    400
   256    750    746    749
  1550   1956   1166   1188
  2560    200    196    199

The snmpwalk output for the cfwBufferStatsTable corresponds to this show command on the local PIX.

PIX-520B#show block
  SIZE    MAX    LOW    CNT
     4   1600   1599   1600
    80    400    397    400
   256   1500   1497   1499
  1550   2468   1686   1700
  2560    200    198    199
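
The correspondence between the walk and show block can be checked mechanically. The following example, added here and not Cisco's code or tooling, rebuilds the SIZE/MAX/LOW/CNT table from cfwBufferStatValue rows, compares it with the show block output, and flags block sizes whose low-water mark fell well below the pool size. The column meanings of stat-type indexes .3, .5 and .8 are taken from the cfwBufferStatInformation strings in the walk above; the sample rows are a constructed subset of the remote PIX walk, and the 0.7 alert threshold is an assumption for illustration, not a Cisco recommendation.

```python
"""Rebuild the PIX 'show block' table from a cfwBufferStatsTable snmpwalk.

Added example, not part of the Cisco document. Stat-type index meanings
(.3 max allocated, .5 fewest available since startup, .8 currently available)
come from the cfwBufferStatInformation strings in the walk output above.
"""
import re

# cfwBufferStatsEntry index is <block size>.<stat type>; columns follow show block.
STAT_COLUMNS = {3: "MAX", 5: "LOW", 8: "CNT"}

VALUE_RE = re.compile(r"cfwBufferStatValue\.(\d+)\.(\d+)\s*:\s*Gauge32:\s*(\d+)")

# Constructed sample: the 4-, 1550- and 2560-byte rows of the remote PIX walk,
# the first with the OID prefix wrapped across lines as in the captured output.
SAMPLE_WALK = """\
cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
cfwBufferStatValue.4.3 : Gauge32: 1600
cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
cfwBufferStatValue.4.5 : Gauge32: 1599
cisco.ciscoMgmt.ciscoFirewallMIB.ciscoFirewallMIBObjects.cfwSystem.
cfwStatistics.cfwBufferStatsTable.cfwBufferStatsEntry.
cfwBufferStatValue.4.8 : Gauge32: 1600
cfwBufferStatValue.1550.3 : Gauge32: 1956
cfwBufferStatValue.1550.5 : Gauge32: 1166
cfwBufferStatValue.1550.8 : Gauge32: 1188
cfwBufferStatValue.2560.3 : Gauge32: 200
cfwBufferStatValue.2560.5 : Gauge32: 196
cfwBufferStatValue.2560.8 : Gauge32: 199
"""

# The matching rows of 'show block' on the remote PIX, for cross-checking.
SAMPLE_SHOW_BLOCK = """\
  SIZE    MAX    LOW    CNT
     4   1600   1599   1600
  1550   1956   1166   1188
  2560    200    196    199
"""


def parse_buffer_stats(walk_text):
    """Return {size: {"MAX": n, "LOW": n, "CNT": n}} from snmpwalk output."""
    table = {}
    for m in VALUE_RE.finditer(walk_text):
        size, stat, value = (int(g) for g in m.groups())
        column = STAT_COLUMNS.get(stat)
        if column is None:
            continue  # a stat type that show block does not list
        table.setdefault(size, {})[column] = value
    return table


def parse_show_block(text):
    """Parse the SIZE/MAX/LOW/CNT rows of 'show block' into the same shape."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and all(f.isdigit() for f in fields):
            size, mx, low, cnt = (int(f) for f in fields)
            table[size] = {"MAX": mx, "LOW": low, "CNT": cnt}
    return table


def render_show_block(table):
    """Format a parsed table the way the PIX prints 'show block'."""
    lines = ["  SIZE    MAX    LOW    CNT"]
    for size in sorted(table):
        row = table[size]
        lines.append(f"{size:>6} {row['MAX']:>6} {row['LOW']:>6} {row['CNT']:>6}")
    return "\n".join(lines)


def low_watermark_alerts(table, fraction=0.7):
    """Block sizes whose pool fell below fraction * MAX at some point since startup.

    LOW is the fewest blocks ever available; a LOW of 0 means the PIX ran out of
    that block size and had to drop packets. The 0.7 default is an assumed
    threshold for illustration.
    """
    return sorted(s for s, r in table.items() if r["LOW"] < fraction * r["MAX"])


if __name__ == "__main__":
    walk = parse_buffer_stats(SAMPLE_WALK)
    print(render_show_block(walk))
    print("matches show block:", walk == parse_show_block(SAMPLE_SHOW_BLOCK))
    print("low-water alerts:", low_watermark_alerts(walk))
```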

Verify the IPsec Tunnel

  • Remote show crypto ipsec sa:

    PIX515A#show crypto ipsec sa 
    
    
    interface: outside
        Crypto map tag: vpn, local addr. 192.168.1.2
    
       local  ident (addr/mask/prot/port): (10.99.99.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (172.18.124.0/255.255.255.0/0/0)
       current_peer: 192.168.1.1
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 1962, #pkts encrypt: 1962, #pkts digest 1962
        #pkts decaps: 1963, #pkts decrypt: 1963, #pkts verify 1963
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, 
        #pkts decompress failed: 0
        #send errors 0, #recv errors 0
    
         local crypto endpt.: 192.168.1.2, remote crypto endpt.: 
            192.168.1.1
         path mtu 1500, ipsec overhead 56, media mtu 1500
         current outbound spi: 3411a392
    
         inbound esp sas:
          spi: 0x554ad733(1430968115)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 4, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4608000/28472)
            IV size: 8 bytes
            replay detection support: Y
          spi: 0x63a866ca(1671980746)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4607747/27373)
            IV size: 8 bytes
            replay detection support: Y
    
    
         inbound ah sas:
    
    
         inbound pcp sas:
    
    
         outbound esp sas:
          spi: 0x3411a392(873571218)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 3, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4608000/28463)
            IV size: 8 bytes
            replay detection support: Y
          spi: 0x7523ba4a(1965275722)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 1, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4607798/27366)
            IV size: 8 bytes
            replay detection support: Y
    
    
         outbound ah sas:
    
    
         outbound pcp sas:
    
    
    
       local  ident (addr/mask/prot/port): 
          (192.168.1.2/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): 
          (172.18.124.112/255.255.255.255/0/0)
       current_peer: 192.168.1.1
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 26, #pkts encrypt: 26, #pkts digest 26
        #pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, 
        #pkts decompress failed: 0
        #send errors 12, #recv errors 0
    
         local crypto endpt.: 192.168.1.2, remote crypto endpt.: 
            192.168.1.1
         path mtu 1500, ipsec overhead 56, media mtu 1500
         current outbound spi: 326421ac
    
         inbound esp sas:
          spi: 0x6eeec108(1861140744)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 6, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4608000/28159)
            IV size: 8 bytes
            replay detection support: Y
    
    
         inbound ah sas:
    
    
         inbound pcp sas:
    
       outbound esp sas:
          spi: 0x326421ac(845423020)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 5, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4607994/28159)
            IV size: 8 bytes
            replay detection support: Y
    
    
         outbound ah sas:
    
    
         outbound pcp sas:
  • Local show crypto ipsec sa:

    PIX-520B#show crypto ipsec sa 
    
    interface: outside
        Crypto map tag: vpn, local addr. 192.168.1.1
    
       local  ident (addr/mask/prot/port): (172.18.124.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.99.99.0/255.255.255.0/0/0)
       current_peer: 192.168.1.2
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 4169, #pkts encrypt: 4169, #pkts digest 4169
        #pkts decaps: 4168, #pkts decrypt: 4168, #pkts verify 4168
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, 
        #pkts decompress failed: 0
        #send errors 2, #recv errors 0
    
         local crypto endpt.: 192.168.1.1, remote crypto endpt.: 
            192.168.1.2
         path mtu 1500, ipsec overhead 56, media mtu 1500
         current outbound spi: 63a866ca
    
         inbound esp sas:
          spi: 0x7523ba4a(1965275722)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 4, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4607560/28160)
            IV size: 8 bytes
            replay detection support: Y
    
    
         inbound ah sas:
    
    
         inbound pcp sas:
    
    
         outbound esp sas:
          spi: 0x63a866ca(1671980746)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 3, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4607705/28151)
            IV size: 8 bytes
            replay detection support: Y
    
    
         outbound ah sas:
    
    
         outbound pcp sas:
    
    
    
       local  ident (addr/mask/prot/port): 
          (172.18.124.112/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): 
          (192.168.1.2/255.255.255.255/0/0)
       current_peer: 192.168.1.2
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 8, #pkts encrypt: 8, #pkts digest 8
        #pkts decaps: 32, #pkts decrypt: 32, #pkts verify 32
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, 
        #pkts decompress failed: 0
        #send errors 0, #recv errors 0
    
         local crypto endpt.: 192.168.1.1, remote crypto endpt.: 
            192.168.1.2
         path mtu 1500, ipsec overhead 56, media mtu 1500
         current outbound spi: 6eeec108
    
         inbound esp sas:
          spi: 0x326421ac(845423020)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4607993/27715)
            IV size: 8 bytes
            replay detection support: Y
    
    
         inbound ah sas:
    
    
         inbound pcp sas:
    
    
         outbound esp sas:
          spi: 0x6eeec108(1861140744)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 1, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4608000/27706)
            IV size: 8 bytes
            replay detection support: Y
    
    
         outbound ah sas:
    
    
         outbound pcp sas:
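As an added example (not part of the original document), here is a Python check over the `show crypto ipsec sa` output above. It splits the output into one record per local/remote ident pair, confirms that a host-to-host SA exists between the syslog/SNMP server (172.18.124.112 on the page) and the remote PIX's outside address (192.168.1.2), and flags send/receive errors, one-way counters (packets encapsulated but none decapsulated, or the reverse) and the `esp-des` transform, since single DES has a 56-bit key and PIX 6.3 can use 3DES or AES with the appropriate license. The sample text is a trimmed copy of the capture above; the function names and the weak-cipher list are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the hub PIX's "show crypto ipsec sa" output from this
# page, trimmed to the lines the parser reads (one SA pair per ident pair).
SAMPLE = """\
interface: outside
    Crypto map tag: vpn, local addr. 192.168.1.1
   local  ident (addr/mask/prot/port): (172.18.124.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.99.99.0/255.255.255.0/0/0)
   current_peer: 192.168.1.2
    #pkts encaps: 4169, #pkts encrypt: 4169, #pkts digest 4169
    #pkts decaps: 4168, #pkts decrypt: 4168, #pkts verify 4168
    #send errors 2, #recv errors 0
     inbound esp sas:
        transform: esp-des esp-md5-hmac ,
     outbound esp sas:
        transform: esp-des esp-md5-hmac ,

   local  ident (addr/mask/prot/port):
      (172.18.124.112/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port):
      (192.168.1.2/255.255.255.255/0/0)
   current_peer: 192.168.1.2
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest 8
    #pkts decaps: 32, #pkts decrypt: 32, #pkts verify 32
    #send errors 0, #recv errors 0
     inbound esp sas:
        transform: esp-des esp-md5-hmac ,
     outbound esp sas:
        transform: esp-des esp-md5-hmac ,
"""

LOCAL_RE = re.compile(r"local\s+ident \(addr/mask/prot/port\):\s*\(([^)]*)\)")
REMOTE_RE = re.compile(r"remote\s+ident \(addr/mask/prot/port\):\s*\(([^)]*)\)")
PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
ERRORS_RE = re.compile(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)")
TRANSFORM_RE = re.compile(r"transform:\s*([^,\n]+)")
HOST = "/255.255.255.255/0/0"  # ident suffix of a single-host selector

# Ciphers to flag: single DES (56-bit key, used by the tunnel on this page) and null.
WEAK_CIPHERS = ("esp-des", "esp-null")

@dataclass
class Flow:
    local: str        # ident as printed: addr/mask/prot/port
    remote: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    transforms: list  # distinct transform sets on this flow's SAs

def parse_crypto_sa(text):
    """One Flow per local/remote ident pair; tolerates idents wrapped onto a
    second line as in the page's capture."""
    flows = []
    for chunk in re.split(r"(?=^[ \t]*local[ \t]+ident)", text, flags=re.M):
        loc = LOCAL_RE.search(chunk)
        if not loc:
            continue  # interface / crypto-map header, not a flow
        errs = ERRORS_RE.search(chunk)
        flows.append(Flow(
            local=loc.group(1),
            remote=REMOTE_RE.search(chunk).group(1),
            peer=PEER_RE.search(chunk).group(1),
            encaps=int(ENCAPS_RE.search(chunk).group(1)),
            decaps=int(DECAPS_RE.search(chunk).group(1)),
            send_errors=int(errs.group(1)),
            recv_errors=int(errs.group(2)),
            transforms=sorted({t.strip() for t in TRANSFORM_RE.findall(chunk)}),
        ))
    return flows

def management_flow(flows, server_ip, peer_ip):
    """The host-to-host SA between the syslog/SNMP server and the remote PIX's
    outside address, or None if no such SA exists."""
    for f in flows:
        if f.local == server_ip + HOST and f.remote == peer_ip + HOST:
            return f
    return None

def audit(flows):
    """Counters and transforms a monitoring engineer would act on."""
    findings = []
    for f in flows:
        tag = f"{f.local} -> {f.remote}"
        if f.send_errors or f.recv_errors:
            findings.append(f"{tag}: send/recv errors {f.send_errors}/{f.recv_errors}")
        if f.encaps == 0 or f.decaps == 0:
            findings.append(f"{tag}: one-way traffic encaps={f.encaps} decaps={f.decaps}")
        for t in f.transforms:
            if t.startswith(WEAK_CIPHERS):
                findings.append(f"{tag}: weak transform '{t}'")
    return findings
```

Run `audit(parse_crypto_sa(SAMPLE))` against a fresh capture to see the two send errors on the subnet-to-subnet flow and the DES transform on both flows; `management_flow()` returning None is the first thing to check when syslog or SNMP stops arriving at the central server.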

Syslog Output

  • Remote syslog output:

    #more /var/log/remote.log
    
    Oct 11 22:28:08 192.168.1.2 Oct 11 2001 18:08:01: %PIX-6-302010: 
    0 in use, 4 most used
    Oct 11 22:28:08 192.168.1.2 Oct 11 2001 18:08:01: %PIX-6-302010: 
    0 in use, 4 most used
    Oct 11 22:38:07 192.168.1.2 Oct 11 2001 18:18:01: %PIX-6-302010: 
    0 in use, 4 most used
    Oct 11 22:38:07 192.168.1.2 Oct 11 2001 18:18:01: %PIX-6-302010: 
    0 in use, 4 most used
    Oct 11 22:47:50 192.168.1.2 Oct 11 2001 18:27:44: %PIX-5-111007: 
    Begin configuration: console reading from terminal
    Oct 11 22:47:50 192.168.1.2 Oct 11 2001 18:27:44: %PIX-5-111007: 
    Begin configuration: console reading from terminal
    Oct 11 22:47:57 192.168.1.2 Oct 11 2001 18:27:51: %PIX-5-111005: 
    console end configuration: OK
    Oct 11 22:47:57 192.168.1.2 Oct 11 2001 18:27:51: %PIX-5-111005: 
    console end configuration: OK
  • Local syslog output:

    #more /var/log/local.log
    
    Oct 11 22:54:03 [172.18.124.211.2.2] %PIX-5-111005: 
    console end configuration: OK
    Oct 11 22:54:03 [172.18.124.211.2.2] %PIX-5-111005: 
    console end configuration: OK
    Oct 11 22:54:07 [172.18.124.211.2.2] %PIX-5-111007: Begin configuration: 
    console reading from terminal
    Oct 11 22:54:07 [172.18.124.211.2.2] %PIX-5-111007: Begin configuration: 
    console reading from terminal
    Oct 11 22:54:11 [172.18.124.211.2.2] %PIX-5-111005: 
    console end configuration: OK
    Oct 11 22:54:11 [172.18.124.211.2.2] %PIX-5-111005: 
    console end configuration: OK
    Oct 11 22:54:26 [172.18.124.211.2.2] %PIX-6-302010: 
       0 in use, 9 most used
    Oct 11 22:54:26 [172.18.124.211.2.2] %PIX-6-302010: 
       0 in use, 9 most used
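As an added example, not part of the original document: a Python parser for the two log layouts above. Lines in remote.log carry the PIX's own timestamp after the source address (the remote PIX sends from its outside interface, 192.168.1.2); lines in local.log show only the collector's timestamp and a bracketed source tag. The code folds the doubled lines visible in both captures while keeping a count, computes the gap between the collector's receive time and the PIX clock on remote lines (the captures above show them more than four hours apart, which breaks cross-device correlation unless accounted for), and raises an alert on the 111005/111007 configuration-session messages, the events most worth watching on a firewall. Syslog over UDP carries no authentication of its own, so on this design the tunnel is what protects these lines in transit. Sample lines are copied from the captures above; the function names are this example's own, and the same-year assumption in the clock-offset calculation is marked in the code.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Sample lines copied from the two captures on this page (remote.log lines carry
# the PIX's own timestamp after the source address; local.log lines do not).
SAMPLE_LINES = """\
Oct 11 22:28:08 192.168.1.2 Oct 11 2001 18:08:01: %PIX-6-302010: 0 in use, 4 most used
Oct 11 22:28:08 192.168.1.2 Oct 11 2001 18:08:01: %PIX-6-302010: 0 in use, 4 most used
Oct 11 22:47:50 192.168.1.2 Oct 11 2001 18:27:44: %PIX-5-111007: Begin configuration: console reading from terminal
Oct 11 22:47:50 192.168.1.2 Oct 11 2001 18:27:44: %PIX-5-111007: Begin configuration: console reading from terminal
Oct 11 22:47:57 192.168.1.2 Oct 11 2001 18:27:51: %PIX-5-111005: console end configuration: OK
Oct 11 22:54:03 [172.18.124.211.2.2] %PIX-5-111005: console end configuration: OK
Oct 11 22:54:26 [172.18.124.211.2.2] %PIX-6-302010: 0 in use, 9 most used
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<recv>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\S+) "
    r"(?:(?P<dev>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d): )?"
    r"%PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)

# Message IDs that record a configuration session on the PIX console.
CONFIG_CHANGE_IDS = {"111005", "111007"}

@dataclass
class Event:
    raw: str
    received: datetime               # collector's stamp (syslog omits the year)
    source: str                      # address or tag the collector recorded
    device_time: Optional[datetime]  # PIX's own timestamp, when present
    severity: int
    msg_id: str
    message: str

def parse_line(line):
    """Event for a PIX syslog line in either layout above, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dev = m.group("dev")
    return Event(
        raw=line,
        received=datetime.strptime(m.group("recv"), "%b %d %H:%M:%S"),
        source=m.group("src"),
        device_time=datetime.strptime(dev, "%b %d %Y %H:%M:%S") if dev else None,
        severity=int(m.group("sev")),
        msg_id=m.group("id"),
        message=m.group("msg"),
    )

def collapse_repeats(events):
    """Fold runs of identical lines into (event, count) pairs so a doubled
    feed does not double the alert volume; the count is kept for review."""
    folded = []
    for ev in events:
        if folded and folded[-1][0].raw == ev.raw:
            folded[-1] = (folded[-1][0], folded[-1][1] + 1)
        else:
            folded.append((ev, 1))
    return folded

def clock_offset_seconds(ev):
    """Collector receive time minus the PIX timestamp, in seconds. Assumes both
    stamps fall in the same year, since the collector's stamp has none.
    None when the line carries no device timestamp."""
    if ev.device_time is None:
        return None
    recv = ev.received.replace(year=ev.device_time.year)
    return (recv - ev.device_time).total_seconds()

def config_change_alerts(events):
    """One alert string per configuration-session message."""
    return [f"{ev.source}: config session ({ev.msg_id}) {ev.message}"
            for ev in events if ev.msg_id in CONFIG_CHANGE_IDS]

if __name__ == "__main__":
    events = [e for e in map(parse_line, SAMPLE_LINES) if e]
    folded = collapse_repeats(events)
    for ev, n in folded:
        print(f"x{n} {ev.source} sev={ev.severity} id={ev.msg_id} "
              f"offset={clock_offset_seconds(ev)}")
    for alert in config_change_alerts([ev for ev, _ in folded]):
        print("ALERT", alert)
```

The offset on the remote lines is the figure to feed into correlation rules (or the reason to fix NTP on the PIX); the alert list is what a SOC would forward, since a console configuration session on a perimeter firewall outside a change window is worth a ticket on its own.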

Information to Collect if You Open a TAC Case

If you still need assistance after following the troubleshooting steps in this document and want to open a service request with the Cisco TAC, be sure to include this information for troubleshooting your PIX Firewall.
  • Problem description and relevant topology details
  • Troubleshooting performed before opening the service request
  • Output of the show tech-support command (it includes the running configuration, so review it and redact the SNMP community string and any other credentials it exposes before attaching it)
  • Output of the show log command after running with the logging buffered debugging command, or console captures that demonstrate the problem (if available)
Attach the collected data to your service request in non-zipped, plain-text (.txt) format. You can attach the information to your service request by uploading it with the Service Request Tool (registered customers only). If you cannot access the Service Request Tool, you can send the information in an e-mail attachment to attach@cisco.com with your service request number in the subject line of your message.



Related Information


Document ID: 4094