Cisco - pix 515 широковещательный шторм на outside

advanced
New member


Hello!

There is a network with Internet access through a PIX 515. Plain Ethernet, no PPP of any kind.
Some time ago, brief "drops" started: literally a 5-second disconnect once an hour, then back to normal.
Lately these incidents have become more frequent, and after informal conversation with the provider's representatives it turned out that the drops are caused by port blocking due to broadcast storms.

So, the actual question: how can broadcast packets get through the PIX with the following config?

Code:
run# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
hostname run
domain-name example.com
clock timezone YEKST 5
clock summer-time YEKDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service GlobalToGateServerGroup tcp
  port-object eq domain
  port-object eq www
  port-object eq smtp
  port-object range ftp-data ftp
access-list 101 permit icmp any host OUTSIDE_IP
access-list 101 permit tcp any host OUTSIDE_IP eq www
access-list 101 permit tcp any host OUTSIDE_IP eq https
access-list 101 permit tcp any host OUTSIDE_IP object-group GlobalToGateServerGroup
access-list 101 permit tcp any host OUTSIDE_IP eq 33728
access-list 101 permit tcp any host OUTSIDE_IP eq smtp
access-list 101 permit udp any host OUTSIDE_IP eq 33728
access-list 101 permit tcp any host OUTSIDE_IP eq 11157
access-list 101 permit tcp any host OUTSIDE_IP eq 62210
access-list 101 permit tcp any host OUTSIDE_IP eq pptp
access-list 101 permit gre any host OUTSIDE_IP
access-list 100 permit tcp host COMP07 any
access-list 100 permit icmp any any
access-list 100 permit tcp host COMP08 any
access-list 100 permit tcp host PROXY2 any eq www
access-list 100 permit tcp host PROXY2 any eq https
access-list 100 permit udp host PROXY2 any eq domain
access-list 100 permit udp host COMP08 any eq domain
access-list 100 permit tcp host SERVER33 any
access-list 100 permit tcp host COMP_01 any
access-list 100 permit tcp host AINTISPAM any eq smtp
access-list 100 permit udp host AINTISPAM any eq domain
access-list 100 permit tcp host AINTISPAM any eq https
access-list 100 permit udp host COMP08 any
access-list 100 permit udp host SERVER170 any eq domain
access-list 100 permit udp host COMP_127 any
access-list 100 permit udp host COMP_128 any
access-list 100 permit tcp host COMP_128 any
access-list 100 permit tcp host VPNPOOL20 any
access-list 50 permit tcp DMZ_NET 255.255.255.0 any eq domain
access-list 50 permit tcp DMZ_NET 255.255.255.0 any eq ident
access-list 50 permit icmp any any
access-list 50 permit tcp host DMZ_IP any eq telnet
access-list 50 permit tcp host DMZ_IP any eq 7235
access-list 50 permit tcp host DMZ_IP any eq 1024
access-list 50 permit tcp host DMZ_IP host 195.68.156.154 eq pptp
access-list 50 permit tcp host DMZ_IP host 217.12.97.25 eq lotusnotes
access-list 50 permit tcp host DMZ_IP any eq ftp
access-list 50 permit tcp host DMZ_IP any eq 4443
access-list 50 permit tcp host DMZ_IP any eq 2847
access-list 50 permit tcp host DMZ_IP any eq 2848
access-list 50 permit tcp host DMZ_IP any eq 8333
access-list 50 permit tcp host DMZ_IP any eq pop3
access-list 50 permit tcp host DMZ_IP any eq https
access-list 50 permit tcp host DMZ_IP any eq www
access-list 50 permit tcp host DMZ_IP any range 6666 6670
access-list 50 permit tcp host DMZ_IP any eq 9091
access-list 50 permit tcp host DMZ_IP any eq 2802
access-list 50 permit tcp host DMZ_IP any eq smtp
access-list 50 permit tcp host DMZ_IP any eq ident
access-list 50 permit tcp host DMZ_IP any eq 8420
access-list 50 permit tcp host DMZ_IP any eq 8000
access-list 50 permit tcp host DMZ_IP any eq 8080
access-list 50 permit tcp host DMZ_IP any eq 6667
access-list 50 permit tcp host DMZ_IP any eq aol
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside OUTSIDE_IP 255.255.255.240
ip address inside INSIDE_IP 255.255.0.0
ip address dmz DMZ_IP 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit name attack attack action alarm drop
ip audit interface outside attack
ip audit interface inside attack
ip audit info action alarm
ip audit attack action alarm
pdm location DMZ_IP 255.255.255.255 inside
pdm location COMP07 255.255.255.255 inside
pdm location COMP08 255.255.255.255 inside
pdm location DMZ_IP 255.255.255.255 dmz
pdm location PROXY2 255.255.255.255 inside
pdm location SERVER22 255.255.255.255 inside
pdm location SERVER33 255.255.255.255 inside
pdm location SERVER170 255.255.255.255 inside
pdm location COMP_7 255.255.255.255 inside
pdm location COMP_17 255.255.255.255 inside
pdm location COMP_97 255.255.255.255 inside
pdm location COMP_127 255.255.255.255 inside
pdm location COMP_01 255.255.255.255 inside
pdm location COMP_230 255.255.255.255 inside
pdm location AINTISPAM 255.255.255.255 inside
pdm location COMP_128 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) tcp OUTSIDE_IP www DMZ_IP www netmask 255.255.255.255 0 0
static (dmz,outside) tcp OUTSIDE_IP https DMZ_IP https netmask 255.255.255.255 0 0
static (inside,outside) tcp OUTSIDE_IP 63080 PROXY2 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp OUTSIDE_IP smtp AINTISPAM smtp netmask 255.255.255.255 0 0
static (inside,outside) udp OUTSIDE_IP 33728 COMP08 33728 netmask 255.255.255.255 0 0
static (inside,outside) tcp OUTSIDE_IP 11157 COMP_01 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp OUTSIDE_IP 62210 COMP_230 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp OUTSIDE_IP 33725 COMP_127 33725 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 100 in interface inside
access-group 50 in interface dmz
route outside 0.0.0.0 0.0.0.0 OUTSIDE_IP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http DMZ_IP 255.255.255.255 inside
http COMP07 255.255.255.255 inside
http COMP08 255.255.255.255 inside
http COMP_127 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp outside
telnet COMP07 255.255.255.255 inside
telnet COMP08 255.255.255.255 inside
telnet COMP_127 255.255.255.255 inside
telnet DMZ_IP 255.255.255.255 dmz
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:8750fdc2a4db52361374bb1f56db1471
: end

Posted: 11:40, 12-11-2010
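An added example, not part of the poster's config and not a Cisco tool: a small Python audit that parses PIX 6.x-style `ip address`, `access-list` and `access-group` lines and lists, per interface, the permit entries whose destination range covers a broadcast address (the limited broadcast 255.255.255.255 and the directed broadcast of each connected segment). It runs on a constructed snippet shaped like the config above, with documentation addresses (203.0.113.0/28, 10.0.0.0/16) standing in for the anonymised OUTSIDE_IP / INSIDE_IP values; a real `sh run` with actual addresses can be fed to `parse_config` instead. The check covers only the ACL layer, i.e. whether an entry such as `permit icmp any any` would admit a broadcast-destined packet at all; it says nothing about whether the PIX forwards such packets between segments, which is a separate question from the one the ACLs answer.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample shaped like the PIX 6.3 "sh run" in the post; the addresses
# (203.0.113.0/28 and 10.0.0.0/16) are documentation ranges, not the poster's
# real OUTSIDE_IP / INSIDE_IP values.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.240
ip address inside 10.0.0.1 255.255.0.0
access-list 101 permit icmp any host 203.0.113.2
access-list 101 permit tcp any host 203.0.113.2 eq www
access-list 100 permit tcp host 10.0.0.7 any
access-list 100 permit icmp any any
access-list 100 permit udp host 10.0.0.8 any eq domain
access-list 100 permit udp host 10.0.0.8 any
access-group 101 in interface outside
access-group 100 in interface inside
"""

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


@dataclass
class AclRule:
    acl: str
    action: str            # permit / deny
    proto: str             # ip, tcp, udp, icmp, gre, ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[str]   # trailing "eq www", "range 6666 6670", ... if present
    text: str              # the original config line


@dataclass
class PixConfig:
    interfaces: Dict[str, ipaddress.IPv4Interface] = field(default_factory=dict)
    acls: Dict[str, List[AclRule]] = field(default_factory=dict)
    inbound_acl: Dict[str, str] = field(default_factory=dict)  # interface -> ACL name


def _parse_addr(tokens: List[str], i: int):
    """Parse a PIX address spec ("any", "host A", or "NET MASK") at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl_line(line: str) -> AclRule:
    """access-list NAME ACTION PROTO SRC DST [port spec]"""
    t = line.split()
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    return AclRule(t[1], t[2], t[3], src, dst, " ".join(t[i:]) or None, line)


def parse_config(text: str) -> PixConfig:
    """Pick out the lines the audit needs; every other config line is ignored."""
    cfg = PixConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ip address "):
            _, _, iface, addr, mask = line.split()
            cfg.interfaces[iface] = ipaddress.IPv4Interface(f"{addr}/{mask}")
        elif line.startswith("access-list "):
            rule = parse_acl_line(line)
            cfg.acls.setdefault(rule.acl, []).append(rule)
        elif line.startswith("access-group "):
            _, acl, direction, _, iface = line.split()
            if direction == "in":
                cfg.inbound_acl[iface] = acl
    return cfg


def broadcast_targets(cfg: PixConfig) -> Dict[str, ipaddress.IPv4Address]:
    """The limited broadcast plus the directed broadcast of every connected segment."""
    targets = {"limited broadcast": LIMITED_BROADCAST}
    for name, iface in cfg.interfaces.items():
        targets[f"{name} directed broadcast"] = iface.network.broadcast_address
    return targets


def permitted_rules_to(cfg: PixConfig, iface: str, dst: ipaddress.IPv4Address) -> List[AclRule]:
    """Permit entries of the ACL applied inbound on `iface` whose destination covers `dst`.
    Every matching permit is listed; the post's ACLs hold no deny entries, so
    first-match ordering does not change the result for that config."""
    acl = cfg.inbound_acl.get(iface)
    return [r for r in cfg.acls.get(acl, []) if r.action == "permit" and dst in r.dst]


def audit_broadcast_exposure(cfg: PixConfig) -> Dict[str, Dict[str, List[str]]]:
    """interface -> broadcast target -> config lines that would permit traffic to it."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for iface in cfg.inbound_acl:
        for label, dst in broadcast_targets(cfg).items():
            hits = permitted_rules_to(cfg, iface, dst)
            if hits:
                report.setdefault(iface, {})[label] = [r.text for r in hits]
    return report


if __name__ == "__main__":
    for iface, targets in audit_broadcast_exposure(parse_config(SAMPLE_CONFIG)).items():
        print(f"inbound on {iface}:")
        for label, lines in targets.items():
            print(f"  {label}:")
            for entry in lines:
                print(f"    {entry}")
```

On the sample, the outside ACL (host-specific destinations only) yields nothing, while the inside ACL's `any` destinations cover all three broadcast targets; on the poster's own config the same pattern holds for ACL 100 and ACL 50, whose `permit icmp any any` and `permit udp host ... any` entries have unrestricted destinations.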
