[cisco-nas] As5300 crashes

Pierre Nepveu pnepveu at videotron.net
Fri Oct 31 14:13:40 EST 2003


If this may help:

We've applied pretty drastic measures. We block all incoming tcp/135 and all
icmp from modems. We also have an anti-spoofing measure. The access-list
is quite simple:
access-list 109 deny   tcp any any eq 135 log
access-list 109 deny   icmp any any log
access-list 109 permit ip <adress range for this NAS> any
access-list 109 deny   ip any any

It is applied thusly:
interface Group-Async1
 ip access-group 109 in

The 'log' instruction sends violations of the rules to a syslog server. There,
we can compile this info to detect who is infected.

Since implementing these measures, we have stopped crashes (and, since our boxes
are 5200's, they were crashing much more often than yours).

-------------------------------------------------------------------
Pierre Nepveu, CCNP                    tel: +1 514.380-4289 
Network Administrator                       +1 888.INFOVTL x 4289
Engineering / Internet Access          fax: +1 514 899-8452
Videotron Telecom Ltee (VTL) - Montreal (Quebec), Canada
-------------------------------------------------------------------


On 2003-10-31 at 10:51, John Lord wrote:

JL> Is anyone still having problems with worms crashing their NASs? I have
JL> an AS5300 that is still locking up every couple of weeks. I've added no ip
JL> route-cache and ip cef to it, but if I don't watch my network and kill
JL> off infected users it will lock up every day. Is there a fix or
JL> something I need to add to my config? Here is my config below.
JL> 
JL> As5300-Oc#sh conf
JL> Using 4638 out of 124920 bytes
JL> !
JL> version 12.2
JL> service timestamps debug datetime msec localtime show-timezone
JL> service timestamps log datetime msec localtime show-timezone
JL> service password-encryption
JL> !
JL> hostname As5300-Oc
JL> !
JL> boot system flash:c5300-i-mz.122-15.T1.bin
JL> logging queue-limit 100
JL> logging buffered 10000 debugging
JL> no logging console
JL> enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
JL> !
JL> username xxxxx password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
JL> spe 1/0 1/7
JL>  firmware location bootflash:mica-modem-pw.2.9.4.0.bin
JL> spe 2/0 2/7
JL>  firmware location bootflash:mica-modem-pw.2.9.4.0.bin
JL> !
JL> !
JL> resource-pool disable
JL> !
JL> modem link-info poll time 10
JL> aaa new-model
JL> !
JL> !
JL> aaa authentication login default local group radius
JL> aaa authentication login consoleport none
JL> aaa authentication ppp default if-needed group radius
JL> aaa authorization network default group radius 
JL> aaa accounting delay-start 
JL> aaa accounting update periodic 5
JL> aaa accounting exec default start-stop group radius
JL> aaa accounting network default start-stop group radius
JL> aaa session-id common
JL> ip subnet-zero
JL> 
JL> ip cef
JL> ip finger
JL> ip name-server 65.xxx.xxx.xxx
JL> !
JL> async-bootp dns-server 65.xxx.xxx.xxx 65.xxx.xxx.xxx
JL> !
JL> isdn switch-type primary-dms100
JL> isdn voice-call-failure 0
JL> modemcap entry mica-nokflex:MSC=&F&D2S54=16584S0=0S29=12S21=15S62=8S63=3S34=18000S40=10S10=50
JL> !
JL> !
JL> controller T1 0
JL>  framing esf
JL>  clock source line primary
JL>  linecode b8zs
JL>  pri-group timeslots 1-24 nfas_d primary nfas_int 0 nfas_group 0
JL> !         
JL> controller T1 1
JL>  framing esf
JL>  clock source line secondary 1
JL>  linecode b8zs
JL>  pri-group timeslots 1-24 nfas_d backup nfas_int 1 nfas_group 0
JL> !
JL> controller T1 2
JL>  framing esf
JL>  linecode b8zs
JL>  pri-group timeslots 1-24
JL> !
JL> controller T1 3
JL>  framing esf
JL>  linecode b8zs
JL>  pri-group timeslots 1-24
JL> !
JL> controller T1 4
JL>  shutdown
JL>  framing sf
JL>  linecode ami
JL> !
JL> controller T1 5
JL>  shutdown
JL>  framing sf
JL>  linecode ami
JL> !
JL> controller T1 6
JL>  shutdown
JL>  framing sf
JL>  linecode ami
JL> !
JL> controller T1 7
JL>  shutdown
JL>  framing sf
JL>  linecode ami
JL> !
JL> !
JL> interface Loopback0
JL>  ip address 65.xxx.xxx.xxx 255.255.255.128
JL> !
JL> interface Serial0:23
JL>  ip unnumbered Loopback0
JL>  encapsulation ppp
JL>  no ip route-cache
JL>  dialer-group 1
JL>  isdn switch-type primary-dms100
JL>  isdn incoming-voice modem
JL>  peer default ip address pool setup_pool
JL>  fair-queue 64 256 0
JL>  ppp authentication pap
JL>  ppp multilink
JL> !
JL> interface Serial2:23
JL>  ip unnumbered Loopback0
JL>  encapsulation ppp
JL>  no ip route-cache
JL>  dialer-group 1
JL>  isdn switch-type primary-dms100
JL>  isdn incoming-voice modem
JL>  peer default ip address pool setup_pool
JL>  fair-queue 64 256 0
JL>  ppp authentication pap
JL>  ppp multilink
JL> !
JL> interface Serial3:23
JL>  ip unnumbered Loopback0
JL>  encapsulation ppp
JL>  no ip route-cache
JL>  dialer-group 1
JL>  isdn switch-type primary-dms100
JL>  isdn incoming-voice modem
JL>  peer default ip address pool setup_pool
JL>  fair-queue 64 256 0
JL>  ppp authentication pap
JL>  ppp multilink
JL> !
JL> interface FastEthernet0
JL>  ip address 65.xxx.xxx.xxx 255.255.255.0
JL>  no ip unreachables
JL>  duplex full
JL>  speed 100
JL>  no cdp enable
JL> !
JL> interface Group-Async1
JL>  ip unnumbered Loopback0
JL>  no ip unreachables
JL>  encapsulation ppp
JL>  ip tcp header-compression
JL>  async mode interactive
JL>  peer default ip address pool setup_pool
JL>  no keepalive
JL>  ppp authentication pap
JL>  group-range 1 192
JL> !
JL> ip local pool setup_pool 65.xxx.xxx.xxx 65.xxx.xxx.xxx
JL> ip classless
JL> ip route 0.0.0.0 0.0.0.0 65.xxx.xxx.xxx
JL> no ip http server
JL> !
JL> !
JL> !
JL> !
JL> access-list 101 permit ip any any
JL> access-list 110 permit tcp any any established
JL> access-list 110 deny   icmp any any echo log
JL> access-list 110 deny   icmp any any echo-reply log
JL> access-list 110 permit ip any any
JL> dialer-list 1 protocol ip permit
JL> snmp-server engineID local 000000090200003080BD40CA
JL> snmp-server community xxxxxx RO
JL> snmp-server enable traps tty
JL> radius-server host 65.xxx.xxx.xxx auth-port 1812 acct-port 1813 non-standard
JL> radius-server key 7 xxxxxxxxxx
JL> radius-server authorization permit missing Service-Type
JL> !
JL> line con 0
JL>  exec-timeout 0 0
JL>  logging synchronous
JL> line 1 192
JL>  no flush-at-activation
JL>  modem Dialin
JL>  modem autoconfigure type mica-nokflex
JL>  autocommand  ppp
JL>  autoselect during-login
JL>  autoselect ppp
JL> line aux 0
JL> line vty 0 4
JL>  exec-timeout 0 0
JL>  password 7 xxxxxxxxxxxxx
JL> !
JL> scheduler interval 1000
JL> end
JL> 
JL> John Lord
JL> It Manager
JL> AllTurbo Internet Services Inc
JL> 410-213-9388 Office
JL> www.allturbo.com
JL> 
JL> 
JL> _______________________________________________
JL> cisco-nas mailing list
JL> cisco-nas at puck.nether.net
JL> https://puck.nether.net/mailman/listinfo/cisco-nas
JL> 
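The "compile this info to detect who is infected" step from Pierre's reply, as an added example that is not part of either post: a small Python script that parses the syslog lines an IOS ACL with the 'log' keyword produces (%SEC-6-IPACCESSLOGP for tcp/udp, %SEC-6-IPACCESSLOGDP for icmp), totals denied packets per dial-up source, flags sources that hit the tcp/135 rule above a threshold, and separately lists sources outside the NAS address pool (which the anti-spoofing line would otherwise drop silently, since it carries no 'log'). The sample syslog lines, the 192.0.2.0/24 pool and the threshold are constructed for the example; on a real server you would feed it the syslog file and the pool configured on that NAS.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the format IOS emits for ACL entries
# carrying the 'log' keyword. The first hit on a rule is logged at once; later
# hits are summarized every five minutes ("143 packets").
SAMPLE_SYSLOG = """\
Oct 31 13:02:11 nas1 1234: Oct 31 13:02:10.512 EST: %SEC-6-IPACCESSLOGP: list 109 denied tcp 192.0.2.17(1048) -> 198.51.100.5(135), 1 packet
Oct 31 13:02:14 nas1 1235: Oct 31 13:02:13.101 EST: %SEC-6-IPACCESSLOGP: list 109 denied tcp 192.0.2.17(1049) -> 198.51.100.6(135), 1 packet
Oct 31 13:02:20 nas1 1236: Oct 31 13:02:19.770 EST: %SEC-6-IPACCESSLOGDP: list 109 denied icmp 192.0.2.17 -> 198.51.100.7 (8/0), 1 packet
Oct 31 13:03:01 nas1 1237: Oct 31 13:03:00.005 EST: %SEC-6-IPACCESSLOGP: list 109 denied tcp 192.0.2.40(3301) -> 198.51.100.9(135), 1 packet
Oct 31 13:07:11 nas1 1238: Oct 31 13:07:10.512 EST: %SEC-6-IPACCESSLOGP: list 109 denied tcp 192.0.2.17(1050) -> 198.51.100.8(135), 143 packets
Oct 31 13:07:30 nas1 1239: Oct 31 13:07:29.200 EST: %SEC-6-IPACCESSLOGP: list 109 denied tcp 203.0.113.9(2000) -> 198.51.100.8(135), 1 packet
"""

# Constructed: the address pool handed out by this NAS (the <address range>
# in the permit line of access-list 109).
NAS_POOL = ipaddress.ip_network("192.0.2.0/24")

# tcp/udp lines carry (port) after each address; icmp lines carry (type/code)
# after the destination instead.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP): list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\)| \((?P<type>\d+)/(?P<code>\d+)\))?, "
    r"(?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Yield one dict per ACL-deny syslog line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            event = m.groupdict()
            event["count"] = int(event["count"])
            yield event


def summarize(text, nas_pool):
    """Total denied packets per source and per protocol/port (or icmp type).

    Sources outside the NAS pool are reported separately as spoofed rather
    than counted as dial-up users.
    """
    per_src = defaultdict(Counter)
    spoofed = Counter()
    for ev in parse_acl_log(text):
        if ipaddress.ip_address(ev["src"]) not in nas_pool:
            spoofed[ev["src"]] += ev["count"]
            continue
        if ev["dport"]:
            key = f"{ev['proto']}/{ev['dport']}"
        else:
            key = f"{ev['proto']}/type{ev['type']}"
        per_src[ev["src"]][key] += ev["count"]
    return {
        "suspects": {src: dict(c) for src, c in per_src.items()},
        "spoofed": dict(spoofed),
    }


def infected_hosts(report, threshold=10):
    """Sources whose denied tcp/135 packet total reaches the threshold."""
    return sorted(
        src for src, counts in report["suspects"].items()
        if counts.get("tcp/135", 0) >= threshold
    )


if __name__ == "__main__":
    report = summarize(SAMPLE_SYSLOG, NAS_POOL)
    for src, counts in sorted(report["suspects"].items()):
        print(src, counts)
    print("likely infected:", infected_hosts(report))
    print("spoofed sources:", report["spoofed"])
```

The threshold matters because a single denied tcp/135 packet can be a stray connection attempt, whereas the five-minute summary counts from a worm-scanning host climb into the hundreds; the summarized counts are the ones worth acting on, and the per-source totals map back to a user through the RADIUS accounting records for that pool address.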
