G+_Eddie Foy Posted January 4, 2015
Fr. Ballecer, and all. On a Cisco 2960 switch, how do I set up a SPAN so I can monitor all internet traffic with Wireshark? I have it set:
Gi1/0/1 BOTH (goes to router)
Gi1/0/23 Destination (Wireshark machine, also not getting a DHCP lease)
(Going the other way wasn't good; it knocked everything off the internet.)
TIA
G+_Luke Militello Posted January 4, 2015
The below will mirror all traffic from Gi1/0/1 to Gi1/0/23.
conf t
int gi1/0/23
port mon gi1/0/1
exit
exit
It should be noted that the device connected to Gi1/0/23 does not need to have an IP address, because Wireshark listens in promiscuous mode.
G+_Eddie Foy Posted January 4, 2015 (Author)
Thanks! Forgot that prom mode aspect. Will pop the WS machine on the LAN via wifi (ugh! it's a Linux netbook) to play with WS live. (Syntax on numerous rarely used systems/languages is a bear. Takes a little while and a cheat sheet to shift gears.)
G+_Eddie Foy Posted January 4, 2015 (Author)
Luke, that prom mode was it. WS is working as I configured it. (Was using the GUI app.) But since you seem to know your stuff, will a 2851 router with Sec Bundle do typical consumer firewall features? Typical port forwarding. Even better, can an ext port be translated to a different int port? Just a yes/no is good, I'll RTFM; I just hate searching for hours to find out NO. (Waiting for my Itus Kickstarter to get in.)
G+_Luke Militello Posted January 4, 2015
Yes, it won't do DPI (like the Itus via Snort), but you can use reflexive ACLs that will allow returning packets for a connection that was opened from the inside. For these, you can set the inactive timeout (typically 300 seconds), which will then close the "hole" that was punched through for that specific host for that specific connection. Amongst other things, you can explicitly drop stuff you don't want or open a port for a legit service you have running on the inside.
For the setup to work, you'll need a few things:
1) a NAT pool for the address space you want to permit outside access to,
2) a route-map referenced in the NAT pool for the aforementioned permitted addresses,
3) a standard ACL that contains the permitted addresses that the route-map references,
4) static NAT entries for any ports you want to have exposed to the outside, and
5) an extended ACL on the world-facing interface that does your firewall and filtering (which would contain the rules to allow the static NAT port forwards as well).
It should be noted that for services like Xbox Live, you don't need to forward ports with static NAT entries because the reflexive ACL lines contained within the extended ACL handle this -- a crude comparison, kind of like UPnP in the ACL.
I should also mention you should use named ACLs, because these can be modified on the fly via a sequence number for each line, versus the old method where you had to delete and recreate the entire ACL just to make a simple rule change.
I gave you all the key terminology that you'll want to Google for. There are several Cisco PDFs that walk through this step-by-step. If you are having trouble finding them, let me know and I'll hunt them down and post some links for you or script up some examples.
Hope this helps!
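Added illustration (not from any post in this thread) wiring the five pieces above together on an ISR router: the interface names, the 192.168.10.0/24 LAN, the 203.0.113.10 WAN address, the ACL and route-map names, and the one port forward (outside tcp/443 translated to inside tcp/8443) are all assumed values.

```cisco
! 3) standard ACL: which inside addresses may be translated (assumed LAN)
ip access-list standard INSIDE-NETS
 permit 192.168.10.0 0.0.0.255
!
! 2) route-map that references the standard ACL
route-map NAT-INSIDE permit 10
 match ip address INSIDE-NETS
!
! 1) NAT pool (assumed single WAN address) driven by the route-map, PAT overload
ip nat pool WAN-POOL 203.0.113.10 203.0.113.10 netmask 255.255.255.0
ip nat inside source route-map NAT-INSIDE pool WAN-POOL overload
!
! 4) static NAT port forward: outside tcp/443 -> inside host tcp/8443 (port translated)
ip nat inside source static tcp 192.168.10.20 8443 203.0.113.10 443 extendable
!
! reflexive entries expire after 300 s of inactivity, closing the punched hole
ip reflexive-list timeout 300
!
! outbound on the WAN side: record each session in the reflexive list RETURN-TRAFFIC
ip access-list extended OUTBOUND
 10 permit tcp any any reflect RETURN-TRAFFIC
 20 permit udp any any reflect RETURN-TRAFFIC
 30 permit icmp any any reflect RETURN-TRAFFIC
 40 deny ip any any
!
! 5) inbound on the WAN side: the port forward, then only reflexive return traffic
!    (named + sequenced, so a line can be inserted later, e.g. "15 permit ...")
ip access-list extended INBOUND
 10 permit tcp any host 203.0.113.10 eq 443
 20 evaluate RETURN-TRAFFIC
 30 deny ip any any log
!
interface GigabitEthernet0/0
 description WAN (assumed world-facing interface)
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!
interface GigabitEthernet0/1
 description LAN (assumed inside interface)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
```

Note that the outbound ACL sits on the WAN interface, so it sees addresses after translation; that is why the reflect lines match `any any` rather than the private LAN range, and why the inbound port-forward line matches the public address, which is what an arriving packet carries before NAT is undone.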
G+_Eddie Foy Posted January 6, 2015 (Author)
Cool! Thanks man, REALLY appreciate it! Once I'm done installing this welding robot, gonna play with the 2851 more (and the oclHashcat machine is running until Sunday-ish :) ) and sharpen up the IOS skills/knowledge. I have a handful of ports to open to the internet for incoming connections. DPI isn't wanted at this point (and probably a bear in IOS anyway).