I'm facing some kind of weird behaviour on a Cisco PIX 515E firewall that I don't understand. I hope someone can explain this:
I have a server on the inside interface of the firewall. I have set an access list on the outside interface to define rules for the incoming traffic towards the server.
The access-list allows certain ports from certain destinations, and at the end I placed a deny any rule.
Now the issue is that when I do a telnet <server_IP> <any port> from outside, from any source IP address, it looks as if I receive a reply from the server, even when telnetting from a denied source IP address or to a denied destination port number.
I set a capture on the inside and outside interfaces of the firewall:
When I telnet from the external client c.c.c.c towards the internal server s.s.s.s on port 98652 (or any other port number), I get the following capture output:
Please note that this traffic should be blocked by the ACL on the outside interface.
9: 09:32:24.955654 c.c.c.c.2325 > s.s.s.s.33116: S 631188379:631188379(0) win 65535 <mss 1260,nop,nop,sackOK>
10: 09:32:24.955791 s.s.s.s.33116 > c.c.c.c.2325: S 2099247554:2099247554(0) ack 631188380 win 0 <mss 1380>
11: 09:32:26.205906 c.c.c.c.2325 > s.s.s.s.33116: . ack 2099247555 win 65535
12: 09:32:31.166052 c.c.c.c.2325 > s.s.s.s.33116: P 631188380:631188381(1) ack 2099247555 win 65535
13: 09:32:37.200581 c.c.c.c.2325 > s.s.s.s.33116: P 631188380:631188381(1) ack 2099247555 win 65535
14: 09:32:49.170767 c.c.c.c.2325 > s.s.s.s.33116: P 631188380:631188381(1) ack 2099247555 win 65535
0 packet captured
0 packet shown
Although it looks as if the server is replying to the client, as indicated by line 10 on the outside interface, the inside interface doesn't show any traffic between the client and server.
Is the firewall replying on behalf of the server here? Shouldn't the packet in line 9 be blocked too? Checking the firewall logs shows only that the packets in lines 11, 12, 13 and 14 are being blocked.
Please let me know if anyone understands what's going on here and how to prevent this.
Many thanks in advance,
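The comparison the poster did by eye (a reply seen on the outside capture with no matching flow on the inside capture) can be done systematically. The following is an added example, not code from the original post: it parses the PIX `show capture` line format shown above and reports every packet sourced from the server address on the outside interface whose flow never appears on the inside capture. The sample captures are constructed from the post's output with the placeholder addresses replaced by RFC 5737 documentation addresses; the server IP, the optional NAT mapping and the function names are assumptions for the example.

```python
import re

# Constructed sample: the outside-interface capture from the post, with the
# placeholders c.c.c.c / s.s.s.s replaced by documentation addresses.
OUTSIDE_CAPTURE = """\
9: 09:32:24.955654 203.0.113.10.2325 > 192.0.2.20.33116: S 631188379:631188379(0) win 65535 <mss 1260,nop,nop,sackOK>
10: 09:32:24.955791 192.0.2.20.33116 > 203.0.113.10.2325: S 2099247554:2099247554(0) ack 631188380 win 0 <mss 1380>
11: 09:32:26.205906 203.0.113.10.2325 > 192.0.2.20.33116: . ack 2099247555 win 65535
12: 09:32:31.166052 203.0.113.10.2325 > 192.0.2.20.33116: P 631188380:631188381(1) ack 2099247555 win 65535
"""

# Constructed sample: the inside capture was empty in the post.
INSIDE_CAPTURE = """\
0 packet captured
0 packet shown
"""


def parse_capture(text):
    """Parse PIX 'show capture' TCP lines into dicts; summary lines are skipped.

    A packet line has the shape:  N: ts src.port > dst.port: FLAGS [seq] [ack N] win N ...
    """
    packets = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[3] != ">":
            continue  # "0 packet captured" and similar summary lines
        src, sport = toks[2].rsplit(".", 1)
        dst, dport = toks[4].rstrip(":").rsplit(".", 1)
        rest = toks[6:]
        win = int(rest[rest.index("win") + 1]) if "win" in rest else None
        packets.append({
            "num": int(toks[0].rstrip(":")),
            "ts": toks[1],
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "flags": toks[5],          # S, ., P, F, R as printed by the PIX
            "ack": "ack" in rest,      # an "ack N" field is present
            "win": win,
        })
    return packets


def flow_key(p, translate=None):
    """Direction-independent 5-tuple so both halves of a conversation match.

    translate maps an outside (translated) address to the inside (real) one,
    for the case where the server sits behind a static NAT; assumption for
    this example, not something the post states.
    """
    translate = translate or {}
    a = (translate.get(p["src"], p["src"]), p["sport"])
    b = (translate.get(p["dst"], p["dst"]), p["dport"])
    return tuple(sorted([a, b]))


def replies_without_inside_traffic(outside_text, inside_text, server_ip,
                                   inside_server_ip=None):
    """Outside-interface packets sourced from server_ip whose flow is never
    seen on the inside capture, i.e. replies the server cannot have sent."""
    translate = {server_ip: inside_server_ip} if inside_server_ip else {}
    inside_flows = {flow_key(p) for p in parse_capture(inside_text)}
    return [p for p in parse_capture(outside_text)
            if p["src"] == server_ip
            and flow_key(p, translate) not in inside_flows]


def describe(p):
    kind = "SYN/ACK" if p["flags"] == "S" and p["ack"] else p["flags"]
    return (f"#{p['num']} {p['ts']} {p['src']}:{p['sport']} -> "
            f"{p['dst']}:{p['dport']} {kind} win={p['win']}")


if __name__ == "__main__":
    hits = replies_without_inside_traffic(OUTSIDE_CAPTURE, INSIDE_CAPTURE, "192.0.2.20")
    for p in hits:
        print("reply on outside with no inside traffic for this flow:", describe(p))
```

Run it against the real captures (one `show capture` per interface) and any packet it reports was emitted towards the client without the server ever seeing the connection. If the server is reachable through a static translation, pass the real inside address as `inside_server_ip` so the inside flow is matched against the translated one; otherwise every reply would be flagged simply because the addresses differ between the two captures.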