Packet passing deny rule on PIX ??

cco
Level 1

Hi,

I'm facing a kind of weird behaviour on a Cisco PIX 515E firewall that I don't understand. I hope someone can explain this:

I have a server on the inside interface of the firewall. I have set an access list on the outside interface to define rules for the incoming traffic towards the server.

The access-list allows certain ports from certain destinations, and at the end I placed a deny any rule.

Now the issue is that when I do a telnet <server_IP> <any port> from outside, from any source IP address, it looks as if I receive a reply from the server, although I am telnetting from a denied source IP address or destination port number.

I set a capture on the inside and outside interfaces of the firewall:

When I telnet from the external client c.c.c.c towards the internal server s.s.s.s on port 98652 (or any other port number), I get the following capture output:

Please note that this traffic should be blocked by the ACL on the outside interface.

Outside interface:

9: 09:32:24.955654 c.c.c.c.2325 > s.s.s.s.33116: S 631188379:631188379(0) win 65535 <mss 1260,nop,nop,sackOK>

10: 09:32:24.955791 s.s.s.s.33116 > c.c.c.c.2325: S 2099247554:2099247554(0) ack 631188380 win 0 <mss 1380>

11: 09:32:26.205906 c.c.c.c.2325 > s.s.s.s.33116: . ack 2099247555 win 65535

12: 09:32:31.166052 c.c.c.c.2325 > s.s.s.s.33116: P 631188380:631188381(1) ack 2099247555 win 65535

13: 09:32:37.200581 c.c.c.c.2325 > s.s.s.s.33116: P 631188380:631188381(1) ack 2099247555 win 65535

14: 09:32:49.170767 c.c.c.c.2325 > s.s.s.s.33116: P 631188380:631188381(1) ack 2099247555 win 65535

Inside interface:

0 packet captured

0 packet shown

Although it looks like the server is replying to the client, as indicated by line 10 on the outside interface, the inside interface doesn't show any traffic between the client and server.

Is the firewall replying on behalf of the server here? Shouldn't the packet in line 9 be blocked too? Checking the firewall logs shows only that the packets in lines 11, 12, 13 and 14 are being blocked.

Please let me know if anyone understands what's going on here and how to prevent this.

Many thanks in advance,

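As an added illustration (not part of the original thread), the check below correlates the two captures quoted above: it parses the PIX capture lines and flags any SYN/ACK seen on the outside whose flow never appears on the inside capture, which is exactly the mismatch the post describes. The line shape assumed is the one in the post; the function and field names are my own.

```python
import re

# Line shape of the PIX "show capture" output quoted above (assumption: lines of
# any other shape, e.g. "0 packet shown", are skipped by the parser).
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SPFR.]+)\s*(?P<rest>.*)$"
)

def parse_capture(text):
    """Parse PIX capture lines into dicts; non-packet lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["num"] = int(p["num"])
        # "ack <n>" only appears in the rest of the line when the ACK flag is set
        p["ack"] = re.search(r"\back \d+", p["rest"]) is not None
        win = re.search(r"\bwin (\d+)", p["rest"])
        p["win"] = int(win.group(1)) if win else None
        pkts.append(p)
    return pkts

def flow_key(p):
    """Direction-independent 4-tuple so both halves of a flow match."""
    return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])

def find_unseen_inside_synacks(outside_text, inside_text):
    """SYN/ACKs on the outside capture whose flow never shows up inside."""
    inside_flows = {flow_key(p) for p in parse_capture(inside_text)}
    findings = []
    for p in parse_capture(outside_text):
        if "S" in p["flags"] and p["ack"] and flow_key(p) not in inside_flows:
            findings.append({"num": p["num"], "from": f"{p['src']}:{p['sport']}",
                             "to": f"{p['dst']}:{p['dport']}", "win": p["win"]})
    return findings

# Sample input: the captures from the post above (the inside capture was empty).
OUTSIDE = """\
9: 09:32:24.955654 c.c.c.c.2325 > s.s.s.s.33116: S 631188379:631188379(0) win 65535 <mss 1260,nop,nop,sackOK>
10: 09:32:24.955791 s.s.s.s.33116 > c.c.c.c.2325: S 2099247554:2099247554(0) ack 631188380 win 0 <mss 1380>
11: 09:32:26.205906 c.c.c.c.2325 > s.s.s.s.33116: . ack 2099247555 win 65535
"""
INSIDE = "0 packet captured\n0 packet shown\n"

if __name__ == "__main__":
    for f in find_unseen_inside_synacks(OUTSIDE, INSIDE):
        print(f"packet {f['num']}: SYN/ACK {f['from']} -> {f['to']} "
              f"(win {f['win']}) with no matching inside traffic")
```

A zero window on a SYN/ACK that the inside capture never saw is the indicator worth logging; the check says nothing about which component produced it.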
6 Replies

cco
Level 1

Sorry, the telnet is on port 33116, not 98652 as indicated in my previous post.

Thanks

Can you clear your ACL counters and then run your telnet test again and post the output of "show access-list"? If you do that, be sure to point out which server/IP you are seeing this behaviour with.

Hi,

I think posting the output of the "show access-list" command is going to be somewhat hard, as it includes around 700 lines. But please let me know if some more specific information may be useful for you or if you are suspecting a particular issue.

Thanks,

Hi Adel

Assuming that you have NAT enabled, telnet will not work from outside. You should connect to the one-to-one NATed or PATed IP at the outside interface to access the inside server.

Please attach your running config and let me suggest the necessary changes.

Regards

Hi,

Well yes, of course. I telnet the public IP address of the server, which in turn is statically NATed on the firewall, and this works fine. I really can't post the whole configuration as it includes a huge number of access list lines (which also include private information). But in case you need specific config information, please let me know.

Thanks,

I couldn't understand the nature of the problem in the first post. Would you explain, please?