Pix gives the impression that a port is open when it is not

Answered Question
May 14th, 2009
User Badges:

Hi to all,


I have this scenario, I have a pix firewall and in one DMZ i have my servers, i have allowed only the https access to one of them from the outside interface but if i make a telnet to the server for any port the firewall gives the impression that it is open.


For example if from an MS-DOS command line i try a telnet to the server to the port 1200 wich is not allowed by the firewall and is also closed in the server the MS-DOS window gets "black" wich means that the port is open but as soon as i press a key the MS-DOS window gets closed so it means that the connection was not stablished wich is correct but it gave the impresion that it was stablished.


Do you have any ideas about what could be causing this?


Thanks in advance.

This is normal - the pix will just "drop" the packets silently, without sending a "reset" to the remote end indicating there was any kind of connection - basically the firewall is giving the impression of a blackhole.


If you change the TCP settings, to send a reset back - you are announcing there is something there, not allways the best approach.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Loading.
Correct Answer

This is normal - the pix will just "drop" the packets silently, without sending a "reset" to the remote end indicating there was any kind of connection - basically the firewall is giving the impression of a blackhole.


If you change the TCP settings, to send a reset back - you are announcing there is something there, not allways the best approach.

alfonso.cornejo Fri, 05/15/2009 - 07:45
User Badges:

Hi Andrew,


Thank you very much for clearing this!...just for general knowledge how can I change that TCP settings??


Thanks in advance.


Best Regards,

Sure no - OK the config you need is:-


service resetinbound


" Causes the security appliance to send TCP resets for all TCP sessions that arrive at the interface, are attempting to transit the security appliance, and are denied by the security appliance based on access lists. When this option is not selected, the security appliance silently discards the packets of all such sessions"



service resetoutside


" Causes the security appliance to send TCP resets for all TCP sessions that arrive at the least secure interface, terminate at the least secure interface, and are denied by the security appliance based on access lists. When this option is not selected, the security appliance silently discards the packets of all such sessions"


HTH>

alfonso.cornejo Mon, 06/01/2009 - 11:59
User Badges:

Hi Andrew,


Do you know a cisco document that confirm this??


The security department is asking me for an evidence from cisco.


Thanks in advance for your help.


Best Regards,

alfonso.cornejo Fri, 08/28/2009 - 22:17
User Badges:

Hi Andrew,


Just today i had the opportunity to try the commands service resetinbound and service resetoutside on my pix but there is still the situation, i mean i'm still getting the "black" screen on my MS-DOS window wich gives the impresion that the port that i'm telnet to is open when it is not.


Do you have any idea what else could be causing this??


Thanks in advance

alfonso.cornejo Sat, 08/29/2009 - 14:04
User Badges:

Hi Andrew,


I read the document again and it seems that the commands that i have to configure are:


service resetoutside

service resetinbound interface dmz

service resetinbound interface outside


But i'm still getting the same situation, do you think this may be a bug issue or anything else?


The traffic is comming from the outside interface to a DMZ.


Thanks in advance for your help.

alfonso.cornejo Sun, 08/30/2009 - 09:25
User Badges:

The situation is this: i have two servers published to the internet using my pix (with a static nat) and with an access-list i have allowed access to them only to the http and smtp port but when you make a telnet lets say to the port 1024 wich is not allowed on your MS-DOS window you get a "black screen" that gives you the impresion that the port is open but it is not, actually i see the denied packets on the monitoring of the pix.


I know that the pix is blocking that traffic, wich is correct, but that impresion of the port open is causing me problems with the information security department, because they say that the "see" that i have all the ports open but they are not.


That's why i put those commands, to send the tcp reset and get the normal message when you make a telnet to an ip address to a port that is blocked.

jan.nielsen Sun, 08/30/2009 - 14:37
User Badges:
  • Gold, 750 points or more

I'm sorry, but your security department are way off, getting a black screen in dos does not mean anything, use a port scanner, or some other tool like nmap to test with. Also, if you care about security you don't want to send tcp resets when you are blocking something, this will tell the scanner that the port is actively being blocked ie. that there is a firewall or router acl.

alfonso.cornejo Mon, 08/31/2009 - 06:16
User Badges:

Hi, i just did a test with nmap and the report of the scan says that "all" the ports are open (from 1 to 65535) but in the monitoring of my pix i see all the "denies" of the huge amount of ports that are blocked.


what do you think could be causing this condition?


Thanks in advance.

alfonso.cornejo Tue, 09/01/2009 - 07:21
User Badges:

Hi,


I know this sounds like not possible, but i did the same port scanning with nmap to two different hosts in different networks and my host showed all the ports open but i saw all the traffic blocked on the monitoring of the pix, and in the other host that is on a different network it showed only 3 ports open and those ports are the ones that are allowed.


That's why i'm thinking that this maybe could be a Pix version problem, my pix has 7.2(2) version.


Any other ideas???


Thanks in advance.

Hold on - you state "nmap to two different hosts in different networks and my host showed all the ports open" and "and in the other host that is on a different network it showed only 3 ports open and those ports are the ones that are allowed"


This indicates to me, that you first host is allowed ALL access, and something is not correct.


I do not see this as a version issue - more with your topology and configuration.


I have 6 devices running 7.2(2) and have performed nmap scans from outside and various other network positions - and the testing outcome was as expected.

alfonso.cornejo Tue, 09/01/2009 - 07:37
User Badges:

Maybe i wrote it in a cofusing way, what i wanted to say is that i performed the nmap test to the host in my network with the result of all ports open (but i saw the traffic being denied to not allowed ports by the pix) and the other host was a mail server that in on a completely different network infrastructure.


My topology is simple, just and internet link on the outside interface and my servers on a DMZ, a static nat from DMZ to outside and an access-list allowing just the ports that i want to.


what confuses me is the fact that i see the traffic being denied by the pix, but the port scanning is showing me all the ports open.


I'm doing a regular scan with Nmap 5.00

Actions

This Discussion