05-14-2009 02:57 PM - edited 03-11-2019 08:32 AM
Hi to all,
I have this scenario: I have a PIX firewall and in one DMZ I have my servers. I have allowed only HTTPS access to one of them from the outside interface, but if I telnet to the server on any port, the firewall gives the impression that it is open.
For example, if from an MS-DOS command line I try a telnet to the server on port 1200, which is not allowed by the firewall and is also closed on the server, the MS-DOS window goes "black", which means that the port is open, but as soon as I press a key the MS-DOS window closes, so it means that the connection was not established, which is correct, but it gave the impression that it was established.
Do you have any ideas about what could be causing this?
Thanks in advance.
05-15-2009 01:54 AM
This is normal: the PIX will just "drop" the packets silently, without sending a "reset" to the remote end indicating there was any kind of connection; basically the firewall is giving the impression of a black hole.
If you change the TCP settings to send a reset back, you are announcing there is something there, not always the best approach.
05-15-2009 07:45 AM
Hi Andrew,
Thank you very much for clearing this up! Just for general knowledge, how can I change those TCP settings?
Thanks in advance.
Best Regards,
05-15-2009 07:49 AM
Sure, no problem - OK, the config you need is:
service resetinbound
"Causes the security appliance to send TCP resets for all TCP sessions that arrive at the interface, are attempting to transit the security appliance, and are denied by the security appliance based on access lists. When this option is not selected, the security appliance silently discards the packets of all such sessions."
service resetoutside
"Causes the security appliance to send TCP resets for all TCP sessions that arrive at the least secure interface, terminate at the least secure interface, and are denied by the security appliance based on access lists. When this option is not selected, the security appliance silently discards the packets of all such sessions."
HTH
05-15-2009 08:02 AM
Thanks a lot Andrew!
05-15-2009 08:05 AM
np - glad to help.
06-01-2009 11:59 AM
Hi Andrew,
Do you know of a Cisco document that confirms this?
The security department is asking me for evidence from Cisco.
Thanks in advance for your help.
Best Regards,
06-01-2009 01:33 PM
Alfonso,
What device (PIX/ASA) do you have and what version of software are you running (6.x, 7.x or 8.x)?
06-01-2009 02:13 PM
Hi Andrew,
PIX 7.2
Thanks
06-02-2009 07:30 AM
Alfonso,
See the URL below for the version of PIX IOS you are using:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1290652
HTH
06-02-2009 07:03 PM
Thank you very much again Andrew!
Best regards,
06-03-2009 12:38 AM
np - glad to help.
08-28-2009 10:17 PM
Hi Andrew,
Just today I had the opportunity to try the commands service resetinbound and service resetoutside on my PIX, but the situation persists: I'm still getting the "black" screen in my MS-DOS window, which gives the impression that the port I'm telnetting to is open when it is not.
Do you have any idea what else could be causing this?
Thanks in advance
08-28-2009 10:54 PM
08-29-2009 02:04 PM
Hi Andrew,
I read the document again and it seems that the commands I have to configure are:
service resetoutside
service resetinbound interface dmz
service resetinbound interface outside
But I'm still getting the same situation. Do you think this may be a bug issue or anything else?
The traffic is coming from the outside interface to a DMZ.
Thanks in advance for your help.