How Do I Send an ACK?

Jan 7th, 2003

One of the ISPs I connect to for POP3 mail sends an ACK request from a server with a different IP address than the POP3 server's each time I log on to check email. This causes timeout problems because my PIX doesn't respond. The PIX log entries read, "Deny TCP (no connection) from x.x.x.x/80 to x.x.x.x/1982 flags ACK on interface outside".


I've figured out that the "service resetoutside" command eliminates the timeout problem, but it also makes my system non-stealthy when port scanned. Is there a way I can establish a rule that will cause the PIX to respond to ACK requests from only certain IP addresses?


Thanks for your help,


Steve W.
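A way to triage the log lines Steve quotes, as an added example that is not code from this thread or from Cisco: it parses the PIX "Deny TCP (no connection)" message (syslog ID 106015, the text quoted above) and lists which sources are sending bare ACKs that the PIX had no connection for, excluding the server the client actually talks to. Since the PIX cannot scope `service resetoutside` to particular hosts, the practical next step is to document which host is doing this and take that to the ISP. The regular expression, function names and sample lines are my own; the sample addresses are constructed from RFC 5737 documentation ranges.

```python
"""Triage PIX 'Deny TCP (no connection)' log lines.

Added example, not from the original thread. Parses the syslog text quoted in
the question (PIX message 106015) and separates unsolicited bare-ACK segments
by source, so you can see which hosts besides the POP3 server send them.
All sample log lines below are constructed for this example.
"""
import re
from collections import Counter

# Matches the message body quoted in the post. Any syslog timestamp/hostname
# and the "%PIX-6-106015:" tag in front of it are simply skipped by search().
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<src_port>\d+) to "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<dst_port>\d+) "
    r"flags (?P<flags>[A-Z]+(?: [A-Z]+)*) on interface (?P<iface>\S+)"
)


def parse_deny(line):
    """Return a dict of fields for a 106015 line, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    rec["flags"] = frozenset(rec["flags"].split())  # e.g. {"FIN", "ACK"}
    return rec


def deny_summary(lines):
    """Count denied segments per (source endpoint, flag set, interface)."""
    counts = Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec:
            key = (f"{rec['src_ip']}/{rec['src_port']}",
                   " ".join(sorted(rec["flags"])), rec["iface"])
            counts[key] += 1
    return counts


def unsolicited_ack_sources(lines, expected_servers, iface="outside"):
    """Sources on `iface` that sent bare ACKs (no SYN/FIN/RST) for which the
    PIX had no connection, excluding endpoints the client really talks to.

    expected_servers: set of "ip/port" strings, e.g. the POP3 server on 110.
    Returns a sorted list of "ip/port" source endpoints.
    """
    hits = set()
    for line in lines:
        rec = parse_deny(line)
        if rec is None or rec["iface"] != iface:
            continue
        src = f"{rec['src_ip']}/{rec['src_port']}"
        if rec["flags"] == {"ACK"} and src not in expected_servers:
            hits.add(src)
    return sorted(hits)


# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
# 198.51.100.10/110 plays the POP3 server; 198.51.100.25/80 is the "other"
# ISP host from the question; the rest are noise the triage must ignore.
SAMPLE_LOGS = [
    "%PIX-6-106015: Deny TCP (no connection) from 198.51.100.25/80 to 203.0.113.7/1982 flags ACK on interface outside",
    "%PIX-6-106015: Deny TCP (no connection) from 198.51.100.25/80 to 203.0.113.7/1983 flags ACK on interface outside",
    "%PIX-6-106015: Deny TCP (no connection) from 198.51.100.10/110 to 203.0.113.7/1984 flags ACK on interface outside",
    "%PIX-6-106015: Deny TCP (no connection) from 192.0.2.77/6000 to 203.0.113.7/22 flags SYN ACK on interface outside",
    "%PIX-6-106015: Deny TCP (no connection) from 192.0.2.9/443 to 10.0.0.5/2001 flags ACK on interface inside",
    "Jan  7 16:04:01 pixfw %PIX-6-999999: unrelated message (constructed filler, not a real message ID)",
]

if __name__ == "__main__":
    for (src, flags, iface), n in sorted(deny_summary(SAMPLE_LOGS).items()):
        print(f"{src:22} flags={flags:8} iface={iface:8} denied={n}")
    pop3_server = {"198.51.100.10/110"}
    print("bare ACKs from hosts other than the POP3 server:",
          unsolicited_ack_sources(SAMPLE_LOGS, pop3_server))
```

Feed it the PIX syslog (for example `python triage.py < pix.log` after swapping `SAMPLE_LOGS` for `sys.stdin`) and the last line names the host(s) to raise with the ISP. Bare ACKs from the POP3 server itself are usually late segments arriving after the PIX has torn down the connection and are not the problem described above, which is why the known server is excluded.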


gfullage (Cisco Employee) Tue, 01/07/2003 - 16:04

No, you can't do this on the PIX. The "service resetoutside" will make it respond to all connection requests, no way to minimise it.


I would talk to your ISP and ask why on earth they're doing that, because it seems to be violating protocol specifications and any firewall worth its weight would drop that packet.

b-pelphrey Wed, 01/08/2003 - 06:13

I would have to agree with the above. Your scenario seems to be very questionable. I am wondering just how they are responding to your initial SYN with an ACK from another machine, one that is NOT the machine you sent the initial request to? Interesting.


Also, have you gone to:


http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/syslog/pixemapa.htm


I think I remember seeing something on this. Insert your error code and go from there.


Hope this helps.
