How Do I Send an ACK?

stwilliams
Level 1

One of the ISPs I connect to for POP3 mail sends an ACK request from a server with a different IP address than the POP3 server's each time I log on to check email. This causes timeout problems because my PIX doesn't respond. The PIX log entries read, "Deny TCP (no connection) from x.x.x.x/80 to x.x.x.x/1982 flags ACK on interface outside".

I've figured out that the "service resetoutside" command eliminates the timeout problem, but it also makes my system non-stealthy when port scanned. Is there a way I can establish a rule that will cause the PIX to respond to ACK requests from only certain IP addresses?

Thanks for your help,

Steve W.
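Before widening what the PIX answers with "service resetoutside", it is worth confirming from the syslog which hosts are actually producing the out-of-state ACKs and whether they are the mail provider at all. The following is an added example, not code from the thread or from Cisco: it parses lines in the "Deny TCP (no connection) ... flags ACK on interface outside" format quoted in the question, counts ACK-only segments per source, and lists sources that are not among the servers you knowingly talk to. The sample log lines and all IP addresses are constructed; the "%PIX-6-106015" prefix is the PIX message ID for this text as I know it from the syslog reference, and the parser ignores whatever prefix precedes the message body.

```python
import re
from collections import Counter

# Matches the body of the PIX "Deny TCP (no connection)" message quoted in the post.
# search() is used so any syslog prefix (timestamp, %PIX-... tag) before the body is ignored.
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+)"
    r" to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)"
    r" flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)

# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = [
    "%PIX-6-106015: Deny TCP (no connection) from 192.0.2.25/80 to 198.51.100.7/1982 flags ACK on interface outside",
    "%PIX-6-106015: Deny TCP (no connection) from 192.0.2.25/80 to 198.51.100.7/1983 flags ACK on interface outside",
    "%PIX-6-106015: Deny TCP (no connection) from 192.0.2.25/80 to 198.51.100.7/1984 flags ACK on interface outside",
    "%PIX-6-106015: Deny TCP (no connection) from 203.0.113.9/443 to 198.51.100.7/2001 flags RST ACK on interface outside",
    "%PIX-6-106015: Deny TCP (no connection) from 203.0.113.40/1234 to 198.51.100.7/22 flags ACK on interface outside",
    "%PIX-6-106015: Deny TCP (no connection) from 10.1.1.1/110 to 10.1.1.50/3000 flags ACK on interface inside",
]


def parse_deny(line):
    """Return the fields of one 'Deny TCP (no connection)' line as a dict, or None if it is not one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = rec["flags"].split()  # e.g. ["ACK"] or ["RST", "ACK"]
    return rec


def stray_ack_sources(lines, interface="outside"):
    """Count ACK-only segments the PIX had no state for, keyed by (source IP, source port).

    ACK-only means the flags field is exactly ACK: the segment claims to belong to an
    established connection, but the PIX never saw the handshake for it.
    """
    counts = Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec is None or rec["iface"] != interface:
            continue
        if rec["flags"] == ["ACK"]:
            counts[(rec["src"], rec["sport"])] += 1
    return counts


def unexpected_servers(lines, expected):
    """Source IPs sending stray ACKs that are not in the set of servers you knowingly talk to."""
    return sorted({src for (src, _port) in stray_ack_sources(lines) if src not in expected})


if __name__ == "__main__":
    # Hypothetical: the POP3 server you actually log on to is 192.0.2.25.
    known_servers = {"192.0.2.25"}
    for (src, sport), n in stray_ack_sources(SAMPLE_LOG).most_common():
        print(f"{src}:{sport}  stray ACKs: {n}")
    print("not a known server:", unexpected_servers(SAMPLE_LOG, known_servers))
```

If the only heavy hitter is the provider's own address, the stray ACKs are just the provider's behaviour; if other sources show up with ACK-only segments, they are the usual stateless noise a firewall should keep dropping, which is the argument against answering all of them with "service resetoutside".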

2 Replies

gfullage
Cisco Employee

No, you can't do this on the PIX. The "service resetoutside" will make it respond to all connection requests, no way to minimise it.

I would be talking to your ISP and ask why on earth they're doing that, cause it seems to be violating protocol specifications and any firewall worth its weight would drop that packet.

I would have to agree with the above. Your scenario seems to be very questionable. I am wondering just how they are responding back to your initial syn with a ack from another machine, that is NOT the machine you sent the initial request to???.....Interesting.

Also, have you gone to:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/syslog/pixemapa.htm

I think I remember seeing something on this. Insert your error code and go from there.

Hope this helps.
