PIX 515 TCP connections halted for HTTP based traffic

adallica
Level 1

I have a PIX 515 with three interfaces: Outside, Inside, and DMZ. I have had no problems accessing or browsing the internet from inside to the outside. I have recently set up a DMZ to host a mail server, and communication is working fine inside and outside to the DMZ. The problem came when I added an MS portal server on the inside network and an HTTP server in the DMZ. They will communicate perfectly for an hour or so and then fail with a transmission error, almost as though the PIX denied their requests. I have added the following fixup protocol commands thinking it might be having an intermittent problem on this other port, but had no luck. I am running version 6.2(2). I couldn't find any known bugs or field bulletins relating to this problem and am totally stumped. Anyone have any IDEAS? Oh yeah, I temporarily moved the two servers in the DMZ to bypass the firewall and they work without a problem. Move them back and it works for a while and then suddenly stops.

fixup protocol http 9080

fixup protocol http 80

2 Replies

yusuff
Cisco Employee

2 things that you can try:

- remove the fixup and see if that helps:

no fixup protocol http 9080

no fixup protocol http 80

- PIX by default randomizes TCP sequence numbers. Maybe your application doesn't like that or it is expecting something... you can disable randomization as follows:

see the following link for using the "norandomseq" option on static statements.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#1026694

static [(internal_if_name, external_if_name)] {global_ip | interface} local_ip [dns] [netmask mask] [max_conns [emb_limit [norandomseq]]]

Here is the definition of what it does: "Do not randomize the TCP/IP packet's sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the PIX Firewall."

The same command can also be used on NAT commands:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1032129

nat [(if_name)] nat_id local_ip [mask [dns] [outside] [max_conns [emb_limit [norandomseq]]]]

Definition: "Disables TCP Initial Sequence Number (ISN) randomization protection. Only use this option if another in-line firewall is also randomizing sequence numbers and the result is scrambling the data. Without this protection, inside hosts with weak self-ISN protection become more vulnerable to TCP connection hijacking."

Hope that helps.

Regards

Yusuf
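The quoted caveat turns on whether the inside hosts generate strong ISNs of their own once the PIX stops randomizing them. The following is an added example (not from this thread or from Cisco) of a defender-side check: it pulls the server ISN out of raw SYN-ACK TCP headers captured from successive connections and flags a host whose ISNs advance by a repeated fixed delta. The header builder and both ISN series are constructed sample data, not captured traffic.

```python
import struct
from collections import Counter

TCP_SYN = 0x02
TCP_ACK = 0x10


def tcp_isn(segment: bytes) -> int:
    """Return the sequence number of a raw TCP segment if it is a SYN-ACK.

    Only the 20-byte fixed header is needed: the sequence number is bytes
    4-8, the flags are the low bits of byte 13. Only SYN-ACKs carry the
    server's ISN, so anything else raises ValueError.
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    seq = struct.unpack("!I", segment[4:8])[0]
    if segment[13] & (TCP_SYN | TCP_ACK) != (TCP_SYN | TCP_ACK):
        raise ValueError("not a SYN-ACK")
    return seq


def assess_isns(isns):
    """Score ISNs from successive connections to one server.

    A fixed per-connection increment (the classic weak generator) shows up
    as one dominant delta; a randomizing stack, or a PIX with randomization
    left on, yields deltas that are almost all distinct.
    """
    deltas = [(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])]
    if not deltas:
        return {"deltas": 0, "distinct": 0, "verdict": "insufficient"}
    hist = Counter(deltas)
    share = hist.most_common(1)[0][1] / len(deltas)
    verdict = "weak" if share >= 0.5 else "randomized"
    return {"deltas": len(deltas), "distinct": len(hist), "verdict": verdict}


def make_synack(seq: int) -> bytes:
    """Constructed 20-byte TCP SYN-ACK header for sample input (not real traffic)."""
    # src 80, dst 40000, seq, ack 1, data offset 5, SYN|ACK, window, csum 0, urg 0
    return struct.pack("!HHIIBBHHH", 80, 40000, seq, 1, 5 << 4,
                       TCP_SYN | TCP_ACK, 8192, 0, 0)


# Constructed samples: a host stepping its ISN by 64000 per connection,
# versus the same connections as they appear after ISN randomization.
WEAK_ISNS = [tcp_isn(make_synack(1000 + 64000 * i)) for i in range(8)]
RANDOMIZED_ISNS = [tcp_isn(make_synack(s)) for s in (
    0x9A3F1C02, 0x1E77B0D4, 0xC5020A91, 0x3D88E6F0,
    0x7B1C4D2A, 0xE05F9311, 0x26AA73C8, 0x58D10B6F)]

if __name__ == "__main__":
    print("weak host      :", assess_isns(WEAK_ISNS))
    print("randomized path:", assess_isns(RANDOMIZED_ISNS))
```

Run it against SYN-ACKs recorded from a host before removing randomization; a "weak" verdict is the case the quoted documentation warns about.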

Yusuf:

I am having a similar problem. My situation is such that I have two machines behind the PIX on the inside interface. One of them is a RedHat 9.0 box (dual-homed) and the other is an MS Proxy 2.0 box (dual-homed). The issue is that I cannot seem to get to HTTP sites from the RedHat machine; however, I can get to FTP sites, and DNS works as well.

The MS Proxy works just fine - http, ftp, dns, etc.

I have the following on the PIX:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0 norandomseq

I see translations for both machines when I do a sh xlate, but the Redhat box still has problems.

Any suggestions!? I'm kinda stumped!

Regards,

Aun.
