Does PIX alter TCP sequence numbers?

Aug 14th, 2003

Hello all,

I am trying to sniff a session between a server on an "inside" segment and a server on a "DMZ" segment. The server on the inside is being NAT translated to the same address on the DMZ like so:

static (inside,DMZ) 10.1.1.1 10.1.1.1 netmask 255.255.255.255 0 0

The problem I am having is comparing the sniffer capture on the inside server to the one on the DMZ server because I think the TCP sequence numbers are being altered. The TCP port numbers appear to be maintained.

Does the PIX alter the TCP sequence numbers? If so, does it do so in a predictable manner?

Also can someone point me to documentation on this behavior?

Thank You

l.mourits Thu, 08/14/2003 - 05:35

Hi,

You are right, the PIX does alter TCP sequence numbers. This is done in a random, not predictable manner by ASA. Some good documentation can be found at the following link:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008008d313.html

Here's a part of this documentation:

Adaptive Security Algorithm (ASA):

- Implements stateful connection control through the firewall.

- Allows one way (inside to outside) connections without an explicit configuration for each internal system and application.

- Always in operation monitoring return packets to ensure they are valid. Actively randomizes TCP sequence numbers to minimize the risk of TCP sequence number attack.

Hope this helps,

Leo

ggombas Thu, 08/14/2003 - 09:13

Thanks for the reply Leo. What I don't understand is if the PIX is always changing the sequence numbers how the end stations are keeping track of them. Is it because the PIX only randomizes the sequence numbers of new sessions and keeps the same sequence throughout the session?

bdube Thu, 08/14/2003 - 14:02

You're right. The inside client doesn't see any difference in TCP sequence number; the PIX presents another sequence number to the DMZ server or outside. The PIX does a sequence number translation. There is a randomization at the beginning of a new session, and it is kept for the rest of the session.

Ben

r-lemaster Fri, 08/15/2003 - 07:12

You can turn off the default random sequencing of TCP packet numbers for debugging by using the norandomsequence keyword.

nat [(if_name)] nat_id local_ip [netmask [max_connections [embryonic_limit]]] [norandomsequence]

HTH

Posted August 14, 2003 at 4:04 AM