Inside interface sending tcp (RST)'s for denied traffic

Nov 12th, 2003

Hello All,


Here is my question: according to Cisco, all attempted TCP connections that are denied by a ruleset will be dropped (there will be no reply to the initial SYN). I currently have a 515 running version 6.2 configured to deny 5190 traffic on the inside interface. Running a port scan on this port yields a TCP RST from the PIX (the PIX is of course emulating the distant end). This proves the documentation to be wrong. Further research led me to believe there may be a global statement I was missing to configure the PIX to drop packets, but I have found only this...


The service command:


<http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00800ec9eb.html#1025922>


I have cleared any and all service commands from the configuration (there were never any) and I am still getting the same results, which is undesirable.


scoclayton Wed, 11/12/2003 - 13:56
User Badges:
  • Gold, 750 points or more

Hi,


Can you point out the documentation that claims what you are stating? By default, the PIX will silently drop all inbound packets (packets coming in on a low security interface destined for a higher security interface) that are blocked by an ACL. However, the PIX will send a RST ACK packet back to the sender for all outbound packets (packets from a higher security interface to a lower security interface) that are blocked by an ACL. You can configure the PIX to respond to inbound packets with a RST by configuring 'service resetinbound' as you have seen. Currently, there is no knob in the PIX that will allow you to silently drop outbound packets denied by an ACL on the PIX. It was designed this way to be more considerate to people on the more secure interface. In the end, TCP stacks take a bit to react to no response.


If this is something you require, I would suggest you speak with your local account team concerning a feature request to add a knob such as above. Hope this helps.


Scott
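The distinction Scott draws (silent drop for a denied inbound SYN, RST/ACK for a denied outbound SYN, RST for inbound only once 'service resetinbound' is set) is easy to verify from a packet capture. The following is an added example, not code from the thread or from Cisco: it parses raw TCP headers, classifies what came back for a single SYN, and compares that against the default behaviour described in the reply. All packets are constructed inline with a small header builder; the function names (`classify_probe`, `expected_pix_default`) and the port numbers are this example's own choices, and the reply address is assumed to be spoofed by the firewall exactly as the original post observes, so a RST by itself cannot tell a firewall from a closed port on the real host.

```python
import struct
from typing import Optional

# TCP control bits, as laid out in the low byte of the offset/flags field (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                     window: int = 8192) -> bytes:
    """Build a minimal 20-byte TCP header (no options, checksum left zero).
    Used here only to construct sample packets for the demonstration."""
    off_flags = (5 << 12) | flags          # data offset 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def parse_tcp_header(raw: bytes) -> dict:
    """Parse the fixed 20-byte part of a TCP header into a dict of fields."""
    if len(raw) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, ack, off_flags, window, _cksum, _urgp = struct.unpack("!HHIIHHHH", raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,
        "flags": off_flags & 0x3F,          # keep the six classic control bits
        "window": window,
    }


def flag_names(flags: int) -> str:
    """Render control bits as e.g. 'ACK/RST' for log lines."""
    order = ((URG, "URG"), (ACK, "ACK"), (PSH, "PSH"), (RST, "RST"), (SYN, "SYN"), (FIN, "FIN"))
    return "/".join(name for bit, name in order if flags & bit) or "none"


def classify_probe(probe: bytes, reply: Optional[bytes]) -> str:
    """Classify how a single SYN was handled, given the reply (or None for silence).

    'dropped'  - nothing came back: the deny was silent (PIX default for inbound)
    'reset'    - a RST came back: the deny was answered (PIX behaviour for outbound,
                 or inbound with 'service resetinbound'); the PIX spoofs the
                 destination address, so the RST alone cannot distinguish the
                 firewall from a closed port on the real host
    'accepted' - SYN/ACK came back: the traffic was permitted and a host answered
    """
    p = parse_tcp_header(probe)
    if not (p["flags"] & SYN) or (p["flags"] & ACK):
        raise ValueError("probe must be a plain SYN")
    if reply is None:
        return "dropped"
    r = parse_tcp_header(reply)
    if r["sport"] != p["dport"] or r["dport"] != p["sport"]:
        return "unrelated"
    if r["flags"] & RST:
        # A well-formed RST/ACK for our SYN acknowledges our ISN + 1; check it so a
        # stray RST belonging to some other connection is not counted as our answer.
        if (r["flags"] & ACK) and r["ack"] != (p["seq"] + 1) & 0xFFFFFFFF:
            return "unrelated"
        return "reset"
    if (r["flags"] & SYN) and (r["flags"] & ACK):
        return "accepted"
    return "other"


def expected_pix_default(direction: str, resetinbound: bool = False) -> str:
    """The behaviour described in the reply above for a TCP connection denied by an ACL."""
    if direction == "outbound":        # higher-security -> lower-security interface
        return "reset"
    if direction == "inbound":         # lower-security -> higher-security interface
        return "reset" if resetinbound else "dropped"
    raise ValueError("direction must be 'inbound' or 'outbound'")


# Constructed sample packets (not real captures): one SYN to TCP/5190 and the
# possible responses discussed in the thread.
PROBE = build_tcp_header(40000, 5190, seq=1000, ack=0, flags=SYN)
RST_REPLY = build_tcp_header(5190, 40000, seq=0, ack=1001, flags=RST | ACK)
SYNACK_REPLY = build_tcp_header(5190, 40000, seq=777, ack=1001, flags=SYN | ACK)

if __name__ == "__main__":
    for label, reply in (("outbound deny", RST_REPLY), ("inbound deny", None), ("permitted", SYNACK_REPLY)):
        seen = classify_probe(PROBE, reply)
        flags = flag_names(parse_tcp_header(reply)["flags"]) if reply else "no reply"
        print(f"{label:14} reply={flags:9} -> {seen}")
    # Does the observed outbound result match the documented default?
    print("outbound matches documented default:",
          classify_probe(PROBE, RST_REPLY) == expected_pix_default("outbound"))
```

To use this against a real capture, feed `classify_probe` the 20-byte TCP header of your SYN and of whatever came back on the same port pair (or `None` if nothing did), then compare the result with `expected_pix_default` for the interface direction you tested; a mismatch on the inbound side is what would point at a 'service resetinbound' line in the configuration.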


jeremy.buck Wed, 11/12/2003 - 14:29

Scott,


Appreciate the confirmation! Looked through the docs I have and they all say inbound; guess I was being hopeful :). Thanks.


Jeremy
