fwsm deny action

patrik.spiess
Level 1

If I configure a deny access-list on my FWSMs, it seems that they just drop the packet without any response to the client. If a client wants to establish a denied connection, no response occurs and the client falls into a timeout.

Isn't there an option to not only drop a denied connection but respond to it with a TCP RST?

This would mean that the client gets an immediate response instead of waiting for a timeout.

Thanks for ideas

Patrik

3 Replies

Marcin Latosiewicz
Cisco Employee

Patrik,

What you would need is service resetoutbound, but it's not there in FWSM.

http://conft.com/en/US/docs/security/fwsm/fwsm40/command/reference/s1.html#wp2719073

You can reset inbound...

Marcin

Thank you. This option is what I looked for. It's a pity that there is no resetoutbound option.

But I found the following:

"If resetinbound is configured and if denied traffic flows from an interface to another interface with the same security, then a reset is sent."

My idea now is to set both security levels (on the inside and on the outside interface) to 50. Then the above rule fits and a reset is sent.

This should not be a security issue, because all traffic is controlled by access-lists on each interface.

What do you think about that?

Thanks

Patrik

Patrik,

A good option if you REALLY REALLY want to have this feature.

I don't like overusing same security levels. Problems with connections (which is inbound, which is outbound?), xlates (do you create xlates or not, which way will xlate bypass still work?) and other considerations... most are solved by unicast RPF, but as I said, I'm not a fan.

It's just my personal opinion, but the benefits are too small - mostly because, instead of being silent, the FWSM starts generating lots of potential traffic.

Marcin
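For readers who want to see what the configuration discussed in this thread looks like, the fragment below is an added illustration and is not from the thread or from Cisco documentation. It assumes two VLAN interfaces, addresses, access-list names and a VLAN numbering; all of those are made up. It shows the same-security-level setup Patrik proposes together with service resetinbound (so a denied TCP connection between the two equal-security interfaces gets a reset, per the quoted rule), and the reverse-path check Marcin refers to as the usual mitigation for the inbound/outbound ambiguity that same-security interfaces introduce.

```text
! Added illustration, not configuration from the thread.
! Interface names, VLANs, addresses and ACL names are assumed.

interface Vlan10
 nameif inside
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Interfaces with equal security levels do not pass traffic to each
! other unless this is enabled; the access-lists below still decide
! what is actually allowed.
same-security-traffic permit inter-interface
!
! Send a TCP RST for denied inbound TCP connections instead of
! dropping them silently. Between interfaces of the same security
! level this covers both directions, which is the point of the
! same-security trick described above.
service resetinbound
!
! Reverse-path check on both interfaces, since with equal security
! levels "inbound" and "outbound" are no longer implied by the
! interface pair (the unicast RPF caveat from the reply above).
ip verify reverse-path interface inside
ip verify reverse-path interface outside
!
! Explicit policy on every interface: only what is permitted passes;
! everything else is denied and, for TCP, reset rather than dropped.
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
!
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
```

The trade-off the thread describes is visible here: the explicit deny lines now generate a RST per rejected TCP connection attempt rather than silence, so a scan or a misbehaving client that previously cost nothing now costs a packet on the way out, and the usual inside/outside distinction has to be re-established with access-lists and reverse-path checks rather than the security levels.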
