06-28-2010 11:11 PM - edited 03-11-2019 11:05 AM
If I configure a deny access-list on my FWSMs, it seems that they just drop the packet without any response to the client. If a client tries to establish a denied connection, no response occurs and the client runs into a timeout.
Isn't there an option to not only drop a denied connection but also respond to it with a TCP RST?
This would mean that the client gets an immediate response instead of waiting for a timeout.
Thanks for ideas
Patrik
06-29-2010 04:13 AM
Patrik,
What you would need is service resetoutbound, but it's not there in FWSM.
http://conft.com/en/US/docs/security/fwsm/fwsm40/command/reference/s1.html#wp2719073
You can reset inbound...
Marcin
06-29-2010 05:01 AM
Thank you. This option is what I was looking for. A pity that there is no resetoutbound option.
But I found the following:
"If resetinbound is configured and if denied traffic flows from an interface to another interface with the same security, then a reset is sent."
My idea now is to set both security levels (on inside and on outside Interface) to 50. Then the above rule fits and a reset is sent.
This should not be a security issue, because all traffic is controlled by access-lists on each interface.
What do you think about that?
Thanks
Patrik
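The workaround proposed above, written out as an FWSM configuration fragment. This is an added example and not configuration posted by anyone in the thread; the VLAN numbers, interface names, addresses and ACL names are hypothetical, and NAT is left out entirely. Both interfaces sit at security level 50 so that the documented "same security" case for `service resetinbound` applies in both directions, and explicit access-lists on each interface carry the whole policy, since the security-level difference no longer blocks anything by itself.

```cisco
! Added example (hypothetical names/addresses), not from the original thread.
interface Vlan10
 nameif outside
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan20
 nameif inside
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
! Required once two interfaces share a security level; without this line
! traffic between them is not forwarded at all.
same-security-traffic permit inter-interface
!
! Send a TCP RST for denied TCP connections instead of silently dropping them.
service resetinbound
!
! Inbound policy: only HTTPS to one server, everything else explicitly denied.
access-list OUTSIDE_IN extended permit tcp any host 198.51.100.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
!
! Outbound policy: the inside subnet may reach HTTP/HTTPS, nothing else.
access-list INSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 any eq 80
access-list INSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 any eq 443
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
```

Two things to check before relying on this: `same-security-traffic permit inter-interface` must be present, otherwise equalising the security levels cuts the inside off from the outside instead of opening it; and every interface needs its own explicit `deny ip any any` at the end of its access-list, because with equal security levels the implicit "lower cannot reach higher" protection is gone and the ACLs are the only thing enforcing direction.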
06-29-2010 07:53 AM
Patrik,
A good option if you REALLY REALLY want to have this feature.
I don't like overusing the same security levels. Problems with connections (which one is inbound, which one is outbound?), xlates (do you create xlates or not, which way will xlate bypass still work?) and other considerations... most are solved by unicast RPF, but as I said, I'm not a fan.
It's just my personal opinion, but the benefits are too small - mostly because, instead of being silent, the FWSM starts generating lots of potential traffic.
Marcin