Cisco Support Community
cco

Packet passing deny rule on PIX ??

Hi,

I'm facing a kind of weird behaviour on a Cisco PIX 515E firewall that I don't understand. I hope someone can explain this:

I have a server on the inside interface of the firewall. I have set an access list on the outside interface to define rules for the incoming traffic towards the server.

The access-list allows certain ports from certain sources, and at the end I placed a deny any rule.

Now the issue is that when I do a telnet <server_IP> <any port> from outside, from any source IP address, it looks as if I receive a reply from the server, even when telnetting from a denied source IP address or to a denied destination port number.

I set a capture on the inside and outside interfaces of the firewall:

When I telnet from the external client c.c.c.c towards the internal server s.s.s.s on port 98652 (or any other port number), I get the following capture output:

Please note that this traffic should be blocked by the ACL on the outside interface.

Outside interface:

9: 09:32:24.955654 c.c.c.c.2325 > s.s.s.s.33116: S 631188379:631188379(0) win 65535 <mss 1260,nop,nop,sackOK>

10: 09:32:24.955791 s.s.s.s.33116 > c.c.c.c.2325: S 2099247554:2099247554(0) ack 631188380 win 0 <mss 1380>

11: 09:32:26.205906 c.c.c.c.2325 > s.s.s.s.33116: . ack 2099247555 win 65535

12: 09:32:31.166052 c.c.c.c.2325 > s.s.s.s.33116: P 631188380:631188381(1) ack 2099247555 win 65535

13: 09:32:37.200581 c.c.c.c.2325 > s.s.s.s.33116: P 631188380:631188381(1) ack 2099247555 win 65535

14: 09:32:49.170767 c.c.c.c.2325 > s.s.s.s.33116: P 631188380:631188381(1) ack 2099247555 win 65535

Inside interface:

0 packet captured

0 packet shown

Although it looks as if the server is replying to the client, as indicated by line 10 on the outside interface, the inside interface doesn't show any traffic between the client and the server.

Is the firewall replying on behalf of the server here? Shouldn't the packet in line 9 be blocked too? Checking the firewall logs shows only that the packets in lines 11, 12, 13 and 14 are being blocked.

Please let me know if anyone understands what's going on here and how to prevent this.

Many thanks in advance,
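The question the post above raises is whether the SYN-ACK in line 10 came from the server or from the firewall. The two captures already settle it: the server sits behind the inside interface, and no packet of that flow appears there, so the segment was generated by the PIX itself (a PIX whose embryonic-connection limit, i.e. TCP intercept, has kicked in answers SYNs on the server's behalf, which is one setting worth checking; the zero window in that SYN-ACK is also what the capture shows). The script below is an added example, not part of the thread and not the poster's configuration: it parses `show capture` output from both interfaces, undoes the static NAT so the same flow keys on both sides, and reports every outside SYN-ACK whose flow never appears on the inside. The capture lines are constructed from the post's output with the c.c.c.c / s.s.s.s placeholders replaced by documentation addresses, plus one allowed flow on port 80 that does reach the server; the NAT mapping 198.51.100.10 -> 10.1.1.10 is an assumption.

```python
"""Correlate PIX/ASA 'show capture' output from two interfaces and flag TCP
handshakes that the firewall completed instead of the inside host.

Added example for this thread; the capture text below is constructed from
the post's output and the static NAT mapping is assumed.
"""
import re
from dataclasses import dataclass

# One capture line: "<num>: <time> <src> > <dst>: <flags> <rest>"
LINE_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\S+)\s+>\s+(\S+):\s+(\S+)\s*(.*)$")


@dataclass(frozen=True)
class Packet:
    num: int
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)
    syn: bool
    ack: bool
    win: int


def _endpoint(text):
    """'198.51.100.10.33116' -> ('198.51.100.10', 33116)"""
    ip, port = text.rsplit(".", 1)
    return ip, int(port)


def parse_capture(text):
    """Parse capture lines; header lines such as '0 packet captured' are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        num, _ts, src, dst, flags, rest = m.groups()
        win = re.search(r"\bwin (\d+)", rest)
        pkts.append(Packet(
            num=int(num),
            src=_endpoint(src),
            dst=_endpoint(dst),
            syn="S" in flags,                                   # SYN flag set
            ack=re.search(r"\back \d+", rest) is not None,      # ACK present
            win=int(win.group(1)) if win else -1,
        ))
    return pkts


def _rewrite(pkt, private_to_public):
    """Map inside (private) addresses to their outside static so both
    interfaces key the same flow identically."""
    def fix(ep):
        return (private_to_public.get(ep[0], ep[0]), ep[1])
    return Packet(pkt.num, fix(pkt.src), fix(pkt.dst), pkt.syn, pkt.ack, pkt.win)


def find_proxied_handshakes(outside_text, inside_text, static_nat):
    """static_nat maps public IP -> private IP, as in 'static (inside,outside)'.

    Returns one record per SYN-ACK seen on the outside interface for which the
    inside capture holds no packet of that flow at all: such a reply cannot
    have come from the host behind the inside interface."""
    private_to_public = {priv: pub for pub, priv in static_nat.items()}
    inside_flows = {
        frozenset((p.src, p.dst))
        for p in (_rewrite(q, private_to_public) for q in parse_capture(inside_text))
    }
    findings = []
    for p in parse_capture(outside_text):
        if not (p.syn and p.ack):
            continue
        if frozenset((p.src, p.dst)) in inside_flows:
            continue  # the server really answered
        findings.append({
            "outside_pkt": p.num,
            "client": "%s:%d" % p.dst,
            "server": "%s:%d" % p.src,
            "win": p.win,
            "zero_window": p.win == 0,   # hint: responder accepts no data yet
        })
    return findings


# Constructed sample data (addresses assumed; flow to port 33116 is the
# denied one from the post, flow to port 80 is an allowed connection).
OUTSIDE_CAPTURE = """\
7 packets captured
9: 09:32:24.955654 203.0.113.5.2325 > 198.51.100.10.33116: S 631188379:631188379(0) win 65535 <mss 1260,nop,nop,sackOK>
10: 09:32:24.955791 198.51.100.10.33116 > 203.0.113.5.2325: S 2099247554:2099247554(0) ack 631188380 win 0 <mss 1380>
11: 09:32:26.205906 203.0.113.5.2325 > 198.51.100.10.33116: . ack 2099247555 win 65535
12: 09:32:31.166052 203.0.113.5.2325 > 198.51.100.10.33116: P 631188380:631188381(1) ack 2099247555 win 65535
13: 09:32:40.100000 203.0.113.7.4100 > 198.51.100.10.80: S 1000:1000(0) win 65535 <mss 1260,nop,nop,sackOK>
14: 09:32:40.100500 198.51.100.10.80 > 203.0.113.7.4100: S 5000:5000(0) ack 1001 win 5840 <mss 1380>
15: 09:32:40.101000 203.0.113.7.4100 > 198.51.100.10.80: . ack 5001 win 65535
"""
INSIDE_CAPTURE = """\
3 packets captured
1: 09:32:40.100100 203.0.113.7.4100 > 10.1.1.10.80: S 1000:1000(0) win 65535 <mss 1260,nop,nop,sackOK>
2: 09:32:40.100400 10.1.1.10.80 > 203.0.113.7.4100: S 5000:5000(0) ack 1001 win 5840 <mss 1380>
3: 09:32:40.101200 203.0.113.7.4100 > 10.1.1.10.80: . ack 5001 win 65535
"""
STATIC_NAT = {"198.51.100.10": "10.1.1.10"}  # assumed static (inside,outside)

if __name__ == "__main__":
    for finding in find_proxied_handshakes(OUTSIDE_CAPTURE, INSIDE_CAPTURE, STATIC_NAT):
        print(finding)
```

Run against the sample, the allowed port-80 flow is matched on the inside and ignored, while the port-33116 flow is reported with `zero_window: True`, which is exactly the pattern in lines 9-14 of the post. On a real box, feed it the text of `show capture <name>` from each interface and the relevant `static` entries.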

6 REPLIES
cco

Re: Packet passing deny rule on PIX ??

Sorry, the telnet is on port 33116, not 98652 as indicated in my previous post.

Thanks


Re: Packet passing deny rule on PIX ??

Can you clear your ACL counters, then run your telnet test again and post the output of "show access-list"? If you do that, be sure to point out which server/IP you are seeing this behaviour with.

cco

Re: Packet passing deny rule on PIX ??

Hi,

I think posting the output of the "show access-list" command is going to be somewhat hard, as it includes around 700 lines. But please let me know if some more specific information may be useful for you, or if you suspect a particular issue.

Thanks,

Re: Packet passing deny rule on PIX ??

Hi Adel

Assuming that you have NAT enabled, telnet will not work from outside. You should connect to the one-to-one NATed or PATed IP on the outside interface to access the inside server.

Please attach your running config and let me suggest the necessary changes.

Regards

cco

Re: Packet passing deny rule on PIX ??

Hi,

Well, yes, of course. I telnet to the public IP address of the server, which in turn is statically NATed on the firewall, and this works fine. I really can't post the whole configuration, as it includes a huge number of access-list lines (which also include private information). But in case you need specific config information, please let me know.

Thanks,

Re: Packet passing deny rule on PIX ??

I couldn't understand the nature of the problem in the first post. Would you explain, please?
