I have a PIX-515E, Software Version 7.2(1) with NAT disabled, in router mode, and almost all inspection off. Recently I noticed that the PIX is randomizing the TCP sequence number in the ICMP Frag embedded message, that is, the last 4 bytes of the packet. Windows hosts look okay with that, BUT I have some Unix boxes and it looks like they use the TCP Seq header part for the Path MTU discovery process. Is there some way to disable this randomization?
Here is a tcpdump of the packet before and after passing the PIX:
This is the packet from the router with the lower MTU just before the PIX
Re: PIX randomizing TCP sequence in ICMP Frag packets
The PIX altering the initial sequence number of the TCP SYN segment sent by the server is the normal (default) behavior for packets going from a higher security interface to a lower security interface (like in your case.) When going from a lower security interface to a higher security interface, the PIX does not randomize the initial sequence number. You are correct that Linux/Unix will drop ICMP messages that have TCP sequence numbers that fall outside the expected range, i.e. packets that have been sent and not yet acknowledged (in-flight packets).
As a resolution, the PIX can be told not to randomize the TCP sequence number by adding the "norandomseq" keyword to the "nat" statements.
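As an added illustration (not part of the original thread and not Cisco code): a small Python script that parses an ICMP Fragmentation Needed message, pulls out the TCP sequence number quoted in it, and applies an in-flight check modelled on what Linux does before it acts on such a message (the quoted seq must lie between snd_una and snd_nxt of the socket). The packets, addresses, ports and the sequence shift of 0x5A5A5A5A are all constructed here as stand-ins; the shift is not the PIX's actual offset, just an example of what happens once the quoted seq no longer matches what the host sent. IP/ICMP checksums are left at zero because the parser ignores them.

```python
import struct

MASK32 = 0xFFFFFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ipv4_header(src: str, dst: str, proto: int, total_len: int, df: bool = False) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample, parser ignores it)."""
    flags_frag = 0x4000 if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))


def build_frag_needed(router: str, host: str, inner_src: str, inner_dst: str,
                      sport: int, dport: int, seq: int, next_mtu: int) -> bytes:
    """ICMP type 3 code 4 that `router` sends to `host` for an oversized DF
    packet inner_src -> inner_dst; it quotes the inner IP header plus the
    first 8 bytes of TCP (ports and sequence number), as RFC 1191 requires."""
    quoted_tcp = struct.pack("!HHI", sport, dport, seq & MASK32)
    quoted_ip = ipv4_header(inner_src, inner_dst, 6, 1500, df=True)
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_mtu) + quoted_ip + quoted_tcp
    return ipv4_header(router, host, 1, 20 + len(icmp)) + icmp


def parse_icmp_frag_needed(ip_pkt: bytes) -> dict:
    """Return next-hop MTU and the quoted flow (addresses, ports, TCP seq)."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    if ip_pkt[9] != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = ip_pkt[ihl:]
    itype, icode, _csum, _unused, next_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, icode) != (3, 4):
        raise ValueError("not an ICMP Fragmentation Needed message")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6:
        raise ValueError("quoted packet is not TCP")
    sport, dport, seq = struct.unpack("!HHI", inner[inner_ihl:inner_ihl + 8])
    return {"next_mtu": next_mtu, "src": bytes_to_ip(inner[12:16]),
            "dst": bytes_to_ip(inner[16:20]), "sport": sport, "dport": dport, "seq": seq}


def seq_in_flight(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """Modular 'between' test: snd_una <= seq <= snd_nxt on the 32-bit circle,
    i.e. the quoted seq belongs to data sent but not yet acknowledged."""
    return ((seq - snd_una) & MASK32) <= ((snd_nxt - snd_una) & MASK32)


def seq_shift(inside_pkt: bytes, outside_pkt: bytes) -> int:
    """Difference between the seq quoted in two captures of the same ICMP
    (e.g. taken on either side of the firewall); 0 means it was left alone."""
    a = parse_icmp_frag_needed(inside_pkt)["seq"]
    b = parse_icmp_frag_needed(outside_pkt)["seq"]
    return (b - a) & MASK32


# Constructed sample: host 10.1.1.10 behind the firewall talks to 198.51.100.7,
# a router at 192.0.2.1 with a 1400-byte link sends Frag Needed back.
ROUTER, HOST, PEER = "192.0.2.1", "10.1.1.10", "198.51.100.7"
TRUE_SEQ = 1_000_000                     # seq the host really put on the wire
SND_UNA, SND_NXT = TRUE_SEQ, TRUE_SEQ + 3 * 1460   # three unacknowledged segments
SHIFT = 0x5A5A5A5A                       # hypothetical offset applied by the firewall

UNMODIFIED = build_frag_needed(ROUTER, HOST, HOST, PEER, 40000, 80, TRUE_SEQ, 1400)
SHIFTED = build_frag_needed(ROUTER, HOST, HOST, PEER, 40000, 80, TRUE_SEQ + SHIFT, 1400)


def host_accepts(pkt: bytes, snd_una: int = SND_UNA, snd_nxt: int = SND_NXT) -> bool:
    """Would a Linux-style stack act on this Frag Needed for the given socket state?"""
    return seq_in_flight(parse_icmp_frag_needed(pkt)["seq"], snd_una, snd_nxt)


if __name__ == "__main__":
    for name, pkt in (("unmodified", UNMODIFIED), ("shifted", SHIFTED)):
        info = parse_icmp_frag_needed(pkt)
        print(f"{name}: quoted seq {info['seq']:#010x}, next-hop MTU {info['next_mtu']}, "
              f"host applies PMTU: {host_accepts(pkt)}")
    print(f"quoted seq shift between copies: {seq_shift(UNMODIFIED, SHIFTED):#010x}")
```

Feeding the two tcpdump captures (inside and outside copies of the same ICMP) into `seq_shift` shows directly whether the quoted sequence number was rewritten; `host_accepts` shows why the Unix hosts then ignore the message and never lower their path MTU, while a stack that does not validate the quoted seq would still apply it.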