Cisco Support Community


Cisco firewall pix 525 version 6.3

Hi everyone

I am doing an audit for a telecommunications company, and during the audit of the external network segment we faced this issue:

The company is using Cisco firewall PIX 525 version 6.3.(4) with six interface cards. During our audit we observed that the configuration of "TCP, UDP and embryonic connection" is set to "Unlimited". In addition "Reverse Path Forward Verification" is disabled.

We understand that it is not recommended to set "TCP, UDP and embryonic connection" to "Unlimited" as these settings could expose the firewall to a variety of "packet flooding" attacks, making it more liable to crash and rendering it less effective in protecting the network. We have recommended that to our customer.

So I would like to know the following:

1. Is there any standard "limit" that should be applied for configuring the "TCP, UDP and embryonic connection"?

2. What factors are to be considered in identifying the appropriate limit in the configuration of "TCP, UDP and embryonic connection"?

3. Is there any implication (positive or negative) that should be considered

a. In setting the "TCP, UDP and embryonic connection" configuration

b. In enabling "Reverse Path Forward Verification"

waiting for your comments


Re: Cisco firewall pix 525 version 6.3

Hi ..

In regards to the TCP, UDP and embryonic connections, I would say it depends on your environment, so no single value can be applied to all scenarios. You really need to customize these values.

In regards to the reverse forwarding check .. please see below .. take special attention to the recommendation part.

"Error Message %PIX-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name

Explanation Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding (Unicast RPF), also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your firewall.

Recommended Action This message appears when you have enabled Unicast Reverse Path Forwarding with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then the firewall checks packets arriving from the outside.

The firewall looks up a route based on the source_address. If an entry is not found and a route is not defined, then this syslog message appears and the connection is dropped.

If there is a route, the firewall checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The firewall does not support asymmetric routing.

If configured on an internal interface, the firewall checks static route command statements or RIP and if the source_address is not found, then an internal user is spoofing their address.

An attack is in progress. With this feature enabled, no user action is required. The firewall repels the attack. "

NOTE Before using this command, add static route command statements for every network that can be accessed on the interfaces you want to protect. Enable this command only if routing is fully specified. Otherwise, the Cisco PIX Firewall stops traffic on the interface you specify if routing is not in place.

I hope it helps .. please rate it if it does !!!


Re: Cisco firewall pix 525 version 6.3


Is it possible to mention what should be taken into consideration when customising the TCP, UDP and embryonic connections?


Re: Cisco firewall pix 525 version 6.3

Hi ... you need to have an idea of how many concurrent TCP and UDP connections are expected to be INITIATED from a higher security interface (i.e. inside) to a lower one (i.e. outside) at any given time.

In regards to the embryonic limit .. this is normally used to protect devices that are being accessed from the Internet (check the static command). It depends on whether the host is fast enough to respond to simultaneous connection requests. If it is, then a higher limit is advisable ... if it is not, then a lower limit is advisable ... the TCP intercept feature of the firewall will be used for the 3-way handshake on behalf of the host once the emb limit is reached. Once again you need to have an idea of what is an acceptable limit in your environment.

max_conns Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn

Note This option does not apply to outside NAT. The firewall only tracks connections from a higher security interface to a lower security interface. If you set max_conns as well as the outside option, the max_conns option is ignored.
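As an added audit helper (written for this thread, not code from Cisco or from any poster), the script below checks a PIX 6.3-style configuration for the two findings discussed in both replies: static/nat lines whose max_conns or emb_limit tail is 0 (unlimited), and interfaces with ip verify reverse-path enabled but no route statements, which is the condition the NOTE above warns about. The configuration text is a constructed sample with made-up addresses; the parser assumes the static form with a netmask keyword and the nat form "nat (if) id ip mask [limits]".

```python
# Constructed PIX 6.3-style configuration excerpt (sample input, not from the thread).
# The nat line and the first static keep the "0 0" (unlimited) tails the auditor found;
# the second static uses the 6.3 "tcp max_conns emb_limit udp udp_max_conns" form.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.11 192.168.10.11 netmask 255.255.255.255 tcp 1000 100 udp 500
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
ip verify reverse-path interface outside
ip verify reverse-path interface inside
"""


def parse_limits(line):
    """Return (max_conns, emb_limit) for a static or nat line; 0 means unlimited."""
    toks = line.split()
    if "tcp" in toks:  # 6.3 keyword form: tcp max_conns [emb_limit] [udp n]
        i = toks.index("tcp")
        nums = [int(t) for t in toks[i + 1:i + 3] if t.isdigit()]
        return (nums[0] if nums else 0, nums[1] if len(nums) > 1 else 0)
    # Older positional form: the integers after the netmask (static) or after
    # "nat (if) id ip mask" are max_conns [emb_limit]; absent means default 0.
    if toks[0] == "static":
        start = toks.index("netmask") + 2 if "netmask" in toks else 4
    else:
        start = 5
    nums = [int(t) for t in toks[start:start + 2] if t.isdigit()]
    return (nums[0] if nums else 0, nums[1] if len(nums) > 1 else 0)


def audit(config_text):
    """Return a list of finding strings for unlimited limits and RPF without routes."""
    findings, rpf_ifaces, routed_ifaces = [], set(), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith(("static ", "nat ")) and "access-list" not in line:
            max_conns, emb_limit = parse_limits(line)
            if max_conns == 0:
                findings.append("unlimited max_conns: " + line)
            if emb_limit == 0:
                findings.append("unlimited emb_limit: " + line)
        elif line.startswith("route "):
            routed_ifaces.add(line.split()[1])
        elif line.startswith("ip verify reverse-path interface "):
            rpf_ifaces.add(line.split()[-1])
    # RPF drops traffic whose source has no route, so every RPF interface needs routes.
    for iface in sorted(rpf_ifaces - routed_ifaces):
        findings.append("ip verify reverse-path on %s but no route statements on %s" % (iface, iface))
    if "outside" not in rpf_ifaces:
        findings.append("Unicast RPF not enabled on the outside interface")
    return findings
```

Running audit(SAMPLE_CONFIG) reports five findings: two for the nat line, two for the first static, and one for RPF on inside without any inside routes.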