One of the ISP's I connect to for POP3 mail sends an ACK request from a server with a different IP address than the POP3 server's each time I log on to check email. This causes timeout problems because my PIX doesn't respond. The PIX log entries read, "Deny TCP (no connection) from x.x.x.x/80 to x.x.x.x/1982 flags ACK on interface outside".
I've figured out that the "service resetoutside" command eliminates the timeout problem, but it also makes my system non-stealthy when port scanned. Is there a way I can establish a rule that will cause the PIX to respond to ACK requests from only certain IP addresses?
I would have to agree with the above. Your scenario seems to be very questionable. I am wondering just how they are responding back to your initial syn with a ack from another machine, that is NOT the machine you sent the initial request too???.....Interesting.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...