02-03-2004 10:46 AM - edited 02-20-2020 11:13 PM
Does anyone know of a document explaining how the Pix handles, in regards to state, uncommon IP protocol packets such as ESP, AH, OSPF, GRE, etc.? I'm concerned with the traffic passing through it, not destined for the pix.
I understand how TCP, UDP, and ICMP packets are handled, but I can't seem to find anything on any others.
Thanks.
02-09-2004 06:39 PM
Generally speaking, the Pix doesn't statefully inspect any protocol going through it except for TCP and UDP. The exception being a protocol that is handled by a "fixup" such as PPTP that has a fixup to allow the resulting GRE (protocol 47) traffic in.
If you want a protocol other than UDP/TCP to be allowed to go THROUGH, you'll pretty much need to create an ACL entry for it.
The other exception is traffic destined to the Pix itself as a host. ACLs have absolutely no effect on traffic destined to the Pix as a host. For example, OSPF packets destined to the Pix when it is running OSPF. Or ESP packets destined to the Pix for a VPN tunnel it terminates. Or ICMP traffic to the Pix itself (controlled using the [icmp] command). ACLs only apply to transit traffic.
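As an added illustration (not configuration from this thread or from Cisco's documentation), the following PIX 6.x fragment shows the shape of what the answer above describes: explicit ACL entries for the non-TCP/UDP transit protocols named in the question, a PPTP fixup so the GRE return traffic is opened dynamically, and the icmp command for traffic addressed to the PIX itself, which ACLs never touch. The interface names, the ACL name outside_in, the addresses (RFC 5737 documentation ranges) and the identity static are assumptions; lines beginning with ! are annotations for the reader, not configuration.

```text
! --- Transit traffic: this is where ACLs apply ---
! Assumed: inside VPN/GRE endpoint 192.0.2.10 must be reachable by its own
! address from outside, so give it an identity static (no address translation).
static (inside,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255

! ESP (IP proto 50) and AH (51) from the outside peer 198.51.100.20.
! The PIX keeps no state for these, so the inbound direction needs
! its own permit; the inside-to-outside direction passes by security level.
access-list outside_in remark IPSec data channel from peer
access-list outside_in permit esp host 198.51.100.20 host 192.0.2.10
access-list outside_in permit ah  host 198.51.100.20 host 192.0.2.10
! IKE is UDP/500 and is tracked statefully like any other UDP flow.
access-list outside_in permit udp host 198.51.100.20 host 192.0.2.10 eq 500

! GRE (proto 47) for a GRE-over-IPSec tunnel carrying the routing protocol.
access-list outside_in remark GRE tunnel carrying OSPF
access-list outside_in permit gre host 198.51.100.20 host 192.0.2.10

! OSPF (proto 89) directly across the PIX is only needed if neighbours must
! form an adjacency through it; tunnelling it inside GRE avoids this line.
access-list outside_in permit ospf host 198.51.100.20 host 192.0.2.10

! Everything not listed is dropped by the implicit deny at the end.
access-group outside_in in interface outside

! --- PPTP: the fixup inspects TCP/1723 and opens the GRE data channel ---
fixup protocol pptp 1723

! --- Traffic to the PIX itself: ACLs are ignored, the icmp command decides ---
! Allow echo from one inside management host, refuse all ICMP on outside.
icmp permit host 192.0.2.5 echo inside
icmp deny any outside
```

Two points worth checking after applying something like this: `show access-list` should show hit counts climbing on the esp/ah/gre lines while the tunnel is up (because there is no connection entry to look for with `show conn`), and the icmp lines are the only place that governs pings to the PIX interfaces, so an ACL permitting ICMP to an interface address changes nothing.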
02-09-2004 01:01 PM
To see how to configure a PIX to let IPSec traffic through, please see http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml. To tunnel OSPF or other routing protocols over an IPSec tunnel, use GRE as shown in the configuration example at
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml
02-10-2004 06:52 AM
Thank you, this is very helpful information. I have one other question that you or someone else might be able to help me with. What is the flow of a packet through a pix in regards to xlate table, ACL's, state table? Which does it hit first/last? This is how I understand it:
From a higher to lower security level:
1. Is there an entry in the state table? Yes, go to step 3, if not, go to step 2
2. Is there an ACL blocking this traffic? No, pass it since it's from a higher security level.
3. Perform any NAT.
4. Perform fixup inspection
5. Route the packet
From a lower to higher:
1. State table entry? Yes, step 3. No, go to step 2
2. ACL allowing it? Yes, step 3. No, drop it.
3. Perform NAT
4. Perform fixup inspection
5. Route the packet
Thanks.