How Pix Handles UnCommon IP Protocol Packets

jason.drury
Level 1

Does anyone know of a document explaining how the Pix handles, in regards to state, uncommon IP protocol packets such as ESP, AH, OSPF, GRE, etc.? I'm concerned with the traffic passing through it, not destined for the Pix.

I understand how TCP, UDP, and ICMP packets are handled, but I can't seem to find anything on any others.

Thanks.

Accepted Solution

shannong
Level 4

Generally speaking, the Pix doesn't statefully inspect any protocol going through it except for TCP and UDP. The exception being a protocol that is handled by a "fixup" such as PPTP that has a fixup to allow the resulting GRE (protocol 47) traffic in.

If you want a protocol other than UDP/TCP to be allowed to go THROUGH, you'll pretty much need to create an ACL entry for it.

The other exception is traffic destined to the Pix itself as a host. ACLs have absolutely no effect on traffic destined to the Pix as a host. For example, OSPF packets destined to the Pix when it is running OSPF. Or ESP packets destined to the Pix for a VPN tunnel it terminates. Or ICMP traffic to the Pix itself (controlled using the [icmp] command). ACLs only apply to transit traffic.

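As an added example that is not part of the original thread, the following PIX 6.3-style configuration fragment puts the accepted answer into practice: explicit access-list entries for the non-TCP/UDP protocols the question asks about (ESP, AH, GRE, OSPF) as transit traffic, the PPTP fixup as the case where the firewall opens GRE itself, and the icmp command for traffic addressed to the firewall. All addresses, interface names and the ACL name are hypothetical, and lines beginning with "!" are annotations rather than PIX commands.

```text
! --- Added example, not from the original post; addresses and names are hypothetical ---
! Inside host 10.1.1.20 is reachable from the outside as 203.0.113.20 through a one-to-one
! static translation; 198.51.100.10 is a hypothetical remote IPSec / GRE / OSPF peer.
static (inside,outside) 203.0.113.20 10.1.1.20 netmask 255.255.255.255 0 0

! Transit traffic arriving on the lower-security (outside) interface is dropped unless an
! access-list permits it. Protocols other than TCP/UDP are matched by IP protocol name or
! number: ESP = 50, AH = 51, GRE = 47, OSPF = 89.
access-list acl_out permit esp host 198.51.100.10 host 203.0.113.20
access-list acl_out permit ah  host 198.51.100.10 host 203.0.113.20
access-list acl_out permit gre host 198.51.100.10 host 203.0.113.20
access-list acl_out permit 89  host 198.51.100.10 host 203.0.113.20
! An IPSec peer behind the firewall also needs IKE (UDP 500) alongside ESP/AH.
access-list acl_out permit udp host 198.51.100.10 host 203.0.113.20 eq 500
! The inbound ACL is evaluated before the static un-translates the destination, so it
! names the global address 203.0.113.20, not the real inside address 10.1.1.20.
access-group acl_out in interface outside

! PPTP is the fixup case the answer mentions: the firewall inspects the TCP/1723 control
! channel from inside clients and opens the matching GRE return traffic itself, so no
! separate "permit gre" entry is needed for those sessions.
fixup protocol pptp 1723

! Packets addressed to the PIX's own interfaces are not subject to access-lists; ICMP to
! the firewall is filtered with the icmp command instead (first matching entry wins).
icmp permit any echo-reply outside
icmp deny any outside
```

Two caveats a practitioner would want: without the static (or another xlate for the inside host) the outside-to-inside ESP/GRE/OSPF packets are dropped before the ACL matters, since the PIX requires a translation for lower-to-higher transit; and for tunnels that terminate on the PIX itself the decrypted traffic is handled separately (on PIX 6.x, `sysopt connection permit-ipsec` lets it bypass the interface ACL), which is the "destined to the Pix" case the answer distinguishes from transit.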

3 Replies

jsivulka
Level 5

To see how to configure a PIX to let IPSec traffic through, please see http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml. To tunnel OSPF or other routing protocols over an IPSec tunnel, use GRE as shown in the configuration example at

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

shannong
Level 4

(Accepted solution, quoted in full above.)

Thank you, this is very helpful information. I have one other question that you or someone else might be able to help me with. What is the flow of a packet through a pix in regards to xlate table, ACLs, state table? Which does it hit first/last? This is how I understand it:

From a higher to lower security level:

1. Is there an entry in the state table? Yes, go to step 3, if not, go to step 2

2. Is there an ACL blocking this traffic? No, pass it since it's from a higher security level.

3. Perform any NAT.

4. Perform fixup inspection

5. Route the packet

From a lower to higher:

1. State table entry? Yes, step 3. No, go to step 2

2. ACL allowing it? Yes, step 3. No, drop it.

3. Perform NAT

4. Perform fixup inspection

5. Route the packet

Thanks.
