New Member

How Pix Handles UnCommon IP Protocol Packets

Does anyone know of a document explaining how the Pix handles, in regards to state, uncommon IP protocol packets such as ESP, AH, OSPF, GRE, etc.? I'm concerned with the traffic passing through it, not destined for the pix.

I understand how TCP, UDP, and ICMP packets are handled, but I can't seem to find anything on any others.

Thanks.

1 ACCEPTED SOLUTION

Silver

Re: How Pix Handles UnCommon IP Protocol Packets

Generally speaking, the Pix doesn't statefully inspect any protocol going through it except for TCP and UDP. The exception being a protocol that is handled by a "fixup" such as PPTP, which has a fixup to allow the resulting GRE (protocol 47) traffic in.

If you want a protocol other than UDP/TCP to be allowed to go THROUGH, you'll pretty much need to create an ACL entry for it.

The other exception is traffic destined to the Pix itself as a host. ACLs have absolutely no effect on traffic destined to the Pix as a host. For example, OSPF packets destined to the Pix when it is running OSPF. Or ESP packets destined to the Pix for a VPN tunnel it terminates. Or ICMP traffic to the Pix itself (controlled using the [icmp] command). ACLs only apply to transit traffic.

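A configuration sketch of the two points made in the accepted answer (explicit ACL entries for transit non-TCP/UDP protocols, and the separate handling of traffic that terminates on the PIX). This is an added example, not configuration from the original thread or from Cisco; it assumes PIX 6.x syntax, an outside interface at security level 0 and an inside interface at security level 100, and hypothetical addresses: 198.51.100.20 as the remote peer, 192.0.2.10 as the public address of an inside VPN/GRE endpoint at 10.1.1.10.

```cisco
! Added example, not part of the original post. PIX 6.x syntax assumed.
! Addresses below are hypothetical (RFC 5737 documentation ranges).

! Static translation so the inside endpoint is reachable from outside.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255

! Transit ESP/AH/GRE is not tracked in the state table the way TCP/UDP is,
! so the inbound (lower to higher security) direction needs an explicit
! permit per protocol. Protocol numbers: esp=50, ah=51, gre=47, ospf=89.
! Restrict the source to the known peer rather than "any".
access-list outside_in permit esp host 198.51.100.20 host 192.0.2.10
access-list outside_in permit ah  host 198.51.100.20 host 192.0.2.10
access-list outside_in permit gre host 198.51.100.20 host 192.0.2.10
! IKE is UDP/500 and is handled like any other UDP flow.
access-list outside_in permit udp host 198.51.100.20 host 192.0.2.10 eq isakmp

! The ACL only takes effect once bound to an interface.
access-group outside_in in interface outside

! Outbound (higher to lower security) GRE/ESP from 10.1.1.10 is allowed by
! default because no ACL is applied on the inside interface; if one were
! applied, matching permit entries would be needed there too.

! Traffic terminating ON the PIX (a tunnel the PIX itself ends) is not
! subject to the interface ACL; this sysopt permits that IPsec traffic.
sysopt connection permit-ipsec

! PPTP is the one case where a fixup opens the matching GRE pinhole
! automatically, so no separate "permit gre" entry is needed for it.
fixup protocol pptp 1723
```

The example shows why the answer says an ACL entry is "pretty much" required: the transit ESP, AH and GRE lines are the only thing letting those packets through, and a corresponding entry is needed for every peer. Verify the result with `show access-list outside_in` (hit counts per entry) and `show xlate` for the static translation.
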
3 REPLIES
Bronze

Re: How Pix Handles UnCommon IP Protocol Packets

To see how to configure a PIX to let IPSec traffic through, please see http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml. To tunnel OSPF or other routing protocols over an IPSec tunnel, use GRE as shown in the configuration example at

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

New Member

Re: How Pix Handles UnCommon IP Protocol Packets

Thank you, this is very helpful information. I have one other question that you or someone else might be able to help me with. What is the flow of a packet through a pix in regards to xlate table, ACLs, state table? Which does it hit first/last? This is how I understand it:

From a higher to lower security level:

1. Is there an entry in the state table? Yes, go to step 3; if not, go to step 2.

2. Is there an ACL blocking this traffic? No, pass it since it's from a higher security level.

3. Perform any NAT.

4. Perform fixup inspection

5. Route the packet

From a lower to higher:

1. State table entry? Yes, step 3. No, go to step 2.

2. ACL allowing it? Yes, step 3. No, drop it.

3. Perform NAT

4. Perform fixup inspection

5. Route the packet

Thanks.
