Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
293
Views
5
Helpful
2
Replies

Inside interface sending tcp (RST)'s for denied traffic

jeremy.buck
Level 1
Level 1

‎11-12-2003 12:52 PM - edited ‎03-09-2019 05:30 AM

Hello All,

Here is my question, according to Cisco all attempted TCP connections that are denied by a ruleset will be dropped (There will be no reply to the initial SYN). I currently have a 515 running version 6.2 configured to deny 5190 traffic on the inside interface. Running a port scan on this port yields TCP RST from the Pix (The Pix is of course emulating the distant end). This proves the documentation to be wrong. Further research led me to believe there may be a global statement I was missing to configure the pix to drop packets but I have found only this...

The service command:

<http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00800ec9eb.html#1025922>

I have cleared any & all service commands from the configuration (There were never any) and I am still getting the same results and this is undesirable.

Labels:
0 Helpful
2 Replies 2

scoclayton
Level 7
Level 7

‎11-12-2003 01:56 PM

Hi,

Can you point out the documentation that claims what you are stating? By default, the PIX will silently drop all inbound packets (packets coming in on a low security interface destined for a higher security interface) that are blocked by an ACL. However, the PIX will send a RST ACK packet back to the sender for all outbound packets (packets from a higher security interface to a lower security interface) that are blocked by an ACL. You can configure the PIX to respond to inbound packets with a RST by configuring 'service resetinbound' as you have seen. Currently, this is no knob in the PIX that will allow you to silently drop outbound packets denied by an ACL on the PIX. It was designed this way to be more considerate to people on the more secure interface. In the end, TCP stacks take a bit to react to no response.

If this is something you require, I would suggest you speak with your local account team concerning a feature request to add a knob such as above. Hope this helps.

Scott

jeremy.buck
Level 1
Level 1
In response to scoclayton

‎11-12-2003 02:29 PM

Scott,

Appreciate the confirmation! Looked through the docs I have and they all say inbound, guess I was being hopefull :). Thanks.

Jeremy

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents