
New Member

PIX 7.0(2) and "ip source-route"

Hi,

I have a client using SAP OSS. With 6.3(4) it is OK, but with 7.0(2) it doesn't work.

I see this message: %PIX-6-106012: Deny IP from XX to XX, IP options: "Router Alert".

SAPRouter uses source routing.

The Cisco IOS command "ip source-route" enables handling this functionality. What about PIX 7?

Regards,

Waldemar Pera

1 REPLY
Cisco Employee

Re: PIX 7.0(2) and "ip source-route"

I'm surprised this worked in 6.3, the PIX has never in its history allowed packets with IP Options to pass, it has always logged and dropped them.

The particular option you're seeing is, I presume, 0x14, defined here:

ftp://ftp.rfc-editor.org/in-notes/rfc2113.txt

There is no way to pass this packet through the PIX I'm afraid. If it did indeed work in 6.3 then it may not actually be this packet that is causing the problem, since as I mentioned 6.3 would have also dropped this packet. v7.0 does have some much stricter and more defined TCP features where packets will be dropped if they don't conform to certain standards; see the "TCP Normalization" documentation here:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/ids.htm#wp1042116

Are you sure there are no other syslogs being generated just after or before this that might give us further clues as to what's being denied? Failing that you will probably need to get Sniffer traces from both sides of the PIX and open a TAC case to get it properly looked at.

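Added example, not from the thread: a small Python parser that walks the options field of an IPv4 header and names each option, so you can check from a capture which option the PIX is reporting in a 106012 message (Router Alert is option number 20, type byte 0x94 on the wire) and whether a packet carries a source-route option at all. The headers it builds are constructed samples; addresses and the header builder are assumptions for the demo.

```python
import socket
import struct

# IP option numbers (low 5 bits of the type byte). Bit 7 is the "copied"
# flag and bits 5-6 the class, so Router Alert (number 20, RFC 2113) is
# type byte 0x94 on the wire.
OPTION_NAMES = {
    1: "No Operation",
    3: "Loose Source Route",
    7: "Record Route",
    9: "Strict Source Route",
    20: "Router Alert",
}

def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header carrying *options* (sample input only;
    checksum left at zero, protocol TCP)."""
    padded = options + b"\x00" * (-len(options) % 4)   # pad to 32-bit words
    ihl = 5 + len(padded) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                        64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + padded

def parse_ip_options(header: bytes) -> list:
    """Return the names of the IP options in an IPv4 header, in order."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("bad IHL")
    options, names, i = header[20:ihl], [], 0
    while i < len(options):
        number = options[i] & 0x1F
        if number == 0:                      # End of Option List
            break
        names.append(OPTION_NAMES.get(number, "Unknown option %d" % number))
        if number == 1:                      # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed option at offset %d" % i)
        i += options[i + 1]
    return names

def pix_would_deny(header: bytes) -> bool:
    """Per the reply above, the PIX denies any packet that carries IP options."""
    return bool(parse_ip_options(header))

# Constructed samples: a Router Alert packet (what the 106012 message names)
# and a packet with a loose source route option (one hop, 10.0.0.9).
ROUTER_ALERT = build_ipv4_header("10.0.0.1", "10.0.0.2", bytes([0x94, 4, 0, 0]))
LSRR = build_ipv4_header("10.0.0.1", "10.0.0.2", bytes([0x83, 7, 4, 10, 0, 0, 9]))
```

Feed it the first IHL*4 bytes of a captured IP packet to see which option the firewall is objecting to.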