Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Pix Dropping Packet Behaviour

Hi all,

This may seem like a strange question but i just wanted to clarify the Pix behavour for blocking traffic.

If you apply your access list to allow port 80/443 and then deny everything else (i know there is an explicit deny but i still like to add it for logging), the firewall does just drop all packets unless on these two ports ?

Reason i am asking is because i am doing a port scan on the firewall to test the access-list policy and using nmap "nmap -sS -T -p0 host" is coming up with a strange result.

"(The 1227 ports scanned but not shown below are in state: closed)

PORT STATE SERVICE

80/tcp open http

135/tcp Filtered msrpc

179/tcp Filtered bgp

443/tcp Open https"

There are two odd results here, first the one stating the 1227 ports are in state: Closed. According the insecure.org, this happens when the ports are accessible but no application is responding. If the Pix firewall just dropped these packets, it should be showing up as Filtered.

Is there something extra that needs to be done to drop packets or is it done by default and this is just a strange thing with NMAP ?

Thanks in advanced.

Wayne

2 REPLIES
New Member

Re: Pix Dropping Packet Behaviour

Hi Wayne,

Your PIX config is right, it is really straight forward. Personally, I had some bad experience with NMAP, and I would reckon that the dodgy result has something to do with the NMAP engine.

If you doubt that applications are opened but not configured on hosts, you can verfiy that by running one of these services on your internal host(s), lets say FTP and then telnet to that host using port 21 and you will see that it will not respond, and even you can track this session using syslog messages and the "match counter" in your access list.

Hope this would give some relief ;-)

Salem.

New Member

Re: Pix Dropping Packet Behaviour

Hi,

Found out what the problem was, i have had a reply in a security forum that said NMAP displays Closed if a RST is sent.

The Pix firewall will send a RST if the following command is enabled "service resetinbound", if this is missing then it will just drop the packets.

cheers

Wayne

114
Views
0
Helpful
2
Replies
CreatePlease to create content