I have a frame relay network that comes into the hub router into corporate HQ. We have a large SAP implementation that is hosted at a 3rd party location. So, traffic flows from the Frame, into the inside interface of the Corporate PIX 515, out the dmz interface of the Corporate Pix, into a router on the same subnet as the dmz, and then across a frame relay link to the SAP host. I am getting several hundred syslog messages per hour with the following error, %PIX-2-106012: Deny IP from IP_addr to IP_addr, IP options hex. The hex option is 0x14. The source IP is from several different hosts somewhere on the frame and the destination is to one of our SAP servers. The docs say that the SAP client application is altering the IP packet and the PIX is seeing it as some kind of security breach and discarding the packet. Our SAP has slowdowns constantly and I think this is part of the cause of the slowdowns.
It is the SAP client program that causes this alert. There are dozens of systems on several different subnets causing this problem. So, it seems like this program is altering the packet and the PIX thinks it is a hacked packet, right?
The pix does not permit any packets which have IP options utilized, regardless of the reason. For instance, you may have a host on the inside of your pix which is legitimately sending source-route packets, which will utilize the IP Options field. However, source-routing in itself is inherently a security vulnerability. Consequently, the pix won't permit this traffic through (even though it's not a hacked packet).
In this case, there does not appear to be any legitimate reason for the packets that your pix appears to be seeing. If you have already sniffed the packet all the way back to the source, and have determined that the client is actually initiating this traffic, then I would contact the application vendor for further information about why it is utilizing these options in a way that doesn't appear to conform to conventional use of the IP options field (it may just be a bug that other devices ignore, but which the pix doesn't).
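The reply above leaves the poster with a log-analysis task: confirm which hosts send option-bearing packets and what the option byte actually is before going to the vendor. The following script is an added example, not code from any participant in this thread or from Cisco. It parses syslog lines in the %PIX-2-106012 format quoted in the question, aggregates the denies by source, destination and option value, and decodes the option type byte into its RFC 791 fields (copied flag, class, number). The log lines and addresses are constructed samples. Note that 0x14 decodes to option number 20, which the IANA registry lists as Router Alert (RFC 2113); the standard encoding of that option is 0x94, so 0x14 differs only in the cleared copied flag, which is exactly the kind of non-conforming use the reply suggests raising with the vendor.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %PIX-2-106012 shape quoted in the question.
# The 302013 line is included to show that unrelated messages are ignored.
SAMPLE_LOG = """\
Jun 12 10:01:03 pix-hq %PIX-2-106012: Deny IP from 10.50.1.21 to 172.16.8.10, IP options 0x14
Jun 12 10:01:09 pix-hq %PIX-2-106012: Deny IP from 10.50.2.7 to 172.16.8.10, IP options 0x14
Jun 12 10:01:11 pix-hq %PIX-2-106012: Deny IP from 10.50.1.21 to 172.16.8.10, IP options 0x14
Jun 12 10:01:15 pix-hq %PIX-2-106012: Deny IP from 10.50.3.3 to 172.16.8.11, IP options 0x83
Jun 12 10:01:20 pix-hq %PIX-6-302013: Built outbound TCP connection 12345 for inside:10.50.1.21/1234 (10.50.1.21/1234) to dmz:172.16.8.10/3200 (172.16.8.10/3200)
"""

# Matches only the IP-options deny message; other PIX message IDs are skipped.
MSG_RE = re.compile(
    r"%PIX-2-106012: Deny IP from (\S+) to (\S+), IP options (0x[0-9a-fA-F]+)"
)

# IP option numbers from the IANA "IP Option Numbers" registry (subset).
OPTION_NAMES = {
    0: "End of Option List",
    1: "No Operation",
    3: "Loose Source Route",
    7: "Record Route",
    9: "Strict Source Route",
    20: "Router Alert",
}


def decode_option_type(type_byte):
    """Split an IP option type byte into RFC 791 fields: copied (1 bit), class (2 bits), number (5 bits)."""
    return {
        "copied": bool(type_byte & 0x80),
        "class": (type_byte >> 5) & 0x3,
        "number": type_byte & 0x1F,
        "name": OPTION_NAMES.get(type_byte & 0x1F, "unknown"),
    }


def parse_denies(log_text):
    """Return one dict per %PIX-2-106012 line: source, destination, option type byte as int."""
    events = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            src, dst, opt = m.groups()
            events.append({"src": src, "dst": dst, "option": int(opt, 16)})
    return events


def summarize(events):
    """Count denies by source host, destination host and option type byte."""
    by_src = Counter(e["src"] for e in events)
    by_dst = Counter(e["dst"] for e in events)
    by_opt = Counter(e["option"] for e in events)
    return by_src, by_dst, by_opt


if __name__ == "__main__":
    events = parse_denies(SAMPLE_LOG)
    by_src, by_dst, by_opt = summarize(events)
    print("denies per source:", dict(by_src))
    print("denies per destination:", dict(by_dst))
    for opt, count in by_opt.items():
        fields = decode_option_type(opt)
        print(f"option {opt:#04x} ({fields['name']}, copied={fields['copied']}, "
              f"class={fields['class']}, number={fields['number']}): {count} denies")
```

Point the script at an exported syslog file instead of SAMPLE_LOG to get the per-host breakdown; a sniff on the segment nearest the top source in the output then confirms whether the client really emits the option or whether something in the path inserts it.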
You seem to know the PIX firewall quite well. I was wondering if you know some documents that describe the PIX behavior in detail when dealing with non-standard or invalid packets. I am looking for the more in-depth information that I cannot find on the regular website.