We are using the "fragment chain 1 outside" command to avoid fragmented packets in our network.
On the same Firewall, we have remote VPN users connecting using PPTP/GRE; the users can connect fine.
However, when they try to mount a Windows share, the Windows OS generates fragmented packets during Windows authentication (Kerberos); these GRE packets get dropped at the PIX firewall and the share is never mounted.
We then changed the command to "fragment chain 2 outside" to allow one fragmented packet and everything started working.
However, this also means that any non-VPN user (external threats) will also be able to send 1 fragmented packet, which appears to be a security hole for us. We don't control the perimeter router, so it is not possible to deny fragmentation at the perimeter router.
Is there a way to use the "fragment" command selectively, i.e. based on protocol, IP address, etc.?
Is there a way to deny fragmented IP packets using an ACL in PIX (similar to IOS)? This will still let the VPN fragmented packets through as we are using the sysopt-permit pptp command.
Re: Using "fragment" command for selective protocols
Allowing fragmented packets could make you vulnerable to attacks such as the teardrop attack. However, that is exactly where the fragguard feature helps you. My understanding is that even though the fragguard command is not supported on 6.3, the checks performed by this feature are still done and that should provide you with the required protection.
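To make the difference between "fragment chain 1" and "fragment chain 2" concrete, here is an added Python model of a fragment-chain limit (example code written for this thread, not Cisco's implementation). It parses raw IPv4 headers, groups fragments into chains by (source, destination, IP ID, protocol) and drops every chain longer than the configured limit. The `gre_only_chain_2` policy is a hypothetical illustration of the selective behaviour the question asks about; the thread does not establish that the PIX offers such a per-protocol knob. All packets are constructed inline.

```python
"""Model of an IPv4 fragment-chain limit in the spirit of "fragment chain N".

Added example, not Cisco code.  A limit of 1 means "no fragmentation": a chain
always has at least two pieces, so every fragment is dropped.  A limit of 2
lets two-piece datagrams through for every sender, which is the exposure the
question describes.
"""
import socket
import struct
from collections import defaultdict

IPPROTO_GRE = 47  # PPTP data channel, the traffic that was being fragmented


def build_ipv4(src, dst, ident, proto, more_fragments, offset, payload_len=8):
    """Constructed test packet: minimal IPv4 header plus zero payload (checksum left 0)."""
    assert offset % 8 == 0, "fragment offset is carried in 8-byte units"
    flags_frag = (0x2000 if more_fragments else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + b"\x00" * payload_len


def parse_ipv4_header(pkt):
    """Return the header fields a fragment-limit check needs."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    (ver_ihl, _tos, _tlen, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "id": ident, "proto": proto,
            "mf": bool(flags_frag & 0x2000),      # More Fragments flag
            "offset": (flags_frag & 0x1FFF) * 8}  # byte offset into the datagram


def is_fragment(h):
    # The first fragment has offset 0 but MF set; later fragments have offset > 0.
    return h["mf"] or h["offset"] > 0


def filter_fragments(packets, chain_limit_for):
    """Return a permit/drop verdict per packet.

    chain_limit_for(proto) -> maximum fragments allowed in one datagram.
    Unfragmented packets always pass.  The verdict is computed after the whole
    capture is seen; a real firewall decides as fragments arrive and also
    times out chains that never complete.
    """
    headers = [parse_ipv4_header(p) for p in packets]
    chains = defaultdict(list)
    for i, h in enumerate(headers):
        if is_fragment(h):
            chains[(h["src"], h["dst"], h["id"], h["proto"])].append(i)
    verdict = ["permit"] * len(headers)
    for (_src, _dst, _ident, proto), idxs in chains.items():
        limit = chain_limit_for(proto)
        if limit < 2 or len(idxs) > limit:
            for i in idxs:
                verdict[i] = "drop"
    return verdict


# Constructed sample traffic arriving on the outside interface.
SAMPLE = [
    build_ipv4("198.51.100.10", "192.0.2.1", 1, 6, False, 0),             # plain TCP
    build_ipv4("198.51.100.20", "192.0.2.1", 2, IPPROTO_GRE, True, 0),    # GRE in 2 pieces
    build_ipv4("198.51.100.20", "192.0.2.1", 2, IPPROTO_GRE, False, 1480),
    build_ipv4("203.0.113.5", "192.0.2.1", 3, 17, True, 0),               # UDP in 3 pieces
    build_ipv4("203.0.113.5", "192.0.2.1", 3, 17, True, 1480),
    build_ipv4("203.0.113.5", "192.0.2.1", 3, 17, False, 2960),
]


def chain_1(_proto):          # like "fragment chain 1 outside": no fragments get in
    return 1


def chain_2(_proto):          # like "fragment chain 2 outside": 2-piece datagrams pass, for anyone
    return 2


def gre_only_chain_2(proto):  # hypothetical selective policy: only GRE may be fragmented
    return 2 if proto == IPPROTO_GRE else 1


if __name__ == "__main__":
    for name, policy in (("chain 1", chain_1), ("chain 2", chain_2),
                         ("GRE-only chain 2", gre_only_chain_2)):
        print(name, filter_fragments(SAMPLE, policy))
```

Under `chain_1` only the unfragmented TCP packet passes; under `chain_2` the two-piece GRE datagram passes but so would any two-piece datagram from an external host, which is the exposure raised above. The `gre_only_chain_2` policy shows what a protocol-aware limit would do with the same capture.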