Cisco Support Community

Using "fragment" command for selective protocols


We are using the "fragment chain 1 outside" command to avoid fragmented packets in our network.

On the same firewall, we have remote VPN users connecting using PPTP/GRE; the users can connect fine.

However, when they try to mount a Windows share, the Windows OS generates fragmented packets during Windows authentication (Kerberos); these GRE packets get dropped at the PIX firewall and the share is never mounted.

We then changed the command to "fragment chain 2 outside" to allow one fragmented packet and everything started working.

However this also means that any non-vpn user (External threats) will also be able to send 1 fragmented packet, which appears to be a security hole for us. We don't control the perimeter router, so it is not possible to deny fragmentation at perimeter router.

Is there a way to use the "fragment" command selectively, i.e. based on protocol, IP address, etc.?

Is there a way to deny fragmented IP packets using ACL in PIX (similar to IOS) ? This will still let the VPN fragmented packets through as we are using the sysopt-permit pptp command.




Re: Using "fragment" command for selective protocols

Allowing fragmented packets could make you vulnerable to attacks such as the teardrop attack. However, that is exactly where the fragguard feature helps you. My understanding is that even though the fragguard command is not supported on 6.3, the checks performed by this feature are still done and that should provide you with the required protection.
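To make the trade-off in this thread concrete, here is an added Python model (not Cisco's code, and not a reproduction of the PIX implementation) of two checks: a per-datagram fragment count limit in the spirit of "fragment chain N" from the question, and an overlap check of the kind the reply attributes to fragguard as protection against teardrop-style fragments. The traffic, addresses, IP IDs and the `Fragment` record type are all constructed for the example; the behaviour it shows is that "chain 1" blocks the two-fragment GRE Kerberos exchange, while "chain 2" lets it through together with any other two-fragment datagram, which is the exposure the question describes, and that the overlap check still discards overlapping fragments regardless of the chain limit.

```python
"""Model of a per-datagram fragment policy: a 'fragment chain N' style
count limit plus an overlap check against teardrop-style fragments.
Illustrative code written for this thread; it is not the PIX implementation."""
from collections import defaultdict
from dataclasses import dataclass

GRE, TCP, UDP = 47, 6, 17  # IP protocol numbers


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ident: int    # IPv4 Identification; shared by every fragment of one datagram
    offset: int   # fragment offset in bytes (the header field counts 8-byte units)
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag: more fragments follow


def datagram_key(f: Fragment):
    """Fragments belong to the same datagram when src, dst, protocol and ID match."""
    return (f.src, f.dst, f.proto, f.ident)


def group_fragments(frags):
    """Bucket fragments by the datagram they reassemble into."""
    groups = defaultdict(list)
    for f in frags:
        groups[datagram_key(f)].append(f)
    return groups


def fragments_overlap(parts):
    """True if two fragments of one datagram claim the same payload bytes."""
    spans = sorted((f.offset, f.offset + f.length) for f in parts)
    return any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:]))


def apply_policy(frags, chain_limit, reject_overlaps=True):
    """Return a verdict per datagram: 'pass' or a 'drop: ...' reason.

    chain_limit plays the role of 'fragment chain N': a datagram made of more
    than N fragments is discarded.  An unfragmented packet is a chain of one,
    so it always passes the count check.
    """
    verdicts = {}
    for key, parts in group_fragments(frags).items():
        if len(parts) > chain_limit:
            verdicts[key] = f"drop: {len(parts)} fragments exceed chain limit {chain_limit}"
        elif reject_overlaps and fragments_overlap(parts):
            verdicts[key] = "drop: overlapping fragments"
        else:
            verdicts[key] = "pass"
    return verdicts


# Constructed sample traffic; addresses are from documentation ranges.
VPN_USER, FILE_SERVER = "10.8.0.5", "192.0.2.10"
EXTERNAL, INSIDE_HOST = "203.0.113.7", "192.0.2.20"

SAMPLE = [
    # PPTP user's GRE-encapsulated Kerberos exchange, split into two fragments
    Fragment(VPN_USER, FILE_SERVER, GRE, 0x1A2B, 0, 1480, True),
    Fragment(VPN_USER, FILE_SERVER, GRE, 0x1A2B, 1480, 300, False),
    # ordinary unfragmented TCP segment from outside
    Fragment(EXTERNAL, INSIDE_HOST, TCP, 0x0101, 0, 512, False),
    # external host sending a well-formed two-fragment UDP datagram
    Fragment(EXTERNAL, INSIDE_HOST, UDP, 0x0202, 0, 1480, True),
    Fragment(EXTERNAL, INSIDE_HOST, UDP, 0x0202, 1480, 200, False),
    # external host sending overlapping fragments: the second rewinds into the first
    Fragment(EXTERNAL, INSIDE_HOST, UDP, 0x0303, 0, 1000, True),
    Fragment(EXTERNAL, INSIDE_HOST, UDP, 0x0303, 500, 600, False),
    # external host sending a three-fragment datagram
    Fragment(EXTERNAL, INSIDE_HOST, UDP, 0x0404, 0, 1480, True),
    Fragment(EXTERNAL, INSIDE_HOST, UDP, 0x0404, 1480, 1480, True),
    Fragment(EXTERNAL, INSIDE_HOST, UDP, 0x0404, 2960, 100, False),
]

if __name__ == "__main__":
    for limit in (1, 2):
        print(f"--- fragment chain {limit} ---")
        for key, verdict in apply_policy(SAMPLE, limit).items():
            print(key, "->", verdict)
```

Run as a script it prints the verdicts for chain limits 1 and 2 side by side. Note that the count limit cannot tell the VPN user's two-fragment GRE datagram from the external host's two-fragment UDP datagram; only the overlap check and the count apply, which is why raising the limit admits both.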
