The root cause of this problem is that the spoofed segment creates an embryonic connection and sets up the TCP sliding window. When the real host then sends a valid SYN over the same connection as the spoofed packet, the sequence number of that valid segment is out-of-window and is rejected by the PIX TCP sequence number check. Any subsequent retransmissions of the valid segment are also out-of-window and are rejected by the TCP sequence number check.
Other spoofed TCP SYN segments that create embryonic connections can also cause this behavior. Legitimate TCP connections are blocked until the embryonic connection times out.
As a workaround, issue either the clear xlate or clear local-host command in order to allow the PIX Firewall to pass connections again.
Alternatively, download and upgrade to PIX version 6.3.5.
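The following is an added illustration, not PIX code: a simplified Python model of the behaviour described above, in which a SYN with no matching entry creates an embryonic connection anchored at its (possibly spoofed) sequence number, later segments on the same connection are checked against the window derived from that number, and the clear xlate / clear local-host workaround is modelled as flushing the table. The window size, the timeout value and all class and method names are assumptions.

```python
# Added illustration, not PIX code: a simplified model of the behaviour described
# above. A SYN with no matching entry creates an embryonic connection anchored at
# its sequence number; later segments on the same connection must fall inside the
# window derived from that (possibly spoofed) ISN or they are dropped.
from dataclasses import dataclass
import time

MOD32 = 1 << 32  # TCP sequence numbers wrap at 2^32


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    syn: bool = False


class EmbryonicTable:
    """Hypothetical stateful table; window and timeout values are assumptions."""

    def __init__(self, window=65535, embryonic_timeout=30.0, clock=time.monotonic):
        self.window, self.timeout, self.clock = window, embryonic_timeout, clock
        self.conns = {}  # connection 4-tuple -> {"isn": int, "created": float}

    def handle(self, seg):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        now = self.clock()
        entry = self.conns.get(key)
        if entry and now - entry["created"] > self.timeout:
            del self.conns[key]  # embryonic connection timed out
            entry = None
        if entry is None:
            if not seg.syn:
                return "DROP no-connection"
            self.conns[key] = {"isn": seg.seq, "created": now}
            return "ALLOW new-embryonic"
        # Sequence number check relative to the ISN that opened the entry.
        if (seg.seq - entry["isn"]) % MOD32 >= self.window:
            return "DROP out-of-window"  # the real host's SYN lands here
        return "ALLOW in-window"

    def clear_local_host(self, host):
        """Model of 'clear local-host': drop every entry involving the host."""
        self.conns = {k: v for k, v in self.conns.items() if host not in (k[0], k[2])}

    def clear_xlate(self):
        """Model of 'clear xlate': flush every entry."""
        self.conns.clear()
```

Feeding a constructed spoofed SYN followed by the real host's SYN on the same connection shows the second one dropped until the table is cleared or the embryonic entry times out.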