https://community.cisco.com/t5/network-security/pix-506-x-siebel-application/m-p/378691#M549902 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Have you think about using the 'established' command? It permits "return connections on ports other than those used for the originating connection based on an established connection" (from the Command Reference).</P><P></P><P>-- PIX Command Reference, version 6.3:</P><P><A class="jive-link-custom" href="http://cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1028903" target="_blank">http://cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1028903</A></P><P></P><P>Please be aware of the security risks this implies...</P><P></P><P>Example (assuming initial connection behind PIX, to Siebel server behind concentrator):</P><P></P><P>established tcp 0 siebel-port permitfrom tcp siebel-second-channel-src-port permitto tcp siebel-second-channel-dst-port</P><P></P><P>Hope that helps!</P><P></P><P>Federico Rodriguez</P><P></P></BODY></HTML> Wed, 06 Apr 2005 01:06:33 GMT fedrodri 2005-04-06T01:06:33Z https://community.cisco.com/t5/network-security/pix-506-x-siebel-application/m-p/378689#M549893 <P>Hi,</P><P>I have a IPsec tunel from a remote site (PIX 506) to a 3020 Concentrator. Users use all applications without problem except Siebel (client server application with database access). It seems that Siebel creates secondaries dynamic TCP connections and PIX is droping these packets. As these connections are not stablished before, PIX is dropping these packets. I have the message 106015 in the log file. According PIX documentation ´If the SYN flag is not set, and there is not an existing connection, the firewall discards the packet´.</P><P></P><P>Does someone have a tip to overcome this situation ?</P><P></P><P>Thanks </P><P> </P> Fri, 21 Feb 2020 08:02:48 GMT https://community.cisco.com/t5/network-security/pix-506-x-siebel-application/m-p/378689#M549893 jrmendes 2020-02-21T08:02:48Z https://community.cisco.com/t5/network-security/pix-506-x-siebel-application/m-p/378690#M549897 <HTML><HEAD></HEAD><BODY><P>The document IP Security Troubleshooting - Understanding and Using debug Commands has more information on troubleshooting IPSec.</P><P><A class="jive-link-custom" href="http://www.cisco.com/warp/customer/707/ipsec_debug.html" target="_blank">http://www.cisco.com/warp/customer/707/ipsec_debug.html</A></P></BODY></HTML> Tue, 05 Apr 2005 17:19:54 GMT https://community.cisco.com/t5/network-security/pix-506-x-siebel-application/m-p/378690#M549897 owillins 2005-04-05T17:19:54Z https://community.cisco.com/t5/network-security/pix-506-x-siebel-application/m-p/378691#M549902 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Have you think about using the 'established' command? It permits "return connections on ports other than those used for the originating connection based on an established connection" (from the Command Reference).</P><P></P><P>-- PIX Command Reference, version 6.3:</P><P><A class="jive-link-custom" href="http://cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1028903" target="_blank">http://cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1028903</A></P><P></P><P>Please be aware of the security risks this implies...</P><P></P><P>Example (assuming initial connection behind PIX, to Siebel server behind concentrator):</P><P></P><P>established tcp 0 siebel-port permitfrom tcp siebel-second-channel-src-port permitto tcp siebel-second-channel-dst-port</P><P></P><P>Hope that helps!</P><P></P><P>Federico Rodriguez</P><P></P></BODY></HTML> Wed, 06 Apr 2005 01:06:33 GMT https://community.cisco.com/t5/network-security/pix-506-x-siebel-application/m-p/378691#M549902 fedrodri 2005-04-06T01:06:33Z