<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic PIX 6.3(3): dropping denied TCP connections in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/pix-6-3-3-droping-denied-tcp-connections/m-p/305046#M561328</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Reading the specs, the PIX should silently drop denied inbound TCP packets. We have two PIX 515E 6.3(3) with 4 "outside" interfaces in use (failover configuration). Only the interface with the lowest security id drops inbound TCP connections; the other 3 interfaces send a TCP RST back. Both services resetinbound and resetoutside are deactivated, as is the default. To my understanding, all interfaces should drop denied inbound TCP connections. What am I doing wrong?&lt;/P&gt;&lt;P&gt;Thanks for any help.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Daniel &lt;/P&gt;</description>
    <pubDate>Fri, 21 Feb 2020 07:36:19 GMT</pubDate>
    <dc:creator>druch</dc:creator>
    <dc:date>2020-02-21T07:36:19Z</dc:date>
    <item>
      <title>PIX 6.3(3): dropping denied TCP connections</title>
      <link>https://community.cisco.com/t5/network-security/pix-6-3-3-droping-denied-tcp-connections/m-p/305046#M561328</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Reading the specs, the PIX should silently drop denied inbound TCP packets. We have two PIX 515E 6.3(3) with 4 "outside" interfaces in use (failover configuration). Only the interface with the lowest security id drops inbound TCP connections; the other 3 interfaces send a TCP RST back. Both services resetinbound and resetoutside are deactivated, as is the default. To my understanding, all interfaces should drop denied inbound TCP connections. What am I doing wrong?&lt;/P&gt;&lt;P&gt;Thanks for any help.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Daniel &lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 07:36:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-6-3-3-droping-denied-tcp-connections/m-p/305046#M561328</guid>
      <dc:creator>druch</dc:creator>
      <dc:date>2020-02-21T07:36:19Z</dc:date>
    </item>
    <item>
      <title>Re: PIX 6.3(3): dropping denied TCP connections</title>
      <link>https://community.cisco.com/t5/network-security/pix-6-3-3-droping-denied-tcp-connections/m-p/305047#M561330</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;This should not be the case.  Are you certain the PIX is sending back the RST packets and not the target host?  How are you determining this is happening?  You are correct in your understanding, the PIX should appear to be a black hole on your network.  Firewalls are less useful if you know they are there...hence the reason we drop the packets rather than responding and letting the potential attacker know that the hosts exist.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Scott&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 31 Aug 2004 15:10:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-6-3-3-droping-denied-tcp-connections/m-p/305047#M561330</guid>
      <dc:creator>scoclayton</dc:creator>
      <dc:date>2004-08-31T15:10:11Z</dc:date>
    </item>
    <item>
      <title>Re: PIX 6.3(3): dropping denied TCP connections</title>
      <link>https://community.cisco.com/t5/network-security/pix-6-3-3-droping-denied-tcp-connections/m-p/305048#M561331</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Scott,&lt;/P&gt;&lt;P&gt;We've tested the interfaces with a port scanner (nmap) and noticed this behaviour. As I wrote before, only the interface with the lowest security id didn't send back an RST on blocked ports.&lt;/P&gt;&lt;P&gt;Is it possible that the failover configuration has something to do with that?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Daniel &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 31 Aug 2004 18:56:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-6-3-3-droping-denied-tcp-connections/m-p/305048#M561331</guid>
      <dc:creator>druch</dc:creator>
      <dc:date>2004-08-31T18:56:38Z</dc:date>
    </item>
    <item>
      <title>Re: PIX 6.3(3): dropping denied TCP connections</title>
      <link>https://community.cisco.com/t5/network-security/pix-6-3-3-droping-denied-tcp-connections/m-p/305049#M561332</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Nope, the failover configuration should have nothing to do with this.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We have tested this behavior many times and I am confident that the PIX does not behave as indicated above.  At this point, I would suggest you go ahead and open a TAC case so that an engineer can take a look at your test setup and find the issue.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Sorry for the problems.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Scott&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 31 Aug 2004 19:20:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-6-3-3-droping-denied-tcp-connections/m-p/305049#M561332</guid>
      <dc:creator>scoclayton</dc:creator>
      <dc:date>2004-08-31T19:20:43Z</dc:date>
    </item>
    <item>
      <title>Re: PIX 6.3(3): dropping denied TCP connections</title>
      <link>https://community.cisco.com/t5/network-security/pix-6-3-3-droping-denied-tcp-connections/m-p/305050#M561336</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Scott,&lt;/P&gt;&lt;P&gt;Thanks for your input. So, I'll open a TAC case.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Daniel&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 01 Sep 2004 05:15:17 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-6-3-3-droping-denied-tcp-connections/m-p/305050#M561336</guid>
      <dc:creator>druch</dc:creator>
      <dc:date>2004-09-01T05:15:17Z</dc:date>
    </item>
  </channel>
</rss>

