https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087042#M892781 <HTML><HEAD></HEAD><BODY><P>Please see the other replies on this, but no there is no way to do policies like this in 6.X like there is in 7.X. For us, it was not needed in 6.X, it just worked. We did require the change on the 7.X side. </P></BODY></HTML> Thu, 04 Dec 2008 17:20:44 GMT Tom.Weast 2008-12-04T17:20:44Z https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087037#M892776 <P>Hi all,</P><P></P><P>having trouble with the PIX firewall stripping the TCP options as traffic passes through. We have Citrix WAN scalers that use these options to accelerate TCP connections.</P><P></P><P>Can any one advise of the syntax to do this?</P><P></P><P>Does anyone know if PIX v7 command syntax differes from PIX v6 ?</P><P></P><P>I have command syntax for v7 below, but this does not seem to be accepted on our PIX 6 firewall.</P><P></P><P>pixfirewall(config)#access-list tcpmap extended permit tcp any any</P><P>pixfirewall(config)# tcp-map tcpmap</P><P>pixfirewall(config-tcp-map)# tcp-opt range 24 31 allow</P><P>pixfirewall(config-tcp-map)# exit</P><P>pixfirewall(config)# class-map tcpmap</P><P>pixfirewall(config-cmap)# match access-list tcpmap</P><P>pixfirewall(config-cmap)# exit</P><P>pixfirewall(config)# policy-map global_policy</P><P>pixfirewall(config-pmap)# class tcpmap</P><P>pixfirewall(config-pmap-c)# set connection advanced-options tcpmap</P><P></P><P>Thanks again guys!!</P> Mon, 11 Mar 2019 14:21:04 GMT https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087037#M892776 marioderosa2008 2019-03-11T14:21:04Z https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087038#M892777 <HTML><HEAD></HEAD><BODY><P>can i please have some advice on this...?</P><P></P><P>has no one come accross this kind of problem before?</P><P></P><P>Does any one know whether TCP policy mapping can be done on PIX v6.0?</P></BODY></HTML> Thu, 04 Dec 2008 16:41:04 GMT https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087038#M892777 marioderosa2008 2008-12-04T16:41:04Z https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087039#M892778 <HTML><HEAD></HEAD><BODY><P>We just ran into this exact problem today. One wanscaler was behind a PIX 6.3 firewall, and the other behind an ASA with version 7.X.</P><P></P><P>We found that the version 7 needed the above configuration, but the version 6 did not.</P><P></P><P>I could not find anywhere to set TCP Options in a PIX 6.X firewall. But as soon as we did the config on the 7.X firewall, it immediately started working end-to-end.</P></BODY></HTML> Thu, 04 Dec 2008 16:59:20 GMT https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087039#M892778 Tom.Weast 2008-12-04T16:59:20Z https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087040#M892779 <HTML><HEAD></HEAD><BODY><P>Mario,</P><P></P><P>There is a difference between Pix 6.x and 7.x. In Pix 6.x. all TCP options should pass unchanged. But, in Pix 7.x, you need the above commands to make Citrix work. </P><P></P><P>Regards,</P><P>Arul</P><P></P><P>*Pls rate if it helps*</P></BODY></HTML> Thu, 04 Dec 2008 17:10:32 GMT https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087040#M892779 ajagadee 2008-12-04T17:10:32Z https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087041#M892780 <HTML><HEAD></HEAD><BODY><P>thanks for the reply.</P><P></P><P>It has helped me rule out that the PIX firewall is not cauring the issue...</P><P></P><P>thanks again!</P></BODY></HTML> Thu, 04 Dec 2008 17:20:11 GMT https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087041#M892780 marioderosa2008 2008-12-04T17:20:11Z https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087042#M892781 <HTML><HEAD></HEAD><BODY><P>Please see the other replies on this, but no there is no way to do policies like this in 6.X like there is in 7.X. For us, it was not needed in 6.X, it just worked. We did require the change on the 7.X side. </P></BODY></HTML> Thu, 04 Dec 2008 17:20:44 GMT https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087042#M892781 Tom.Weast 2008-12-04T17:20:44Z https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087043#M892782 <HTML><HEAD></HEAD><BODY><P>Mario,</P><P></P><P>Your welcome. If the above posts resolves your issue, could you please update the forum that it resolved the issue and also rate if possible. </P><P></P><P>Thanks,</P><P>Arul</P></BODY></HTML> Thu, 04 Dec 2008 17:25:09 GMT https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087043#M892782 ajagadee 2008-12-04T17:25:09Z https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087044#M892783 <HTML><HEAD></HEAD><BODY><P>Mario,</P><P></P><P>There is a difference between Pix 6.x and 7.x. In Pix 6.x. all TCP options should pass unchanged. But, in Pix 7.x, you need the above commands to make Citrix work. </P><P></P><P>Regards,</P><P>Arul</P><P></P><P>*Pls rate if it helps*</P></BODY></HTML> Thu, 04 Dec 2008 18:56:11 GMT https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087044#M892783 ajagadee 2008-12-04T18:56:11Z https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087045#M892784 <HTML><HEAD></HEAD><BODY><P>I run into the same problem. Can u confirm 100% that pix 506 with 6.3(5) doesnt strip tcp options?</P></BODY></HTML> Mon, 31 Aug 2009 09:48:45 GMT https://community.cisco.com/t5/network-security/allowing-tcp-options-24-31-on-pix-v6-x/m-p/1087045#M892784 mkohlschmidt 2009-08-31T09:48:45Z