446 Views, 0 Helpful, 4 Replies

PIX 6.3(3): dropping denied TCP connections

druch
Level 1

Hi,

Reading the specs, the PIX should silently drop denied inbound TCP packets. We have two PIX 515E 6.3(3) with 4 "outside" interfaces in use (failover configuration). Only the interface with the lowest security id drops inbound TCP connections; the other 3 interfaces send a TCP RST back. Both services resetinbound and resetoutside are deactivated, as is the default. To my understanding, all interfaces should drop denied inbound TCP connections. What am I doing wrong?

Thanks for any help.

Daniel

4 Replies

scoclayton
Level 7

This should not be the case. Are you certain the PIX is sending back the RST packets and not the target host? How are you determining this is happening? You are correct in your understanding, the PIX should appear to be a black hole on your network. Firewalls are less useful if you know they are there...hence the reason we drop the packets rather than responding and letting the potential attacker know that the host exists.

Scott

Hi Scott,

We've tested the interfaces with a port scanner (nmap) and noticed this behaviour. As I wrote before, only the interface with the lowest security id didn't send back an RST on blocked ports.

Is it possible that the failover configuration has something to do with that?

Daniel
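The distinction Daniel is testing for shows up directly in nmap's port states: a port that answers with a RST is reported as "closed", while a port whose probe gets no reply is reported as "filtered". The following added example (not part of the thread, and not Cisco code) parses nmap's greppable output (`-oG`) and tells, per scanned interface address, whether the denied ports were silently dropped or answered with RST. The sample scan text and the 192.0.2.x addresses are constructed for the example; the parsing assumes the standard `Host: ... Ports: port/state/proto//service///` line layout of `-oG` output.

```python
import re
from collections import Counter

# Constructed sample of nmap greppable (-oG) output for two firewall
# interface addresses and one host that did not respond at all.
# 192.0.2.10 behaves like a silent drop, 192.0.2.20 answers with RST.
SAMPLE_NMAP_GREPPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tPorts: 25/open/tcp//smtp///, 80/filtered/tcp//http///, 443/filtered/tcp//https///, 3389/filtered/tcp//ms-wbt-server///
Host: 192.0.2.20 ()\tPorts: 25/open/tcp//smtp///, 80/closed/tcp//http///, 443/closed/tcp//https///, 3389/closed/tcp//ms-wbt-server///
Host: 192.0.2.30 ()\tStatus: Down
"""

# One entry of the Ports: field: <port>/<state>/<proto>//<service>///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")


def parse_greppable(text):
    """Return {host: Counter(state -> number of ports)} from -oG output.

    Hosts without a Ports: field (down, or nothing reported) are skipped.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        match = re.search(r"Ports:\s*(.*)", line)
        if not match:
            continue
        counts = Counter()
        for _port, state, _proto in PORT_RE.findall(match.group(1)):
            counts[state] += 1
        results[host] = counts
    return results


def classify_interface(counts):
    """Classify how an interface treated the ports it did not permit.

    nmap reports 'closed' when a RST came back and 'filtered' when the
    probe got no answer, so for a firewall interface that should be a
    black hole every denied port ought to show up as 'filtered'.
    """
    closed = counts.get("closed", 0)
    filtered = counts.get("filtered", 0)
    if closed == 0 and filtered == 0:
        return "no denied ports observed"
    if closed == 0:
        return "drop"
    if filtered == 0:
        return "rst"
    return "mixed"


def summarize(text):
    """Map each scanned address to its verdict: drop, rst, mixed, ..."""
    return {host: classify_interface(c) for host, c in parse_greppable(text).items()}


if __name__ == "__main__":
    for host, verdict in summarize(SAMPLE_NMAP_GREPPABLE).items():
        print(f"{host}: {verdict}")
```

A "rst" verdict on its own does not yet say who sent the reset: as Scott asks above, the RST may come from the PIX or from a host behind it that was actually reachable on that port. Running the same scan against a port that is explicitly denied by an access-list, and capturing on the outside segment to check the RST's source MAC and TTL against the firewall's, separates the two cases before a TAC case is opened.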

Nope, the failover configuration should have nothing to do with this.

We have tested this behavior many times and I am confident that the PIX does not behave as indicated above. At this point, I would suggest you go ahead and open a TAC case so that an engineer can take a look at your test setup and find the issue.

Sorry for the problems.

Scott

Hi Scott,

Thanks for your input. So, I'll open a TAC case.

Daniel
