495 Views, 0 Helpful, 1 Replies

PIX 7.0(2) and "ip source-route"

w-pera
Level 1

Hi,

I have a client using SAP OSS. With 6.3(4) it is OK, but with 7.0(2) it doesn't work.

I see this message: %PIX-6-106012: Deny IP from XX to XX, IP options: "Router Alert".

SAPRouter uses source routing.

The Cisco IOS command "ip source-route" allows handling this functionality. What about PIX 7?

Regards,

Waldemar Pera

1 Reply

gfullage
Cisco Employee

I'm surprised this worked in 6.3, the PIX has never in its history allowed packets with IP Options to pass, it has always logged and dropped them.

The particular option you're seeing is, I presume, 0x14, defined here:

ftp://ftp.rfc-editor.org/in-notes/rfc2113.txt

There is no way to pass this packet through the PIX I'm afraid. If it did indeed work in 6.3 then it may not actually be this packet that is causing the problem, since as I mentioned 6.3 would have also dropped this packet. v7.0 does have some much stricter and more defined TCP features where packets will be dropped if they don't conform to certain standards, see the "TCP Normalization" documentation here:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/ids.htm#wp1042116

Are you sure there are no other syslogs being generated just after or before this that might give us further clues as to what's being denied? Failing that you will probably need to get sniffer traces from both sides of the PIX and open a TAC case to get it properly looked at.
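As an added example (not from this thread or from Cisco), a small Python parser that walks the options field of an IPv4 header, so a sniffer trace can be checked for exactly which option a packet carries: on the wire Router Alert is type 0x94 (option number 20 = 0x14 with the copied bit set, per RFC 2113), while source routing appears as LSRR 0x83 or SSRR 0x89. The verdict function mirrors the PIX behaviour described above of denying any packet with IP options; the header builder and addresses are constructed for the demo.

```python
import struct

# IPv4 option type bytes (copied flag | class | number), from RFC 791 and RFC 2113.
# Router Alert is option number 20 (0x14); with the copied flag set it is 0x94 on the wire.
OPTION_NAMES = {
    0x00: "End of Options List",
    0x01: "No Operation",
    0x07: "Record Route",
    0x83: "Loose Source Route",
    0x89: "Strict Source Route",
    0x94: "Router Alert",
}


def parse_ipv4_options(packet: bytes) -> list:
    """Walk the options area of an IPv4 header and return the option names found."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    options, names, i = packet[20:ihl], [], 0
    while i < len(options):
        otype = options[i]
        names.append(OPTION_NAMES.get(otype, "Unknown 0x%02x" % otype))
        if otype == 0x00:
            break                      # EOL ends the list; anything after is padding
        if otype == 0x01:
            i += 1                     # NOP is a single byte with no length field
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed option length")
        i += options[i + 1]
    return names


def firewall_verdict(packet: bytes) -> str:
    """Mimic the PIX rule described in the reply: any substantive IP option means deny."""
    real = [n for n in parse_ipv4_options(packet) if n not in ("End of Options List", "No Operation")]
    return "permit" if not real else "deny, IP options: " + ", ".join(real)


def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed test helper: minimal IPv4 header (checksum left zero) carrying `options`."""
    options += b"\x00" * (-len(options) % 4)            # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                        bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return fixed + options


# Constructed samples: Router Alert (type 0x94, len 4, value 0) and a one-hop LSRR (type 0x83).
ROUTER_ALERT = bytes([0x94, 0x04, 0x00, 0x00])
LSRR_ONE_HOP = bytes([0x83, 0x07, 0x04, 192, 0, 2, 1])
```

Feed it the first IHL*4 bytes of each IP packet from a capture to see whether the traffic really carries a source-route option or only Router Alert.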
