PIX and Fragment Handling
01-17-2003 10:52 AM - edited 02-20-2020 10:30 PM
How does the PIX handle initial IP fragments? Does it automatically forward any initial IP fragment that passes the ACL's or does it hold the fragment until all fragments have arrived?
Thanks.
Kevin
01-18-2003 05:02 AM
Hi,
have a look at this URL:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a00800b1138.html
You'll find this info over there:
Preventing Fragmented Packets
By default the PIX Firewall accepts up to 24 fragments to reconstruct a full IP packet. Based on your network security policy, you should consider configuring the PIX Firewall to prevent fragmented packets from traversing the firewall by entering the fragment chain 1 interface command on each interface. Setting the limit to 1 means that all packets must be whole; that is, unfragmented.
For example, to prevent fragmented packets on the outside and inside interfaces enter:
fragment chain 1 outside
fragment chain 1 inside
Continue entering the fragment chain 1 interface command for each additional interface on which you want to prevent fragmented packets.
For more information about the fragment command, refer to the Cisco PIX Firewall Command Reference at: /en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801049b7.html#xtocid15
The PIX Firewall also includes FragGuard for additional IP fragmentation protection. For more information, refer to the Cisco PIX Firewall and VPN Configuration Guide at: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/overvw.htm#1046527
Kind Regards,
Tom
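The fragment chain limit quoted above, as an added model written for this thread (it is not PIX code and does not claim to be Cisco's implementation): fragments of one datagram are held until the chain is complete, unfragmented packets are forwarded at once, a chain longer than the limit is discarded, and with a limit of 1 every fragment is dropped, which is what "fragment chain 1" enforces. The Fragment fields and the verdict strings are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """Constructed view of the IP header fields that matter for reassembly."""
    src: str
    dst: str
    ident: int      # IP identification field, shared by all fragments of a datagram
    offset: int     # fragment offset in 8-byte units, as carried in the header
    more: bool      # MF (more fragments) flag
    length: int     # payload bytes in this fragment


class FragmentChainPolicy:
    """Per-interface model of 'fragment chain <n>' (assumption: simplified, not PIX internals)."""

    def __init__(self, chain_limit=24):          # 24 is the default the release note quotes
        self.chain_limit = chain_limit
        self.pending = {}                        # (src, dst, ident) -> fragments held so far

    def accept(self, frag):
        """Return 'forward', 'hold', 'complete' or 'drop' for one arriving fragment."""
        if not frag.more and frag.offset == 0:
            return "forward"                     # whole packet: nothing to reassemble
        if self.chain_limit <= 1:
            return "drop"                        # chain 1: no fragmented packet may pass
        key = (frag.src, frag.dst, frag.ident)
        chain = self.pending.setdefault(key, [])
        chain.append(frag)
        if len(chain) > self.chain_limit:
            del self.pending[key]                # too many pieces: discard the whole datagram
            return "drop"
        if self._complete(chain):
            del self.pending[key]
            return "complete"                    # all pieces present, datagram can be released
        return "hold"                            # initial fragment is NOT forwarded early

    def _complete(self, chain):
        """True when the held fragments cover the datagram end to end with no gap."""
        last = [f for f in chain if not f.more]  # the fragment with MF clear fixes total size
        if not last:
            return False
        total = last[0].offset * 8 + last[0].length
        covered = 0
        for f in sorted(chain, key=lambda f: f.offset):
            if f.offset * 8 > covered:
                return False                     # gap before this fragment
            covered = max(covered, f.offset * 8 + f.length)
        return covered >= total


def run(policy, frags):
    """Feed a constructed sequence of fragments through one policy, returning the verdicts."""
    return [policy.accept(f) for f in frags]
```

Out-of-order arrival is handled by the coverage check, so the last fragment arriving first is simply held until the earlier pieces fill the gap.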
