PIX and IP directed broadcast

s-daly (Level 1)

Is it possible to allow (configure) forwarding of IP directed broadcasts from a specified host or hosts as the source on a PIX firewall running 6.3?

I've seen this done on IOS, but cannot find a reference for it for the PIX.

Thanks.

Accepted Solution

Following is probably more information than you ever wanted about the subject. Sorry, but I got on a roll...

By default, for inbound traffic, the PIX will deny translations for a destination IP address that is identified as a network address or broadcast address. The PIX uses the global IP and mask from the configured "static" to distinguish a regular IP from a network/broadcast IP. If the global IP is a valid network address with a matching network mask, then the PIX will disallow the xlate for network/broadcast IPs for inbound packets. For example,

static (inside,outside) 100.1.1.128 10.1.1.128 netmask 255.255.255.128

Global address 100.1.1.128 will be treated as the network address and 100.1.1.255 as the broadcast address. Without an existing xlate, the PIX will deny inbound packets destined for 100.1.1.128 or 100.1.1.255, and the following syslog will be logged.

305006: Dst IP is nework/broadcast IP, translation creation failed for icmp src 3rd:100.2.1.99 dst inside:100.2.1.128 (type 8, code 0)

To work around this in cases where the IP is really a host IP, a separate static with a host mask needs to be configured in front of the subnet static (first-match rule for statics). The following static will force the PIX to treat 100.1.1.128 as a host address.

static (inside,outside) 100.1.1.128 10.1.1.128 netmask 255.255.255.255

static (inside,outside) 100.1.1.128 10.1.1.128 netmask 255.255.255.128

Note, the xlate may be created by traffic started from the inside host with the IP address in question.

Mildly somewhat clear?

Scott

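As an added illustration (not part of Scott's post and not PIX code), the following Python models the rule the accepted answer describes: inbound destinations are checked against the ordered static list, first match wins, a static whose global IP is the network address of its mask makes that address and the subnet's broadcast address non-host, and a host-mask static placed in front of the subnet static restores host treatment. The statics and addresses are the ones from the answer; the list names, function names and the "no-static" / "host" / "network" / "broadcast" labels are this example's own assumptions.

```python
import ipaddress

# Constructed model of the PIX 6.3 behaviour described in the accepted answer.
# Illustrative code only, not PIX source.
#
# Each static is (global_ip, local_ip, netmask), mirroring
#   static (inside,outside) <global> <local> netmask <mask>
SUBNET_ONLY = [
    ("100.1.1.128", "10.1.1.128", "255.255.255.128"),
]

# The work-around from the answer: a host-mask static placed in front of the
# subnet static for the same address.
HOST_FIRST = [
    ("100.1.1.128", "10.1.1.128", "255.255.255.255"),
    ("100.1.1.128", "10.1.1.128", "255.255.255.128"),
]

# Same two statics in the wrong order; the subnet static matches first.
HOST_LAST = list(reversed(HOST_FIRST))


def global_range(static):
    """The global address range a static covers, as an ip_network."""
    global_ip, _local_ip, mask = static
    return ipaddress.ip_network(f"{global_ip}/{mask}", strict=False)


def match_static(dst, statics):
    """First static whose global range contains dst, or None (first-match rule)."""
    d = ipaddress.ip_address(dst)
    for static in statics:
        if d in global_range(static):
            return static
    return None


def classify_inbound(dst, statics):
    """Classify an inbound destination under the matching static.

    Returns 'no-static' when nothing matches, 'host' when an xlate would be
    created, and 'network' or 'broadcast' when the PIX would refuse the xlate
    (the case that produces syslog 305006 in the answer).
    """
    static = match_static(dst, statics)
    if static is None:
        return "no-static"
    net = global_range(static)
    d = ipaddress.ip_address(dst)
    # A host mask covers a single address, so there is no separate
    # network/broadcast address to collide with: plain host treatment.
    if net.prefixlen == 32:
        return "host"
    # Only a static whose global IP is the network address of its mask is a
    # subnet static in the answer's sense; any other global IP is a host entry.
    if ipaddress.ip_address(static[0]) != net.network_address:
        return "host"
    if d == net.network_address:
        return "network"
    if d == net.broadcast_address:
        return "broadcast"
    return "host"


def xlate_allowed(dst, statics):
    """True when an inbound packet to dst would get a translation created."""
    return classify_inbound(dst, statics) == "host"


if __name__ == "__main__":
    for label, statics in (("subnet only", SUBNET_ONLY),
                           ("host static first", HOST_FIRST),
                           ("host static last", HOST_LAST)):
        for dst in ("100.1.1.128", "100.1.1.130", "100.1.1.255"):
            print(f"{label:18} {dst:12} -> {classify_inbound(dst, statics)}")
```

Running it shows why the ordering matters: with the host-mask static in front, 100.1.1.128 is classified "host" and gets an xlate, while with the same two statics reversed the subnet static matches first and 100.1.1.128 is still the network address. 100.1.1.255 stays "broadcast" in every ordering, since nothing in the answer's work-around covers it.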

4 Replies

hoangbp (Level 1)

Hi s-daly:

IP directed broadcast is disabled by default on router interfaces due to its potential for denial-of-service attacks (Smurf). The PIXes would also drop directed broadcast traffic sent to their interfaces (to the best of my knowledge), and that is a good thing.

Is there any particular reason why you need to allow directed broadcasts on the PIXes?

Thanks,

Binh

The position of routers is quite different from the PIX in terms of directed broadcast. A router can determine whether a packet is a directed broadcast, but only if the packet's destination is a connected network. I do not see how a PIX can determine whether a packet is a directed broadcast or not. For example, how would a PIX treat a packet whose destination was 192.168.1.127? (How would you decide whether this was a directed broadcast or not?)

Sean - I am having some difficulty in understanding the original post. Could you explain a little more clearly what you are trying to accomplish?

HTH

Rick


I realize that IP directed broadcast is disabled on the PIX for security reasons. I need to allow forwarding of IP directed broadcasts from a single host on one interface to a server DMZ. An application I'm using has to do host discovery on the DMZ and tries to use the broadcast address of the DMZ network (10.3.1.0/24; the app is trying to connect to 10.3.1.255) to connect to all servers in the DMZ. I need to allow this to happen, but it is currently being denied by the PIX. Is there any way I can override this?

Also, I fully understand the security implications of doing this. Unfortunately, I don't have many options.

Thanks.

