PIX - match-any?

admin_2 (Level 3)

Hi,

I'm running a PIX 515E, 6.1. I would like to run some port scans FROM a host on the inside against my server on the Internet. Unfortunately, when the inside host starts a stealth scan - sending ACK packets instead of SYNs - the PIX blocks the outbound packets. Log entries look like this:

%PIX-6-106015: Deny TCP (no connection) from 192.168.200.101/20 to www.xxx.yyy.zzz/77 flags ACK on interface inside

I read that Cisco IOS supports a kind of access-list that filters on TCP flags, e.g. it is possible to allow packets with the ACK bit set even though there is no corresponding entry in the connection table. I think the command is 'match-all' or 'match-any'. However, it seems there is no equivalent command for the PIX. Hopefully I'm wrong...

Can anyone tell me if there is a command that will enable me to allow outbound packets for which there is no entry in the connection table?
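The %PIX-6-106015 line quoted above is also what a defender sees when an ACK scan crosses a stateful firewall: every probe that has no matching entry in the connection table is denied and logged with its flags. The following is an added example, not part of the original post or of any Cisco tool, showing how to parse those messages and flag a source that is probing many ports on one destination with bare ACKs. The regex, the `find_ack_scans` threshold, the hostnames and the sample log lines are all my own constructions; only the message format comes from the post.

```python
import re
from collections import defaultdict

# Format of the message quoted in the post (with an optional syslog prefix):
# %PIX-6-106015: Deny TCP (no connection) from SRC/PORT to DST/PORT flags FLAGS on interface IFACE
MSG_106015 = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\w.\-]+)/(?P<sport>\d+) to (?P<dst>[\w.\-]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Constructed sample log: an ACK sweep from the inside host in the post against
# one Internet server (documentation address), plus noise that must not match.
SAMPLE_LOG = [
    "Mar 10 12:00:01 pix515e %PIX-6-106015: Deny TCP (no connection) from 192.168.200.101/20 to 203.0.113.10/22 flags ACK on interface inside",
    "Mar 10 12:00:01 pix515e %PIX-6-106015: Deny TCP (no connection) from 192.168.200.101/20 to 203.0.113.10/25 flags ACK on interface inside",
    "Mar 10 12:00:01 pix515e %PIX-6-106015: Deny TCP (no connection) from 192.168.200.101/20 to 203.0.113.10/53 flags ACK on interface inside",
    "Mar 10 12:00:02 pix515e %PIX-6-106015: Deny TCP (no connection) from 192.168.200.101/20 to 203.0.113.10/80 flags ACK on interface inside",
    "Mar 10 12:00:02 pix515e %PIX-6-106015: Deny TCP (no connection) from 192.168.200.101/20 to 203.0.113.10/443 flags ACK on interface inside",
    # A stale RST from the same host: out of state, but not an ACK probe.
    "Mar 10 12:00:02 pix515e %PIX-6-106015: Deny TCP (no connection) from 192.168.200.101/1055 to 203.0.113.10/3389 flags RST on interface inside",
    # A single late ACK from another inside host: one port, below the threshold.
    "Mar 10 12:00:03 pix515e %PIX-6-106015: Deny TCP (no connection) from 192.168.200.50/3201 to 203.0.113.10/8080 flags ACK on interface inside",
    # A SYN ACK arriving on the outside interface: different interface, not counted.
    "Mar 10 12:00:03 pix515e %PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/80 to 192.168.200.101/1066 flags SYN ACK on interface outside",
    # Unrelated message type.
    "Mar 10 12:00:04 pix515e %PIX-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.10/80 to inside:192.168.200.101/1070",
]


def parse_106015(line):
    """Return a dict (src, sport, dst, dport, flags, iface) for a 106015 line, or None."""
    m = MSG_106015.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = rec["flags"].split()  # e.g. ["ACK"] or ["SYN", "ACK"]
    return rec


def find_ack_scans(lines, iface="inside", min_ports=5):
    """Group bare-ACK denials on `iface` by (src, dst) and return the pairs that
    touched at least `min_ports` distinct destination ports, with the port list."""
    ports_by_pair = defaultdict(set)
    for line in lines:
        rec = parse_106015(line)
        if rec is None or rec["iface"] != iface:
            continue
        # A bare ACK (no SYN) with no connection entry is the ACK-scan signature;
        # SYN ACK replies and RSTs are excluded.
        if "ACK" in rec["flags"] and "SYN" not in rec["flags"]:
            ports_by_pair[(rec["src"], rec["dst"])].add(rec["dport"])
    return {pair: sorted(ports) for pair, ports in ports_by_pair.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for (src, dst), ports in find_ack_scans(SAMPLE_LOG).items():
        print(f"possible ACK scan from {src} to {dst}: {len(ports)} ports {ports}")
```

The threshold and the time window (none here; the sample is a single burst) are the knobs to tune against real traffic: long-lived connections that age out of the PIX table also produce stray ACK denials, but they hit one port, not a spread of them.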

1 Reply

ehirsel (Level 6)

I am not aware of any such command on the PIX. If there is a router where the server resides that can act as an IPsec peer, then you can run the scan over an IPsec tunnel between your workstation and that gateway. Just configure the PIX to allow the IPsec traffic between the hosts. You can accomplish this using GRE/PPTP as well.
