01-07-2003 02:47 PM - edited 03-09-2019 01:35 AM
One of the ISPs I connect to for POP3 mail sends an ACK request from a server with a different IP address than the POP3 server's each time I log on to check email. This causes timeout problems because my PIX doesn't respond. The PIX log entries read, "Deny TCP (no connection) from x.x.x.x/80 to x.x.x.x/1982 flags ACK on interface outside".
I've figured out that the "service resetoutside" command eliminates the timeout problem, but it also makes my system non-stealthy when port scanned. Is there a way I can establish a rule that will cause the PIX to respond to ACK requests from only certain IP addresses?
Thanks for your help,
Steve W.
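To see which outside hosts are actually producing the "Deny TCP (no connection)" entries quoted above (and whether they are bare ACKs, as in the post), a small triage over the PIX log is useful before talking to the ISP. This is an added example, not code from the thread; the log lines are constructed samples in the message format the post quotes, and the IP addresses are documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Matches the message body shown in the post; any syslog prefix before
# "Deny TCP" is tolerated because re.search is used.
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) "
    r"to (?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) flags (?P<flags>.+?) "
    r"on interface (?P<iface>\w+)"
)

# Constructed sample log: three stray ACKs from one web server (the
# symptom in the post) plus two unrelated denials with other flags.
SAMPLE_LOG = """\
Deny TCP (no connection) from 198.51.100.10/80 to 192.0.2.5/1982 flags ACK on interface outside
Deny TCP (no connection) from 198.51.100.10/80 to 192.0.2.5/1983 flags ACK on interface outside
Deny TCP (no connection) from 198.51.100.10/80 to 192.0.2.5/1984 flags ACK on interface outside
Deny TCP (no connection) from 203.0.113.7/443 to 192.0.2.5/2210 flags SYN ACK on interface outside
Deny TCP (no connection) from 203.0.113.9/25 to 192.0.2.5/3000 flags FIN ACK on interface outside
"""


def parse_denies(text):
    """Return one dict per 'Deny TCP (no connection)' line; ports as ints."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # unrelated log line
        ev = m.groupdict()
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        ev["flags"] = ev["flags"].strip()
        events.append(ev)
    return events


def flags_by_source(events):
    """Map each outside source to a Counter of the TCP flag strings it sent."""
    summary = defaultdict(Counter)
    for ev in events:
        summary[ev["src"]][ev["flags"]] += 1
    return summary


def stray_ack_sources(events, min_count=2):
    """Sources that repeatedly send bare ACKs with no matching connection,
    i.e. the pattern the PIX drops and 'service resetoutside' would RST."""
    counts = Counter(ev["src"] for ev in events if ev["flags"] == "ACK")
    return {src: n for src, n in counts.items() if n >= min_count}
```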
01-07-2003 04:04 PM
No, you can't do this on the PIX. The "service resetoutside" will make it respond to all connection requests, no way to minimise it.
I would be talking to your ISP and asking why on earth they're doing that, because it seems to be violating protocol specifications and any firewall worth its weight would drop that packet.
01-08-2003 06:13 AM
I would have to agree with the above. Your scenario seems to be very questionable. I am wondering just how they are responding back to your initial syn with an ack from another machine, that is NOT the machine you sent the initial request to? Interesting.
Also, have you gone to:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/syslog/pixemapa.htm
I think I remember seeing something on this. Insert your error code and go from there.
Hope this helps.