service resetinbound not working for PAT??

dbadic
Level 1

I'm seeing some strange behavior on PIX when PAT is enabled and I have to use service resetinbound in order to speed up the ident process.

global (outside) 1 209.83.175.141-209.83.175.142
global (outside) 1 209.83.175.143
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

For the first two clients on the inside interface that use NAT, service resetinbound works fine, but for all clients forced to share PAT address 209.83.175.143, resetinbound is not helping. Sessions to the servers on the outside interface that require ident take forever, seriously degrading the user experience. I can capture ident packets hitting the outside interface on the PIX, but all those packets are silently discarded by the PIX.

Is this standard behavior for all PIX OS, or is my

Cisco PIX Firewall Version 6.1(4)

part of the problem? Or is there anything else that needs to be considered here?

Thanks in advance.

2 Replies

scoclayton
Level 7

Hi,

No, this is not standard behavior for the PIX. We modified the PIX to apply the 'service resetinbound' command for the PAT address around the 6.0 timeframe. So, if 'service resetinbound' is configured, and the remote server is sending an IDENT packet to the PIX PAT address, and we are not responding with a RST, then something is broken. If you can capture a sniffer trace showing this, please open a TAC case so that we can take a look. Sorry for the non-helpful answer but this is probably a bit more than we want to tackle on NetPro.

Thanks,

Scott

Scott,

I can't open a TAC case since I don't have smart maintenance. I bought a new PIX through a reseller a couple of days ago and unfortunately ended up with 6.1. I don't know if I can go to Cisco with this before figuring out if it is a config or PIX OS problem.

Anyway, here are more details:

POP3, SMTP server is 209.83.184.33
PAT address used by PIX: 209.83.175.143

When I try to connect to server 209.83.184.33 there are 3 ident packets hitting the PIX outside interface (see result of debug packet outside src 209.83.184.33 proto tcp dport 113 both). The outside sniffer also captures 3 packets from 209.83.184.33 --> 209.83.175.143 and confirms that the PIX is not sending anything back on the ident port.

The PIX is only logging the following:

110001: No route to 209.83.175.143 from 209.83.184.33

In case of NAT everything looks OK (the PIX sends an RST packet back to 209.83.184.33 and sessions are fast).

Here is the ident packet captured on the PIX and sniffer:

--------- PACKET ---------
-- IP --
209.83.184.33 ==> 209.83.175.143
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c
id = 0xb457 flags = 0x40 frag off=0x0
ttl = 0x3f proto=0x6 chksum = 0x7d0c
-- TCP --
source port = 0xa36c dest port = 0x71syn
seq = 0x8768649a
ack = 0x0
hlen = 0xa window = 0x16d0
checksum = 0xb151 urg = 0x0
tcp options: 0x2 0x4 0x5 0xb4
0x4 0x2 0x8 0xa 0x11 0x59 0xd4 0x53
0x0 0x0 0x0 0x0 0x1 0x3 0x3 0x0
--------- END OF PACKET ---------

Thanks in advance,

Damir
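The dump layout in the reply above can be triaged mechanically. What follows is an added example, not code from the post, from Cisco or from the PIX: a small Python parser for the `debug packet` records shown, which pulls out each inbound IDENT (TCP/113) SYN sent to a translated address and checks whether an RST from that address appears in the same capture. The sample dump is constructed: its first record mirrors the packet Damir pasted, while the other two (a probe to the NAT address 209.83.175.141 and the RST answering it) are made up to show the working case. How the PIX renders TCP flags apart from the run-together `0x71syn` form in the post is an assumption, so the parser accepts both that form and a separate `flags =` line.

```python
"""Triage helper for the PIX 'debug packet' dump quoted above.

Added example, not code from the original post or from Cisco. It parses the
dump layout the poster pasted, picks out inbound IDENT (TCP/113) SYNs aimed at
a translated address and reports whether an RST came back from that address.
A SYN with no RST is the 'silently discarded' case that leaves the mail client
waiting for the server's ident lookup to time out.
"""
import re
from dataclasses import dataclass

IDENT_PORT = 113  # printed as 0x71 in the dump


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()


PACKET_START = re.compile(r"-+ PACKET -+")
IP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) ==> (\d+\.\d+\.\d+\.\d+)\s*$", re.M)
PROTO = re.compile(r"proto\s*=\s*(0x[0-9a-f]+)", re.I)
SPORT = re.compile(r"source port\s*=\s*(0x[0-9a-f]+)", re.I)
# In the post's paste the TCP flag names run straight into the destination
# port ("dest port = 0x71syn"). Since 'a' and 'f' are also hex digits, the
# port is matched lazily and only whole flag names may follow it.
FLAG_NAMES = r"(?:syn|ack|fin|rst|psh|urg|[|, ])*"
DPORT = re.compile(r"dest port\s*=\s*(0x[0-9a-f]+?)(" + FLAG_NAMES + r")\s*$", re.I | re.M)
# Assumed alternative layout: flags printed on their own line in the TCP block.
FLAGS_LINE = re.compile(r"^flags\s*=\s*([a-z|, ]+)$", re.I | re.M)


def _flag_set(text: str) -> frozenset:
    return frozenset(f.lower() for f in re.findall(r"[a-z]+", text, re.I))


def parse_debug_packets(text: str) -> list:
    """Split a debug packet dump into Packet records (non-TCP ones keep port 0)."""
    packets = []
    for chunk in PACKET_START.split(text)[1:]:
        ip, proto = IP_LINE.search(chunk), PROTO.search(chunk)
        if not (ip and proto):
            continue  # truncated record, nothing usable
        pkt = Packet(ip.group(1), ip.group(2), int(proto.group(1), 16))
        if pkt.proto == 6 and "-- TCP --" in chunk:
            tcp = chunk.split("-- TCP --", 1)[1]
            sport, dport, line = SPORT.search(tcp), DPORT.search(tcp), FLAGS_LINE.search(tcp)
            flags = _flag_set(dport.group(2) if dport else "") | _flag_set(line.group(1) if line else "")
            pkt = Packet(pkt.src, pkt.dst, 6, int(sport.group(1), 16) if sport else 0,
                         int(dport.group(1), 16) if dport else 0, flags)
        packets.append(pkt)
    return packets


def ident_probe_report(packets) -> dict:
    """Map (server, translated address, server port) of each inbound IDENT SYN
    to True when an RST from the translated address answered it, else False."""
    report = {}
    for p in packets:
        if p.proto != 6 or p.dport != IDENT_PORT or "syn" not in p.flags or "ack" in p.flags:
            continue
        report[(p.src, p.dst, p.sport)] = any(
            q.proto == 6 and q.src == p.dst and q.dst == p.src
            and q.sport == IDENT_PORT and q.dport == p.sport and "rst" in q.flags
            for q in packets)
    return report


def unanswered_ident_probes(packets, translated_address: str) -> list:
    """(server, server port) pairs whose IDENT SYN to translated_address got no RST."""
    return sorted((server, port) for (server, dst, port), answered
                  in ident_probe_report(packets).items()
                  if dst == translated_address and not answered)


# Constructed sample: the first record mirrors the SYN the poster pasted; the
# other two are made up to show a probe to a NAT address that the PIX answered.
SAMPLE_DEBUG = """\
--------- PACKET ---------
-- IP --
209.83.184.33 ==> 209.83.175.143
ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c
id = 0xb457 flags = 0x40 frag off=0x0
ttl = 0x3f proto=0x6 chksum = 0x7d0c
-- TCP --
source port = 0xa36c dest port = 0x71syn
seq = 0x8768649a
ack = 0x0
--------- END OF PACKET ---------
--------- PACKET ---------
-- IP --
209.83.184.33 ==> 209.83.175.141
ttl = 0x3f proto=0x6 chksum = 0x7d0d
-- TCP --
source port = 0xa36d dest port = 0x71syn
--------- END OF PACKET ---------
--------- PACKET ---------
-- IP --
209.83.175.141 ==> 209.83.184.33
ttl = 0x80 proto=0x6 chksum = 0x0
-- TCP --
source port = 0x71 dest port = 0xa36drst|ack
--------- END OF PACKET ---------
"""

if __name__ == "__main__":
    for (server, translated, port), ok in ident_probe_report(parse_debug_packets(SAMPLE_DEBUG)).items():
        print(f"IDENT probe {server}:{port} -> {translated}: {'RST sent' if ok else 'no RST (dropped)'}")
```

Run over a longer capture taken with `debug packet outside ... proto tcp dport 113 both`, the report separates probes that the PIX refused with an RST from those it dropped, which is the quickest way to show whether the missing RSTs are confined to the PAT address, as in the thread, before escalating.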