08-02-2006 05:23 AM - edited 02-21-2020 02:33 PM
Hi everybody. I have a problem with a PIX firewall running software 7.0(4). Some clients behind the PIX cannot connect to their central office with their VPN client (not only the Cisco VPN client, some other VPN clients too), and the Exchange server cannot receive big files.
In the log the PIX writes this error:
event 419001 pix 7.0(4) MSS exceeded
I found how to resolve it on the Cisco site, like this:
Explanation: This message is generated when the length of the TCP packet exceeds the MSS advertised in the 3-way handshake.
src_ifc: Input interface name
src_IP: The source IP address of the packet
src_port: The source port of the packet
dest_ifc: The output interface name
dest_IP: The destination IP address of the packet
dest_port: The destination port of the packet
Recommended Action: If there is a need to allow packets that exceed the MSS, create a TCP map using the exceed-mss command, as in the following example:
access-list http-list permit tcp any host server_ip eq 80
class-map http
 match access-list http-list
tcp-map tmap
 exceed-mss allow
policy-map global_policy
 class http
  set connection advanced-options tmap
service-policy global_policy global
But it doesn't resolve my problem with Exchange, and I urgently need to resolve it, because Exchange does not work well; if I change the PIX for a Linux firewall, Exchange works well. How can I resolve this problem?
And how can I make it so that all VPN clients behind the PIX can connect to their VPN server? Which changes do I make in the PIX firewall?
My PIX config:
spfg# sh run
: Saved
:
PIX Version 7.0(4)
!
hostname spfg
domain-name simple.com
enable password xxx
names
!
interface Ethernet0
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd lpW.MGeEHg0ISQZq encrypted
ftp mode passive
access-list outside extended permit tcp any host x.x.x.x eq smtp
access-list outside extended permit tcp any host x.x.x.x eq pop3
access-list outside extended permit tcp any host x.x.x.x eq www
access-list outside extended permit tcp any host x.x.x.x eq ssh
access-list outside extended deny ip any any log
!
tcp-map tmap
exceed-mss allow
no ttl-evasion-protection
!
pager lines 24
logging enable
logging trap informational
logging asdm warnings
logging mail informational
mtu outside 1500
mtu inside 1500
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image flash:/asdm
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) 85.132.22.42 192.168.10.1 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
!
class-map smtp
match access-list outside
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_smtp
class smtp
set connection advanced-options tmap
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect esmtp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
spfg#
08-02-2006 06:19 AM
The solution that I use to allow any type of client vpn connection to connect from behind my firewall is this:
access-list vpn_client permit esp any any
access-list vpn_client permit gre any any
access-list vpn_client permit udp any any eq 500
global (outside) 50 x.x.x.100-x.x.x.104 netmask 255.255.255.x
nat (inside) 50 access-list vpn_client
The access list should catch nearly any vpn traffic and translate it to an address in the global pool instead of getting PATed like other traffic. This works well for me.
As for your exchange issues, I really don't have a clear understanding of your problem yet. Can you provide further details?
HTH pls rate!
08-02-2006 12:09 PM
About Exchange: when it tries to receive a mail of 50 KB, the PIX passes it and Exchange can receive this mail, but when it tries to receive mail of 500 KB, 700 KB or 1 MB, the PIX doesn't pass it. Exchange reports a timeout on the connection with the mail server, but in the log of the PIX I see the next message:
event 419001 pix 7.0(4) MSS exceeded
And the PIX drops this packet.
I found on the Cisco site how to resolve it:
Explanation: This message is generated when the length of the TCP packet exceeds the MSS advertised in the 3-way handshake.
src_ifc: Input interface name
src_IP: The source IP address of the packet
src_port: The source port of the packet
dest_ifc: The output interface name
dest_IP: The destination IP address of the packet
dest_port: The destination port of the packet
Recommended Action: If there is a need to allow packets that exceed the MSS, create a TCP map using the exceed-mss command, as in the following example:
access-list http-list permit tcp any host server_ip eq 80
class-map http
 match access-list http-list
tcp-map tmap
 exceed-mss allow
policy-map global_policy
 class http
  set connection advanced-options tmap
service-policy global_policy global
I did all the actions written here, but the problem is not solved and the PIX continues to write this message in the log:
event 419001 pix 7.0(4) MSS exceeded
and drops packets.
How can I resolve this problem?
Thanks in advance
08-05-2006 07:37 AM
Hi,
In the Cisco example the policy was applied on the global policy:
conf t
policy-map global_policy
class smtp
set connection advanced-options tmap
08-06-2006 04:32 AM
Hi.. In your case you need something like this:
access-list smtp-list permit tcp any host your_mail_server_ip eq smtp
class-map smtp
match access-list smtp-list
tcp-map tmap
exceed-mss allow
policy-map global_policy
class smtp
set connection advanced-options tmap
I hope it helps.. please rate if it does!!!
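A consolidated version of the fix for the original poster's configuration, added here by the editor and not written by any of the posters. It rests on one check a practitioner would make against the posted config: the tcp-map is attached to policy-map global_smtp, but the only policy actually applied is global_policy (service-policy global_policy global), so exceed-mss allow never took effect. x.x.x.x stands for the mail server's public address, which is masked in the original post.

```text
! Added example (not from any poster): attach the existing tcp-map to the
! global policy that is really applied, using a dedicated SMTP access-list.
! x.x.x.x = the mail server's public (pre-NAT) address, masked in the post.
access-list smtp-list extended permit tcp any host x.x.x.x eq smtp
!
! A class-map holds one match statement: drop the broad interface ACL match
! (it also covers pop3, www and ssh) before adding the SMTP-only one.
class-map smtp
 no match access-list outside
 match access-list smtp-list
!
tcp-map tmap
 exceed-mss allow
!
! Remove the stand-alone policy that was never applied with service-policy.
no policy-map global_smtp
!
policy-map global_policy
 class smtp
  set connection advanced-options tmap
!
! Only one global service policy can be active; global_policy is already it,
! so this line is a no-op if it is still present.
service-policy global_policy global
!
! Verify that the class now appears under the applied policy:
! show service-policy
```

If the 419001 messages continue after this change, confirm that the access-list counters for smtp-list increment; if they do not, the class is not matching the inbound SMTP connections.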