Full Disclosure mailing list archives

Firewall bug or not ?


From: <Michal.Grzybczyk () vattenfall pl>
Date: Thu, 23 Feb 2006 09:51:09 +0100

Hi,

I have a problem with connections through a Cisco PIX (ver. 6.3).

While connected to a Web site, the connection suddenly broke after choosing the next page on one form (Web site with aspx and javascript).

Sending traffic to this Web site through Checkpoint, it works. I tested from different sites where I suppose there was no PIX, and it worked!

Is it a bug on PIX or Checkpoint?

-------------------

In my log on PIX:

Feb 23 07:28:41 PIX-ADR %PIX-6-302013: Built outbound TCP connection 417324304 for outside: OUT-WEB-SERV /80 (OUT-WEB-SERV/80) to inside: LOCAL-PC/1154 (STATIC-IP-ON-PIX/1154)

Feb 23 07:28:41 PIX-ADR %PIX-5-304001: LOCAL-PC  Accessed URL OUT-WEB-SERV:/images/px.gif

Feb 23 07:28:42 PIX-ADR %PIX-6-302014: Teardown TCP connection 417324304 for outside: OUT-WEB-SERV/80 to inside: LOCAL-PC /1154 duration 0:00:01 bytes 5293 TCP Reset-I

Feb 23 07:28:42 PIX-ADR  %PIX-6-106015: Deny TCP (no connection) from LOCAL-PC/1154 to OUT-WEB-SERW /80 flags RST  on interface inside

Feb 23 07:28:42 PIX-ADR  %PIX-6-106015: Deny TCP (no connection) from LOCAL-PC /1154 to OUT-WEB-SERW /80 flags RST  on interface inside

Feb 23 07:28:42 PIX-ADR  %PIX-6-302014: Teardown TCP connection 417324262 for outside: OUT-WEB-SERV/80 to inside: LOCAL-PC /1153 duration 0:00:01 bytes 45634 TCP FINs

It looks like this Web application sends a packet with RST instead of FIN and then tries to resend traffic to my PC, but the PIX doesn't allow the connection, treating the RST as just a connection reset.

Why does Checkpoint, for example, allow this connection to be kept?

Any bug?

Thanks in advance!

Regards,

Michal Grzybczyk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
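
Added example (not part of the original post, and not Cisco's code): a small Python correlator that pairs each %PIX-6-106015 "Deny TCP (no connection)" line with the earlier %PIX-6-302014 teardown of the same endpoint pair, showing that the denied RSTs arrived for a connection the PIX had already removed. The sample log is constructed from the excerpt in the post, with wrapped lines rejoined and the host placeholders normalised; the function and pattern names are assumptions of this example.

```python
import re

# Constructed sample, modelled on the log excerpt in the post (same placeholder host names).
SAMPLE_LOG = """\
Feb 23 07:28:41 PIX-ADR %PIX-6-302013: Built outbound TCP connection 417324304 for outside:OUT-WEB-SERV/80 (OUT-WEB-SERV/80) to inside:LOCAL-PC/1154 (STATIC-IP-ON-PIX/1154)
Feb 23 07:28:42 PIX-ADR %PIX-6-302014: Teardown TCP connection 417324304 for outside:OUT-WEB-SERV/80 to inside:LOCAL-PC/1154 duration 0:00:01 bytes 5293 TCP Reset-I
Feb 23 07:28:42 PIX-ADR %PIX-6-106015: Deny TCP (no connection) from LOCAL-PC/1154 to OUT-WEB-SERV/80 flags RST on interface inside
Feb 23 07:28:42 PIX-ADR %PIX-6-106015: Deny TCP (no connection) from LOCAL-PC/1154 to OUT-WEB-SERV/80 flags RST on interface inside
Feb 23 07:28:42 PIX-ADR %PIX-6-302014: Teardown TCP connection 417324262 for outside:OUT-WEB-SERV/80 to inside:LOCAL-PC/1153 duration 0:00:01 bytes 45634 TCP FINs
"""

# Teardown record: connection id, both endpoints, byte count and teardown reason.
TEARDOWN = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<conn>\d+) for \w+:\s*(?P<a>\S+?)\s*/(?P<ap>\d+)"
    r" to \w+:\s*(?P<b>\S+?)\s*/(?P<bp>\d+) duration \S+ bytes (?P<bytes>\d+) (?P<reason>.+)$")
# Packet dropped because no matching entry exists in the connection table.
DENY = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from (?P<src>\S+?)\s*/(?P<sp>\d+)"
    r" to (?P<dst>\S+?)\s*/(?P<dp>\d+) flags (?P<flags>.+?)\s+on interface (?P<ifc>\S+)")


def straggler_denies(log_text):
    """Pair each 106015 deny with the earlier 302014 teardown of the same endpoint pair."""
    closed = {}    # endpoint pair (direction-independent) -> (connection id, reason)
    findings = []
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if m:
            key = frozenset([(m["a"], m["ap"]), (m["b"], m["bp"])])
            closed[key] = (m["conn"], m["reason"].strip())
            continue
        m = DENY.search(line)
        if m:
            key = frozenset([(m["src"], m["sp"]), (m["dst"], m["dp"])])
            conn, reason = closed.get(key, (None, None))  # None: no teardown seen earlier
            findings.append({"src": f'{m["src"]}/{m["sp"]}', "flags": m["flags"],
                             "interface": m["ifc"], "conn": conn, "teardown": reason})
    return findings


if __name__ == "__main__":
    for finding in straggler_denies(SAMPLE_LOG):
        print(finding)
```

In PIX teardown reasons, Reset-I means the reset was seen from the inside interface.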
