Firewall Wizards mailing list archives

PIX dropping packets with source port 80


From: LazloCarreidas () netscape net
Date: Tue, 25 May 2004 12:44:14 -0400

My fellow experts,

We have a cluster of PIX 525. Since the upgrade of the PIX OS to 6.3(3), we get lots of 106023 messages, such as
%PIX-4-106023: Deny tcp src DMZ:aaa.bbb.ccc.ddd (asite.adomain.atld) /80 dst inside:OurProxy/37568 by access-group "acl_DMZ"

Conceptually, this is correct, since we certainly don't have any ACL allowing an external host to open a port on our 
internal proxy.

However, the behaviour here seems to be that connections opened by the proxy on the Web site are dropped when coming 
back (note source port 80) by that ACL (more exactly, by the default rule that drops everything on this access-group). 
More or less, it appears as "TCP out of sync" messages in CheckPoint jargon.

I have looked over the outbound connections, and seen that they are indeed opened by the PIX from the proxy to the 
destination Web site.

For the persons who use the proxy, there is no issue...

However, I would like to get rid of these useless messages that drown the useful ones. And this has appeared only 
since we upgraded to 6.3(3).

Has one of you experienced that already?

Thank you for your precious help

  Lazlò
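An added example, not part of the post or of any Cisco tooling: a small Python triage script that parses 106023 lines in the format quoted above and separates the stale-reply denies (TCP from port 80/443 on the DMZ side back to a high port on the inside proxy, i.e. a reply for which the PIX no longer holds state) from genuine unsolicited inbound attempts, so the useful denies are not drowned. The interface names, the proxy's service ports and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Pattern for the PIX 106023 deny message quoted in the post. It accepts both the plain
# "iface:addr/port" form and the "iface:addr (name) /port" form with a resolved name.
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src>[^\s/]+)(?: \((?P<src_name>[^)]*)\))?\s*/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[^\s/]+)(?: \((?P<dst_name>[^)]*)\))?\s*/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Assumptions (not from the post): the inside proxy fetches over these service ports,
# and replies to it arrive on the DMZ interface bound for "inside".
PROXY_SERVICE_PORTS = {80, 443}
REPLY_PATH = ("DMZ", "inside")

def classify(line):
    """Parse one syslog line; return its fields plus a 'category', or None if not a 106023."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    looks_like_reply = (
        d["proto"] == "tcp"
        and (d["src_if"], d["dst_if"]) == REPLY_PATH
        and d["sport"] in PROXY_SERVICE_PORTS
        and d["dport"] >= 1024  # ephemeral port the proxy used for its outbound connection
    )
    # A reply hitting the inbound ACL means the PIX no longer held state for the proxy's
    # own connection (the "out of sync" case); anything else is a real inbound attempt.
    d["category"] = "stale_reply" if looks_like_reply else "unsolicited_inbound"
    return d

def summarize(lines):
    """Count categories so genuine denies stand out from the stale-reply noise."""
    return Counter(c["category"] for c in map(classify, lines) if c)

# Constructed sample lines in the post's format (addresses from documentation ranges).
SAMPLE_LINES = [
    'May 25 12:40:01 pix %PIX-4-106023: Deny tcp src DMZ:192.0.2.10 (www.example.net) /80 '
    'dst inside:10.0.0.5/37568 by access-group "acl_DMZ"',
    'May 25 12:40:02 pix %PIX-4-106023: Deny tcp src DMZ:192.0.2.11/443 '
    'dst inside:10.0.0.5/37569 by access-group "acl_DMZ"',
    'May 25 12:40:03 pix %PIX-4-106023: Deny tcp src DMZ:192.0.2.77/4452 '
    'dst inside:10.0.0.5/22 by access-group "acl_DMZ"',
]
```

Feeding a day of syslog through `summarize()` gives the ratio of stale replies to real denies; the "unsolicited_inbound" records are the ones worth reviewing.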
