Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Strange Pix behavior.

From: Victor Williams <vbwilliams () neb rr com>
Date: Fri, 10 Jun 2005 10:28:46 -0500
Three words; not enough info.
I only have three questions. What PIX OS are you using? Why didn't you post your cleansed config? Why didn't you call Cisco directly (assuming you have any type of support contract) instead of calling the reseller? This is something the support contract gives you...free help until the problem is solved.
Of all the manufacturers that I've dealt with out there, Cisco is by far the most responsive, and anyone you talk to past the helpdesk knows backwards and forwards what they're talking about. 

George J. Jahchan, Eng. wrote:


We are using a pair of failover Pix 515s, and are consistently seeing denied
return traffic that theoretically should have been allowed.

Three zones are defined: LAN, DMZ and WAN and the policy is default deny. For
the allowed outbound protocols like http, we are seeing (on weekdays) anywhere
between 25,000 and 45,000 denials originating from web server addresses on the
Internet port 80 to the NAT'ed IP address of LAN users. This is the return
traffic in response to requests that originated from the LAN.

Sample log entry follows:
... Deny tcp src outside:<www-server-IP>/80 dst LAN:<NAT-IP>/31997 by
access-group "WAN"

The corresponding rule in the LAN access-group is:
access-list LAN permit tcp host X.X.X.X gt 1023 any eq www

Not all traffic is blocked, only part of it, seemingly at random, otherwise no
one would have been able to surf the web, which is not the case.

We are also seeing denials generated by the return traffic of other allowed
outbound protocols such as pop3, imap4, smtp and dns (udp); in numbers that seem
to be proportional to the overall number of requests for each protocol.

On week-ends when the traffic is very low, we are still seeing denials, in
numbers proportional to overall requests.

We have monitored CPU and memory utilization on the Pix, they are low (CPU < 10%
and memory < 25%).

The Cisco reseller has not come through with a credible explanation for this
behavior or made suggestions on course of action for diagnosing the problem.

Can anyone on this list help?


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: