Firewall Wizards mailing list archives
Re: Strange Pix behavior.
From: Victor Williams <vbwilliams () neb rr com>
Date: Fri, 10 Jun 2005 10:28:46 -0500
Three words; not enough info. I only have three questions. What PIX OS are you using? Why didn't you post your cleansed config? Why didn't you call Cisco directly (assuming you have any type of support contract) instead of calling the reseller? This is something the support contract gives you... free help until the problem is solved.
Of all the manufacturers that I've dealt with out there, Cisco is by far the most responsive, and anyone you talk to past the helpdesk knows backwards and forwards what they're talking about.
George J. Jahchan, Eng. wrote:
We are using a pair of failover Pix 515s, and are consistently seeing denied return traffic that theoretically should have been allowed. Three zones are defined: LAN, DMZ and WAN, and the policy is default deny.

For the allowed outbound protocols like http, we are seeing (on weekdays) anywhere between 25,000 and 45,000 denials originating from web server addresses on the Internet, port 80, to the NAT'ed IP address of LAN users. This is the return traffic in response to requests that originated from the LAN. Sample log entry follows:

    ... Deny tcp src outside:<www-server-IP>/80 dst LAN:<NAT-IP>/31997 by access-group "WAN"

The corresponding rule in the LAN access-group is:

    access-list LAN permit tcp host X.X.X.X gt 1023 any eq www

Not all traffic is blocked, only part of it, seemingly at random; otherwise no one would have been able to surf the web, which is not the case. We are also seeing denials generated by the return traffic of other allowed outbound protocols such as pop3, imap4, smtp and dns (udp), in numbers that seem to be proportional to the overall number of requests for each protocol. On week-ends, when the traffic is very low, we are still seeing denials, in numbers proportional to overall requests.

We have monitored CPU and memory utilization on the Pix; they are low (CPU < 10% and memory < 25%). The Cisco reseller has not come through with a credible explanation for this behavior or made suggestions on a course of action for diagnosing the problem. Can anyone on this list help?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
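To quantify the pattern the original poster describes (denials whose source port is an allowed outbound service and whose destination port is an ephemeral client port, as opposed to genuinely unsolicited inbound traffic), here is a small triage script. It is an added example, not code from the thread; the syslog lines are constructed from the format quoted above, and the addresses, ports and the %PIX-4-106023 prefix are assumptions, not values from the poster's configuration.

```python
import re
from collections import Counter

# Constructed sample PIX syslog lines modelled on the denial quoted in the
# thread. Addresses and ports are made up; the LAN interface name "LAN" and
# access-group "WAN" follow the poster's message.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:198.51.100.10/80 dst LAN:192.0.2.5/31997 by access-group "WAN"
%PIX-4-106023: Deny tcp src outside:198.51.100.11/80 dst LAN:192.0.2.5/31998 by access-group "WAN"
%PIX-4-106023: Deny tcp src outside:198.51.100.20/110 dst LAN:192.0.2.5/40001 by access-group "WAN"
%PIX-4-106023: Deny udp src outside:198.51.100.53/53 dst LAN:192.0.2.5/1029 by access-group "WAN"
%PIX-4-106023: Deny tcp src outside:203.0.113.7/4444 dst LAN:192.0.2.5/22 by access-group "WAN"
"""

# Matches the "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group" form.
DENY_RE = re.compile(
    r'Deny (?P<proto>tcp|udp) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')

# Services the LAN is permitted to reach outbound, per the poster's description.
ALLOWED_OUTBOUND = {("tcp", 80): "www", ("tcp", 110): "pop3", ("tcp", 143): "imap4",
                    ("tcp", 25): "smtp", ("udp", 53): "dns"}

def parse_deny(line):
    """Return the fields of a PIX deny message as a dict, or None if it is not one."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None

def classify(entry):
    """Label a denial as return traffic of an allowed outbound service (server port
    is a permitted service, client port is ephemeral) or as 'other' inbound traffic."""
    key = (entry["proto"], int(entry["sport"]))
    if key in ALLOWED_OUTBOUND and int(entry["dport"]) > 1023:
        return "return:" + ALLOWED_OUTBOUND[key]
    return "other"

def summarize(log_text, acl="WAN"):
    """Count denials logged by the given access-group, grouped by classification."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_deny(line)
        if e and e["acl"] == acl:
            counts[classify(e)] += 1
    return counts

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label:14s} {n}")
```

On a stateful PIX the inbound ACL is consulted only for packets that do not match an existing connection entry, so a high "return:" share points at packets arriving after the connection slot has been cleared (or at flows the PIX never saw established) rather than at a wrong rule, and is the figure worth handing to the vendor alongside the config.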