[fw-wiz] PIX dropping packets with source port 80
LazloCarreidas_at_netscape.net
Date: 05/25/04
- Previous message: Paul D. Robertson: "Re: [fw-wiz] AIX LPAR security"
- Next in thread: Martin Mačok: "Re: [fw-wiz] PIX dropping packets with source port 80"
- Reply: Martin Mačok: "Re: [fw-wiz] PIX dropping packets with source port 80"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com Date: Tue, 25 May 2004 12:44:14 -0400
My fellow experts,
We have a cluster of PIX 525. Since the upgrade of the PIX OS to 6.3(3), we get lots of 106023 messages, such as
%PIX-4-106023: Deny tcp src DMZ:aaa.bbb.ccc.ddd (asite.adomain.atld) /80 dst inside:OurProxy/37568 by access-group "acl_DMZ"
Conceptually, this is correct, since we certainly don't have any ACL allowing an external host to open a port on our internal proxy.
However, the behaviour here seems to be that connections opened by the proxy on the Web site are dropped when coming back (note source port 80) by that ACL (more exactly, by the default rule that drops everything on this access-group). More or less, it appears as "TCP out of sync" messages in CheckPoint jargon.
I have looked over the outbound connections, and seen that they are indeed opened by the PIX from the proxy to the destination Web site.
For the people who use the proxy, there is no issue...
However, I would like to get rid of these useless messages that drown the useful ones. And this has appeared only since we upgraded to 6.3(3).
Has one of you experienced that already?
Thank you for your precious help
Lazlò
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
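The message pattern Lazlò describes (a 106023 deny whose source port is the remote service port and whose destination port is an ephemeral port on the internal proxy) is easy to separate from genuinely interesting denies when triaging the syslog stream, which is a safer first step than silencing 106023 outright. The following is an added example written for this page, not the poster's configuration or Cisco tooling. It assumes only the message shape of the single log line quoted in the post; the hostnames, addresses and sample syslog lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ports we treat as "service" ports: a deny whose *source* is one of these
# and whose *destination* is an ephemeral port has the shape of a reply to a
# connection the inside host opened (the pattern described in the post).
SERVICE_PORTS = frozenset({80, 443, 8080, 8443})

# Shape of the %PIX-4-106023 line quoted in the post. The optional
# "(hostname)" after the source address appears when the PIX resolves names.
# Assumption: other 106023 variants (e.g. icmp) are not handled here.
PIX_106023 = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>tcp|udp) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>\S+?)(?: \((?P<src_name>[^)]*)\))?\s*/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_host>\S+?)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


@dataclass
class Deny:
    proto: str
    src_if: str
    src_ip: str
    src_name: Optional[str]
    src_port: int
    dst_if: str
    dst_host: str
    dst_port: int
    acl: str

    def looks_like_return_traffic(self) -> bool:
        # Heuristic only: source is a well-known service port, destination is
        # ephemeral. A genuine inbound connection attempt is normally the
        # reverse. Caveat: scanners can deliberately set source port 80 to
        # slip past sloppy ACLs, so bucket these for review rather than
        # discarding them.
        return self.src_port in SERVICE_PORTS and self.dst_port >= 1024


def parse_106023(line: str) -> Optional[Deny]:
    """Return a Deny for a 106023 line, or None if the line is something else."""
    m = PIX_106023.search(line)
    if not m:
        return None
    return Deny(
        proto=m["proto"],
        src_if=m["src_if"],
        src_ip=m["src_ip"],
        src_name=m["src_name"],
        src_port=int(m["src_port"]),
        dst_if=m["dst_if"],
        dst_host=m["dst_host"],
        dst_port=int(m["dst_port"]),
        acl=m["acl"],
    )


def triage(lines: List[str]) -> Dict[str, int]:
    """Count 106023 denies by bucket so the noisy pattern can be reviewed apart
    from the denies that deserve attention."""
    counts = {"probable_return_traffic": 0, "inbound_attempt": 0, "unparsed": 0}
    for line in lines:
        deny = parse_106023(line)
        if deny is None:
            counts["unparsed"] += 1
        elif deny.looks_like_return_traffic():
            counts["probable_return_traffic"] += 1
        else:
            counts["inbound_attempt"] += 1
    return counts


# Constructed sample syslog lines (RFC 5737 test addresses), not real logs.
SAMPLE_LOG = """\
May 25 12:40:01 pix1 %PIX-4-106023: Deny tcp src DMZ:192.0.2.10 (www.example.net) /80 dst inside:10.1.1.5/37568 by access-group "acl_DMZ"
May 25 12:40:02 pix1 %PIX-4-106023: Deny tcp src DMZ:192.0.2.11/443 dst inside:10.1.1.5/41002 by access-group "acl_DMZ"
May 25 12:40:03 pix1 %PIX-4-106023: Deny tcp src DMZ:198.51.100.7/51234 dst inside:10.1.1.20/22 by access-group "acl_DMZ"
May 25 12:40:04 pix1 %PIX-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.1.1.5/37569 (203.0.113.5/37569)
"""

if __name__ == "__main__":
    for bucket, n in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{bucket}: {n}")
```

Running it over the constructed sample puts the two service-port-sourced denies in the "probable return traffic" bucket and leaves the high-port-to-22 deny as an inbound attempt. The split is for review, not suppression: confirm against the PIX connection table (or the 302013/302014 build and teardown messages) that the denied replies really correspond to connections the proxy opened before deciding the bucket is safe to rate-limit.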