[fw-wiz] Strange Pix behavior.

From: George J. Jahchan, Eng. (Firewall-Wizards_at_Compucenter.org)
Date: 06/07/05

    To: "Firewall Wizards List" <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 7 Jun 2005 09:57:06 +0300
    
    

    We are using a pair of failover Pix 515s, and are consistently seeing denied
    return traffic that theoretically should have been allowed.

    Three zones are defined: LAN, DMZ and WAN and the policy is default deny. For
    the allowed outbound protocols like http, we are seeing (on weekdays) anywhere
    between 25,000 and 45,000 denials originating from web server addresses on the
    Internet port 80 to the NAT'ed IP address of LAN users. This is the return
    traffic in response to requests that originated from the LAN.

    Sample log entry follows:
    ... Deny tcp src outside:<www-server-IP>/80 dst LAN:<NAT-IP>/31997 by
    access-group "WAN"

    The corresponding rule in the LAN access-group is:
    access-list LAN permit tcp host X.X.X.X gt 1023 any eq www

    Not all traffic is blocked, only part of it, seemingly at random, otherwise no
    one would have been able to surf the web, which is not the case.

    We are also seeing denials generated by the return traffic of other allowed
    outbound protocols such as pop3, imap4, smtp and dns (udp), in numbers that seem
    to be proportional to the overall number of requests for each protocol.

    On weekends when the traffic is very low, we are still seeing denials, in
    numbers proportional to overall requests.

    We have monitored CPU and memory utilization on the Pix, they are low (CPU < 10%
    and memory < 25%).

    The Cisco reseller has not come through with a credible explanation for this
    behavior or made suggestions on a course of action for diagnosing the problem.

    Can anyone on this list help?

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
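As an added triage aid (example code, not from the original post or from Cisco), the Python below parses deny lines of the shape quoted in the post and separates denials that look like replies to permitted outbound sessions (source port is a permitted service port, destination port is ephemeral) from unsolicited inbound attempts, so the per-protocol counts the poster describes can be measured from a syslog export. The sample log lines, addresses and the list of permitted services are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the PIX deny message quoted in the post;
# timestamps, addresses and ports are made up for the example.
SAMPLE_LOG = """\
Jun  7 09:57:06 pix %PIX-4-106023: Deny tcp src outside:203.0.113.10/80 dst LAN:192.0.2.5/31997 by access-group "WAN"
Jun  7 09:57:07 pix %PIX-4-106023: Deny tcp src outside:203.0.113.11/110 dst LAN:192.0.2.5/32010 by access-group "WAN"
Jun  7 09:57:08 pix %PIX-4-106023: Deny udp src outside:203.0.113.53/53 dst LAN:192.0.2.5/32771 by access-group "WAN"
Jun  7 09:57:09 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/4444 dst LAN:192.0.2.5/445 by access-group "WAN"
Jun  7 09:57:10 pix %PIX-4-106023: Deny tcp src outside:203.0.113.10/80 dst LAN:192.0.2.5/32001 by access-group "WAN"
"""

# Matches the "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group" form.
DENY_RE = re.compile(
    r'Deny (?P<proto>tcp|udp) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# Assumed set of permitted outbound services (the post names http, pop3, imap4, smtp, dns).
# A denied packet *from* one of these ports to an ephemeral port is a reply, not a new attempt.
OUTBOUND_SERVICES = {("tcp", 80), ("tcp", 110), ("tcp", 143), ("tcp", 25), ("udp", 53)}


def parse_deny(line):
    """Return the fields of one deny line as a dict, or None if it is not a deny line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
    return entry


def classify(entry):
    """'return' = looks like a reply to a permitted outbound session; 'inbound' = unsolicited."""
    if (entry["proto"], entry["sport"]) in OUTBOUND_SERVICES and entry["dport"] > 1023:
        return "return"
    return "inbound"


def summarize(log_text):
    """Count denials keyed by (class, proto, service port): the service is the source
    port for return traffic and the destination port for unsolicited inbound packets."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_deny(line)
        if e is None:
            continue
        kind = classify(e)
        service = e["sport"] if kind == "return" else e["dport"]
        counts[(kind, e["proto"], service)] += 1
    return counts
```

A large 'return' share per service, growing with the request volume for that service, is the pattern described in the post, and it points the investigation at the connection state on the firewall rather than at the access-lists.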

