[fw-wiz] Strange Pix behavior.
From: George J. Jahchan, Eng. (Firewall-Wizards_at_Compucenter.org)
To: "Firewall Wizards List" <firstname.lastname@example.org> Date: Tue, 7 Jun 2005 09:57:06 +0300
We are using a pair of failover Pix 515s, and are consistently seeing denied
return traffic that theoretically should have been allowed.
Three zones are defined: LAN, DMZ and WAN and the policy is default deny. For
the allowed outbound protocols like http, we are seeing (on weekdays) anywhere
between 25,000 and 45,000 denials originating from web server addresses on the
Internet port 80 to the NAT'ed IP address of LAN users. This is the return
traffic in response to requests that originated from the LAN.
Sample log entry follows:
... Deny tcp src outside:<www-server-IP>/80 dst LAN:<NAT-IP>/31997 by
The corresponding rule in the LAN access-group is:
access-list LAN permit tcp host X.X.X.X gt 1023 any eq www
Not all traffic is blocked, only part of it, seemingly at random, otherwise no
one would have been able to surf the web, which is not the case.
We are also seeing denials generated by the return traffic of other allowed
outbound protocols such as pop3, imap4, smtp and dns (udp); in numbers that seem
to be proportional to the overall number of requests for each protocol.
On week-ends when the traffic is very low, we are still seeing denials, in
numbers proportional to overall requests.
We have monitored CPU and memory utilization on the Pix, they are low (CPU < 10%
and memory < 25%).
The Cisco reseller has not come through with a credible explanation for this
behavior or made suggestions on course of action for diagnosing the problem.
Can anyone on this list help?
firewall-wizards mailing list