[c-nsp] Pix question

Jim McBurnett jim at tgasolutions.com
Tue Nov 2 20:42:45 EST 2004


Jeff,
It might be helpful to see the PIX configs.. 
(IP addresses and passwords removed of course)
First thought is the path.
	If the packet cannot be fragmented, that is very bad...
	1518 is the max packet size.
	then you get it fragmented for the IPSEC.
	and then if some ISP between the 2 paths, well then 
	it gets smaller..
	I have seen some networks cause the packet size, preencrypted,
	to be around 900 so that it will cross the VPN...

Second -- ICMP being explicitly permitted? I.e.
icmp permit any outside
icmp permit any inside

Third--- Syslog traps?
	Do you have any syslog traps?
	These may help...

Later,
J
-----Original Message-----
From: Jeff [mailto:listacct at genhex.net] 
Sent: Tuesday, November 02, 2004 4:30 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Pix question

Hi all,

I have what I hope is a simple pix related question.  I have a client
that is trying to do Microsoft group policies over a vpn connection that
is created using 2 pix devices.

The group policy relies on 2 icmp packets, the first a standard 32-byte
icmp, the second a larger 2048-byte ping.  The first packet makes it,
the second gets dropped.

I have found on google that icmp size on the pix is limited due to ping
floods etc.  There is also one reference to the pix being able to allow
different size icmp packets.

I would like to know what command needs to be added to allow an icmp packet
size of 3k to traverse the vpn.

Google and cisco have not been much help in finding this information.

My client is running 6.3.1 on one device and 6.3.3 on the other if that
plays a factor.

Thanks very much for your help.

Jeff.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/