[c-nsp] disable stateful firewall on PIX?
Jens
jens at chaos-co.de
Sat Apr 15 07:41:18 EDT 2006
Ahhh... I looked a little bit deeper and found the following statement:
"The ASA algorithm takes care of stateful inspection in PIX and it
cannot be disabled."
Jens
Joseph Jackson wrote:
>Would that work? How would the pix know that the connection IS
>established? I believe he is correct when he says it is failing but the
>pix isn't the device to transmit the initial SYN.
>
>>-----Original Message-----
>>From: cisco-nsp-bounces at puck.nether.net
>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
>>Michael K. Smith
>>Sent: Thursday, April 13, 2006 2:24 PM
>>To: Adam Greene; cisco-nsp at puck.nether.net
>>Subject: Re: [c-nsp] disable stateful firewall on PIX?
>>
>>On 4/13/06 12:47 PM, "Adam Greene" <maillist at webjogger.net> wrote:
>>
>>>Thanks Mike, and for the other replies I got offlist.
>>>
>>>The problem seems to be that the PIX is blocking the inbound SYN/ACK
>>>on the handshake if it didn't transmit the initial SYN outbound, even
>>>if I do a "permit ip any <netblock>".
>>>
>>I know it should be covered with 'permit ip any any' but that
>>sounds like a 'permit tcp any any established' hook.
>>
>>Mike
>>
>>_______________________________________________
>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
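The behaviour discussed in this thread, as an added illustration that is not part of the original messages: a simplified Python model of a stateful filter whose access list permits everything, yet which still drops a SYN/ACK when it never saw the matching SYN. The class, function names and addresses (documentation ranges) are constructed for the example, and the state machine is a toy model, not Cisco's ASA algorithm.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the segment, e.g. {"SYN", "ACK"}

class StatefulFilter:
    """Toy model: the ACL permits everything, the state table still decides."""
    def __init__(self):
        self.conns = {}  # (client, cport, server, sport) -> handshake state

    def acl_permits(self, seg):
        return True  # stands in for "permit ip any any"

    def process(self, seg):
        if not self.acl_permits(seg):
            return "drop: acl"
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if seg.flags == {"SYN"}:
            self.conns[fwd] = "SYN_SEEN"
            return "pass: new connection"
        if seg.flags == {"SYN", "ACK"}:
            if self.conns.get(rev) == "SYN_SEEN":
                self.conns[rev] = "SYNACK_SEEN"
                return "pass: reply to tracked SYN"
            return "drop: no matching SYN in state table"
        if seg.flags == {"ACK"} and self.conns.get(fwd) == "SYNACK_SEEN":
            self.conns[fwd] = "ESTABLISHED"
            return "pass: handshake complete"
        if "ESTABLISHED" in (self.conns.get(fwd), self.conns.get(rev)):
            return "pass: established"
        return "drop: no state"

def seg(src, sport, dst, dport, *flags):
    return Segment(src, sport, dst, dport, frozenset(flags))

def symmetric_handshake():
    fw = StatefulFilter()
    return [fw.process(seg("192.0.2.10", 40000, "198.51.100.5", 80, "SYN")),
            fw.process(seg("198.51.100.5", 80, "192.0.2.10", 40000, "SYN", "ACK")),
            fw.process(seg("192.0.2.10", 40000, "198.51.100.5", 80, "ACK"))]

def asymmetric_handshake():
    # Constructed case: the SYN left by another path, so the filter sees the SYN/ACK first.
    fw = StatefulFilter()
    return fw.process(seg("198.51.100.5", 80, "192.0.2.10", 40000, "SYN", "ACK"))
```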