[c-nsp] pix 6.1(3)

Aaron aaron1 at gvtc.com
Thu Jul 11 14:20:59 EDT 2013


Thanks Nick... I'm working on migrating from the PIX 515 to my dual ASA
5520s... in the meantime...

There are only a few websites that have a weird issue where I cannot get to
those websites... strangely, "sh conn" on the PIX shows them in "A"
state... awaiting inside ACK. A sniffer and ACLs in the inner router show
that my ACKs from the inside computer ARE being sent at the PIX. Is there
something weird that you know about with this issue where only a few
websites are like this? All other web traffic flows nicely through that
PIX.

PIX1# sh conn local 10.10.10.207 foreign 63.245.217.105
1002 in use, 3794 most used
TCP out 63.245.217.105:80 in 10.10.10.207:51785 idle 0:00:06 Bytes 0 flags A
TCP out 63.245.217.105:80 in 10.10.10.207:51784 idle 0:00:29 Bytes 0 flags A

Aaron


-----Original Message-----
From: Nick Hilliard [mailto:nick at foobar.org] 
Sent: Thursday, July 11, 2013 1:06 PM
To: Aaron
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] pix 6.1(3)

On 11/07/2013 15:51, Aaron wrote:
> Anyone ever dealt with a weird issue where, when going to a certain
> website via a Cisco PIX, the TCP SYN and SYN/ACK flow fine, but the
> final ACK is lost inside the PIX? My sniffs seem to show this.

Um, could I humbly suggest an upgrade? 6.1 is prehistoric. 7.1 works
reasonably well on old kit, well, so long as you don't want to do anything
with IPv6.

Nick
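The "sh conn" lines Aaron pasted are the useful evidence in this thread: a connection that sits at "Bytes 0 flags A" is a TCP handshake the PIX never saw complete, and the PIX/ASA conn-flag legend reads "A - awaiting inside ACK to SYN" and "a - awaiting outside ACK to SYN". When only a handful of destinations misbehave, the quickest way to list them is to parse the full "show conn" output and count half-open, zero-byte connections per foreign host. The script below is an added example, not code from the list or from Cisco; it assumes the PIX 6.x line format shown above. The sample input is constructed: the first two TCP lines are the ones from the post, the remaining lines are made up to give the parser an established session, a UDP entry and an "a"-flagged connection to contrast against.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample in PIX 6.x "show conn" format. Lines 2-3 mirror the ones
# posted in the thread; the rest are invented for contrast (an established
# HTTPS session, a DNS lookup, and a half-open connection waiting on the
# outside host).
SAMPLE_SHOW_CONN = """\
1002 in use, 3794 most used
TCP out 63.245.217.105:80 in 10.10.10.207:51785 idle 0:00:06 Bytes 0 flags A
TCP out 63.245.217.105:80 in 10.10.10.207:51784 idle 0:00:29 Bytes 0 flags A
TCP out 198.51.100.20:443 in 10.10.10.207:51790 idle 0:00:01 Bytes 18422 flags UIO
UDP out 198.51.100.53:53 in 10.10.10.207:49152 idle 0:00:02 flags -
TCP out 203.0.113.9:80 in 10.10.10.15:40001 idle 0:01:12 Bytes 0 flags a
"""

# One conn table entry: "<proto> out <ip>:<port> in <ip>:<port> idle H:MM:SS
# [Bytes N] [flags X]". Bytes and flags are optional so the header line and
# entries without a byte count are tolerated.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<fip>[\d.]+):(?P<fport>\d+) "
    r"in (?P<lip>[\d.]+):(?P<lport>\d+) idle (?P<idle>\d+:\d{2}:\d{2})"
    r"(?: Bytes (?P<bytes>\d+))?(?: flags (?P<flags>\S+))?$"
)


@dataclass
class Conn:
    proto: str
    foreign: str        # "out" column: outside host:port
    local: str          # "in" column: inside host:port
    idle_seconds: int
    bytes: int
    flags: str


def idle_to_seconds(idle: str) -> int:
    """Convert the H:MM:SS idle column to seconds."""
    h, m, s = (int(p) for p in idle.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_conn(text: str) -> List[Conn]:
    """Parse "show conn" output, skipping the summary header and anything
    that does not look like a conn entry."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(
            proto=m["proto"],
            foreign=f"{m['fip']}:{m['fport']}",
            local=f"{m['lip']}:{m['lport']}",
            idle_seconds=idle_to_seconds(m["idle"]),
            bytes=int(m["bytes"] or 0),
            flags=m["flags"] or "",
        ))
    return conns


def stuck_handshakes(conns: List[Conn], min_idle: int = 5) -> List[Conn]:
    """TCP entries still waiting on a handshake ACK: 'A' (awaiting inside ACK
    to SYN) or 'a' (awaiting outside ACK to SYN), with no payload yet and idle
    at least min_idle seconds. The zero-byte test separates a handshake that
    never completed from an established session that is merely quiet."""
    return [
        c for c in conns
        if c.proto == "TCP"
        and ("A" in c.flags or "a" in c.flags)
        and c.bytes == 0
        and c.idle_seconds >= min_idle
    ]


def foreign_hosts_affected(conns: List[Conn], min_idle: int = 5) -> Counter:
    """Count stuck handshakes per foreign IP so the few problem sites stand out."""
    return Counter(c.foreign.rsplit(":", 1)[0]
                   for c in stuck_handshakes(conns, min_idle))


if __name__ == "__main__":
    parsed = parse_show_conn(SAMPLE_SHOW_CONN)
    for ip, n in foreign_hosts_affected(parsed).most_common():
        print(f"{ip:<16} {n} half-open zero-byte conn(s)")
```

Feed it the whole "show conn" dump rather than the filtered "local ... foreign ..." view; the per-host counts then tell you whether the problem is really limited to a few destinations, and the idle threshold lets you ignore handshakes that are simply still in flight.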
