[c-nsp] pix 6.1(3)

Aaron aaron1 at gvtc.com
Thu Jul 11 16:25:26 EDT 2013

Thanks Chuck, 

Here's what I see with that "sysopt" thing you mentioned... let me know what
you suggest with my issue...

PIX1# show sysopt
no sysopt security fragguard
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec
no sysopt connection permit-pptp
no sysopt connection permit-l2tp
sysopt ipsec pl-compatible
no sysopt route dnat

PIX1# conf t
PIX1(config)# sysopt ?
    [no] sysopt connection { permit-ipsec | permit-l2tp |
               permit-pptp | timewait | {tcpmss [minimum] <bytes>} }
    [no] sysopt ipsec pl-compatible
    [no] sysopt noproxyarp <if-name>
    [no] sysopt nodnsalias { inbound | outbound }
    [no] sysopt security fragguard
    [no] sysopt radius ignore-secret
    [no] sysopt uauth allow-http-cache
    [no] sysopt route dnat

-----Original Message-----
From: Chuck Church [mailto:chuckchurch at gmail.com] 
Sent: Thursday, July 11, 2013 3:13 PM
To: 'Nick Hilliard'; 'Aaron'
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] pix 6.1(3)

Just a guess, but maybe the Pix sequence number randomization is breaking
something.  I think you can turn it off, maybe a 'no sysopt something'
command?  There are later 6.3 images that might be usable as well, could be
a bug.


-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick
Sent: Thursday, July 11, 2013 3:17 PM
To: Aaron
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] pix 6.1(3)

On 11/07/2013 19:20, Aaron wrote:
> that my acks from the inside computer ARE being sent at the pix.  Is 
> there something weird that you know about with this issue where only a 
> few websites are like this ?  all other web traffic flows nicely 
> through that pix.

I haven't used 6.x since 7.0 was released and that was a very long time ago,
maybe 10 years.  I can barely remember what I had for lunch today, never
mind off-beat bugs from 10 years ago.  Seriously, upgrade /  throw in trash
/ donate to your nearest museum. :-)


cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list