[c-nsp] pix 6.1(3)

Michael Malitsky malitsky at netabn.com
Thu Jul 11 17:39:59 EDT 2013


Fixup is an application-layer proxy.  In other words, it checks for the validity of traffic in the context of the actual protocol.  In version 7 and newer these are called "inspect".  Without it, you are left with a regular stateful firewall.

Michael 

________________________________________
From: Aaron [aaron1 at gvtc.com]
Sent: Thursday, July 11, 2013 3:24 PM
To: Michael Malitsky; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] pix 6.1(3)

Thanks Michael. What does http fixup do?  How would disabling fixup fix my
issue?

Aaron


-----Original Message-----
From: Michael Malitsky [mailto:malitsky at netabn.com]
Sent: Thursday, July 11, 2013 2:49 PM
To: aaron1 at gvtc.com; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] pix 6.1(3)

Sounds eerily familiar, although I can't find any notes for v6.  The first
releases of 7 had a similar issue, caused by the firewall dropping any
packets with MSS>negotiated size.
However, your options are very few.  Try disabling the http fixup to confirm
it is the inspection engine causing the problem.  In version 6, there is no
way to tune the inspection engines, on/off is the only button, so your only
option is to upgrade.  I suggest trying 6.5.last (I think 6.5.105), if that
doesn't work go to 7, the highest version that supports a PIX.  In v7 you
can at least exempt the problem traffic from inspection.  Best option -
upgrade to an ASA.

Michael
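The steps above, as an added configuration example (not from this thread and not Cisco's documentation): turning the HTTP fixup off on PIX 6.x to confirm the inspection engine is at fault, then, on a 7.x PIX/ASA, exempting a single problem server from HTTP inspection with an ACL-driven class-map and relaxing the MSS check via a tcp-map. The host address 203.0.113.10 and the object names HTTP-INSPECT, HTTP-INSPECT-CLASS and ALLOW-BIG-MSS are placeholders chosen for the example; the policy-map name global_policy is the 7.x default.

```text
! --- PIX 6.x: on/off is the only knob, so disable the HTTP fixup to test ---
show fixup
no fixup protocol http 80
! retest against the problem site, then restore inspection:
fixup protocol http 80

! --- PIX/ASA 7.x: exempt one server from HTTP inspection, keep it elsewhere ---
! 203.0.113.10 is an assumed placeholder for the problem web server.
! A "deny" entry in the ACL means that traffic does NOT match the class,
! so it is simply not inspected; everything else on port 80 still is.
access-list HTTP-INSPECT extended deny tcp any host 203.0.113.10 eq www
access-list HTTP-INSPECT extended permit tcp any any eq www
class-map HTTP-INSPECT-CLASS
 match access-list HTTP-INSPECT
policy-map global_policy
 class HTTP-INSPECT-CLASS
  inspect http
service-policy global_policy global

! --- PIX/ASA 7.x: if the drops are MSS-related, allow segments larger ---
! --- than the negotiated MSS instead of dropping them (tcp-map)        ---
tcp-map ALLOW-BIG-MSS
 exceed-mss allow
policy-map global_policy
 class HTTP-INSPECT-CLASS
  set connection advanced-options ALLOW-BIG-MSS
```

Apply the 6.x change first and retest; if the final ACK now passes, the inspection engine is confirmed as the cause and the 7.x fragment shows what becomes possible after the upgrade. Use "show service-policy" on 7.x to verify that the class is attached and counting packets.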

------------------------------

Date: Thu, 11 Jul 2013 09:51:16 -0500
From: "Aaron" <aaron1 at gvtc.com>
To: <cisco-nsp at puck.nether.net>
Subject: [c-nsp] pix 6.1(3)
Message-ID: <000001ce7e46$186efb20$494cf160$@gvtc.com>

Anyone ever dealt with a weird issue where, when going to a certain website
via a Cisco PIX, the TCP SYN and SYN/ACK flow fine, but the final ACK is
lost inside the PIX?  My sniffs seem to show this.



Aaron
