[c-nsp] pix 6.1(3)

Ryan West rwest at zyedge.com
Thu Jul 11 18:36:56 EDT 2013


It's 6.3.5(145) that is the latest PIX release that will support all the flavors.  If you have a 515/515E, you can upgrade the memory and move to 8.0.4(28), which is the last interim release for the PIX family in ASA code.  If you have a 506E, it's probably time to look at a 5505-5 or 5505-50 for the environment.

6.1(3) is over 10 years old.  If you can't upgrade the memory, you could at least try the engineering special from 2008.

-ryan

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Malitsky
Sent: Thursday, July 11, 2013 5:40 PM
To: Aaron; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] pix 6.1(3)

Fixup is an application-layer proxy.  In other words, it checks for the validity of traffic in the context of the actual protocol.  In version 7 and newer these are called "inspect".  Without it, you are left with a regular stateful firewall.

Michael 

________________________________________
From: Aaron [aaron1 at gvtc.com]
Sent: Thursday, July 11, 2013 3:24 PM
To: Michael Malitsky; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] pix 6.1(3)

Thanks Michael. What does http fixup do? How would disabling fixup fix my issue?

Aaron


-----Original Message-----
From: Michael Malitsky [mailto:malitsky at netabn.com]
Sent: Thursday, July 11, 2013 2:49 PM
To: aaron1 at gvtc.com; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] pix 6.1(3)

Sounds eerily familiar, although I can't find any notes for v6.  The first releases of 7 had a similar issue, caused by the firewall dropping any packets with MSS>negotiated size.
However, your options are very few.  Try disabling the http fixup to confirm it is the inspection engine causing the problem.  In version 6, there is no way to tune the inspection engines, on/off is the only button, so your only option is to upgrade.  I suggest trying 6.5.last (I think 6.5.105), if that doesn't work go to 7, the highest version that supports a PIX.  In v7 you can at least exempt the problem traffic from inspection.  Best option - upgrade to an ASA.

Michael

------------------------------

Date: Thu, 11 Jul 2013 09:51:16 -0500
From: "Aaron" <aaron1 at gvtc.com>
To: <cisco-nsp at puck.nether.net>
Subject: [c-nsp] pix 6.1(3)
Message-ID: <000001ce7e46$186efb20$494cf160$@gvtc.com>
Content-Type: text/plain;       charset="us-ascii"

Anyone ever dealt with a weird issue where, when going to a certain website via a Cisco PIX, the TCP SYN and SYN/ACK flow fine, but the final ACK is lost inside the PIX?  My sniffs seem to show this.



Aaron
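Aaron's symptom (handshake completes on the inside tap, the third ACK never shows up on the outside) and Michael's remembered cause from early 7.x (segments larger than the negotiated MSS being dropped) are both things you can confirm from two captures before touching the firewall config. The script below is an added example, not part of the thread or any Cisco tooling; the packet records are constructed inline and stand in for what you would pull out of a sniffer on each side of the PIX.

```python
"""Correlate captures taken inside and outside a firewall to find (a) TCP
handshakes whose final ACK was seen on one tap but not the other and (b) data
segments larger than the MSS the receiving endpoint advertised.
Added example; the packet records below are constructed, not a real trace."""
from collections import defaultdict

# Constructed records: (src, sport, dst, dport, flags, mss_option, payload_len).
# flags is the TCP flag string ("S", "SA", "A", "PA"); mss_option is None when absent.
# NAT is ignored so the same 4-tuple appears on both taps.
INSIDE_TAP = [
    # flow 1: the client's final ACK is visible on the inside tap
    ("10.0.0.5", 51000, "192.0.2.80", 80, "S", 1460, 0),
    ("192.0.2.80", 80, "10.0.0.5", 51000, "SA", 1380, 0),
    ("10.0.0.5", 51000, "192.0.2.80", 80, "A", None, 0),
    # flow 2: server pushes 1400 bytes although the client advertised MSS 1380
    ("10.0.0.6", 51001, "198.51.100.20", 80, "S", 1380, 0),
    ("198.51.100.20", 80, "10.0.0.6", 51001, "SA", 1460, 0),
    ("10.0.0.6", 51001, "198.51.100.20", 80, "A", None, 0),
    ("198.51.100.20", 80, "10.0.0.6", 51001, "PA", None, 1400),
]
OUTSIDE_TAP = [
    ("10.0.0.5", 51000, "192.0.2.80", 80, "S", 1460, 0),
    ("192.0.2.80", 80, "10.0.0.5", 51000, "SA", 1380, 0),
    # flow 1's final ACK is missing here: it was consumed between the two taps
    ("10.0.0.6", 51001, "198.51.100.20", 80, "S", 1380, 0),
    ("198.51.100.20", 80, "10.0.0.6", 51001, "SA", 1460, 0),
    ("10.0.0.6", 51001, "198.51.100.20", 80, "A", None, 0),
    ("198.51.100.20", 80, "10.0.0.6", 51001, "PA", None, 1400),
]


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection group together."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def handshake_states(packets):
    """Per flow: which handshake steps the tap saw, plus each endpoint's MSS option."""
    flows = defaultdict(lambda: {"syn": False, "synack": False, "ack": False, "mss": {}})
    for src, sport, dst, dport, flags, mss, _payload in packets:
        f = flows[flow_key(src, sport, dst, dport)]
        if flags == "S":
            f["syn"] = True
        elif flags == "SA":
            f["synack"] = True
        elif f["synack"] and "A" in flags and not f["ack"]:
            f["ack"] = True  # first ACK after the SYN/ACK completes the handshake
        if mss is not None:
            f["mss"][(src, sport)] = mss
    return flows


def lost_final_acks(inside, outside):
    """Flows whose SYN and SYN/ACK reached both taps but whose final ACK did not."""
    ins, outs = handshake_states(inside), handshake_states(outside)
    findings = []
    for key in sorted(set(ins) | set(outs)):
        i, o = ins.get(key), outs.get(key)
        if i and o and i["synack"] and o["synack"] and i["ack"] != o["ack"]:
            seen_on = "inside" if i["ack"] else "outside"
            findings.append((key, f"final ACK seen on {seen_on} tap only"))
    return findings


def oversized_segments(packets):
    """Data segments whose payload exceeds the MSS advertised by the receiver."""
    mss_by_endpoint = {}
    for src, sport, _dst, _dport, _flags, mss, _payload in packets:
        if mss is not None:
            mss_by_endpoint[(src, sport)] = mss
    hits = []
    for src, sport, dst, dport, _flags, _mss, payload in packets:
        limit = mss_by_endpoint.get((dst, dport))
        if payload and limit is not None and payload > limit:
            hits.append((flow_key(src, sport, dst, dport), (src, sport), payload, limit))
    return hits


if __name__ == "__main__":
    for key, msg in lost_final_acks(INSIDE_TAP, OUTSIDE_TAP):
        print(f"{key}: {msg}")
    for key, sender, size, limit in oversized_segments(INSIDE_TAP):
        print(f"{key}: {sender} sent {size} bytes, peer MSS is {limit}")
```

Run against real captures, a flow that lands in `lost_final_acks` with the ACK on the inside tap only is exactly the pattern Aaron describes, and `oversized_segments` tells you whether Michael's MSS explanation fits before you start toggling fixups.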
