Posted by AM on June 20, 2005, 6:05 pm
Denying traffic to a particular port from an external source (Internet) to internal servers will be seen as status "filtered" by programs like nmap. I would like traffic coming in on a particular IP to be redirected by rules. Is it possible? I mean the ports I am interested in must be effectively redirected to my server; all the others should be redirected to a virtual IP. I would, moreover, like to select the action to take based on the packets' source. I have a PIX running 6.3(4). Perhaps it is possible on a router, but I am not sure about the PIX.

Thanks,
Alex.
Posted by Walter Roberson on June 20, 2005, 10:03 pm
:denying traffic to a particular port from external source (Internet) to internal servers will be
:seen a status filtered by programs like nmap.

That is normal. nmap reports that because it does not get back a TCP SYN ACK response, and also does not get back an ICMP time-exceeded or ICMP network-unreachable or ICMP port-unreachable. nmap is, in other words, detecting that the packets are being dropped somewhere along the line.

There is a 'service' which tells the PIX to generate TCP RST instead of just dropping the packets. That's usually not turned on because it makes it easier for outsiders to map your network (and to detect that it's a PIX protecting the network.)

:I would traffic coming on a particular IP be redirected by rules. Is it possible? I mean ports I
:interested to must be effectively redirected to my server, all the other should be redirected to a
:virtual IP.

That's not as easy to configure as one might prefer, in that static without ports has higher priority than static with ports -- so one cannot configure as "static through these particular ports, and for everything else, fall back to the regular static that covers all the ports." I believe, though, that one might be able to configure it using policy static; it might take a bit of fiddling to work.

:I would, moreover, select action to do based on packets' source.

That's the realm of policy static. Policy static is, though, nearly the lowest priority: only regular nat is lower priority (and possibly policy nat too.) To make things work out, one might end up having to use a bunch of "range" specifiers.

--
The rule of thumb for speed is:
1. If it doesn't work then speed doesn't matter.
-- Christian Bau
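The following is an added example, not code from the original thread or from Cisco. It models the two points in the reply above: how a SYN scanner such as nmap turns the reply it gets (or does not get) into open/closed/filtered, which is why silently dropped probes show up as "filtered", and the PIX 6.3 translation-rule precedence the reply describes, which is why a port-specific static cannot be layered on top of a port-less static for the same outside address. The addresses, ports and rule kinds are constructed for the example; the precedence ordering is taken from the post and is an assumption of the model, not a statement of Cisco's documented behaviour.

```python
"""Added example (not from the original thread): a model of scanner port-state
inference and of the PIX translation-rule precedence described in the reply.
All addresses, ports and rules below are constructed sample data."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


# ---- (1) what a SYN scan sees -------------------------------------------------

def classify_port(reply: Optional[str]) -> str:
    """Map the answer to one TCP SYN probe onto the scanner's port states.

    reply is "SYN/ACK", "RST", "ICMP unreachable" or None (no answer at all).
    """
    if reply == "SYN/ACK":
        return "open"      # a service completed step two of the handshake
    if reply == "RST":
        return "closed"    # the host is reachable but nothing listens there
    # An ICMP error, or silence until the probe times out: the scanner cannot
    # tell whether a service exists, so it reports the port as filtered.
    return "filtered"


def firewall_reply(port: int, allowed: FrozenSet[int], listening: FrozenSet[int],
                   send_rst: bool) -> Optional[str]:
    """Reply the scanner receives for one port behind a firewall that permits
    only `allowed` ports through to a server listening on `listening` ports.

    send_rst models the option the reply mentions: answer denied probes with a
    TCP RST instead of silently dropping them.
    """
    if port in allowed:
        return "SYN/ACK" if port in listening else "RST"
    return "RST" if send_rst else None


def scan(ports: Iterable[int], allowed: FrozenSet[int], listening: FrozenSet[int],
         send_rst: bool = False) -> Dict[int, str]:
    """Run the classification over a port list; returns {port: state}."""
    return {p: classify_port(firewall_reply(p, allowed, listening, send_rst)) for p in ports}


# ---- (2) translation-rule precedence -----------------------------------------

@dataclass(frozen=True)
class Translation:
    kind: str                                  # "static", "static_port", "policy_static" or "nat"
    outside_ip: str                            # address seen from the Internet
    inside_ip: str                             # address the packet is translated to
    port: Optional[int] = None                 # only for static_port
    sources: Optional[FrozenSet[str]] = None   # only for policy_static: permitted source IPs


# Ordering as described in the reply (lower wins): a static without ports beats a
# static with ports, policy static is near the bottom, regular nat is lowest.
# Assumption of this model, taken from the post rather than from Cisco documentation.
PRECEDENCE = {"static": 0, "static_port": 1, "policy_static": 2, "nat": 3}


def matches(rule: Translation, dst_ip: str, dst_port: int, src_ip: str) -> bool:
    """Does this rule apply to a packet with the given destination and source?"""
    if rule.outside_ip != dst_ip:
        return False
    if rule.kind == "static_port":
        return rule.port == dst_port
    if rule.kind == "policy_static":
        return rule.sources is not None and src_ip in rule.sources
    return True


def resolve(rules: List[Translation], dst_ip: str, dst_port: int, src_ip: str) -> Optional[str]:
    """Pick the inside address the firewall would translate to, or None if no rule matches."""
    hits = [r for r in rules if matches(r, dst_ip, dst_port, src_ip)]
    if not hits:
        return None
    return min(hits, key=lambda r: PRECEDENCE[r.kind]).inside_ip


# Constructed example of the layout the original poster wants: a port-less static
# to a "virtual" address plus a port-specific static to the real server.
EXAMPLE_RULES = [
    Translation("static", "203.0.113.10", "10.0.0.99"),                 # catch-all to virtual IP
    Translation("static_port", "203.0.113.10", "10.0.0.10", port=80),   # web port to real server
]


if __name__ == "__main__":
    ports = [22, 80, 443]
    print("drop denied probes:", scan(ports, frozenset({80}), frozenset({80})))
    print("RST denied probes: ", scan(ports, frozenset({80}), frozenset({80}), send_rst=True))
    # Because the port-less static wins, port 80 lands on the virtual IP, not the server.
    print("port 80 ->", resolve(EXAMPLE_RULES, "203.0.113.10", 80, "198.51.100.7"))
```

Running it shows the two effects the reply describes: with denied probes silently dropped, ports 22 and 443 come back "filtered" while 80 is "open"; with the RST option modelled, the same denied ports come back "closed", which tells the scanner immediately that a device is answering for that address. In the translation model, a request to port 80 resolves to the virtual address 10.0.0.99 rather than the server, because the port-less static outranks the port-specific one; a policy static keyed on the source address is the only rule kind in the model whose match depends on where the packet came from.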

How to avoid filtered status report - PIX.