takefreestuff
MIS
Hi,
I'm running a PIX 515E, 6.1. I would like to run some port scans FROM a host on the inside against my server on the Internet. Unfortunately when the inside host starts a stealth scan - sending ACK packets instead of SYNs - the PIX blocks the outbound packets. Log entries look like this:
%PIX-6-106015: Deny TCP (no connection) from 192.168.200.101/20 to flags ACK on interface inside
I read that Cisco IOS supports a kind of access-list that filters on TCP flags, e.g. it is possible to allow packets with the ACK bit set even though there is no corresponding entry in the connection table. I think the command is 'match-all' or 'match-any'. However, it seems there is no equivalent command for the PIX OS (Finesse, right?). Hopefully I'm wrong...
Can anyone tell me if there is a command that will enable me to allow outbound packets for which there is no entry in the connection table?
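For anyone reviewing PIX syslog from the other side of this question, here is an added example (my own code, not from the post or from Cisco) that parses %PIX-6-106015 lines in the format quoted above, with the destination field present, and groups ACK-only "no connection" denies per inside source host so that a host probing many ports stands out. The log lines are constructed; the hosts, ports and threshold are assumptions.

```python
import re
from collections import defaultdict

# Field layout of the 106015 message quoted in the post, with the destination
# host/port that the poster left out: from SRC/PORT to DST/PORT flags ... on interface X
PIX_106015 = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Constructed sample log: one inside host sending ACK probes to five ports,
# one stray ACK from another host, one RST/ACK deny, and an unrelated line.
SAMPLE_LOG = [
    "%PIX-6-106015: Deny TCP (no connection) from 192.168.200.101/20 to 203.0.113.10/22 flags ACK on interface inside",
    "%PIX-6-106015: Deny TCP (no connection) from 192.168.200.101/20 to 203.0.113.10/25 flags ACK on interface inside",
    "%PIX-6-106015: Deny TCP (no connection) from 192.168.200.101/20 to 203.0.113.10/80 flags ACK on interface inside",
    "%PIX-6-106015: Deny TCP (no connection) from 192.168.200.101/20 to 203.0.113.10/443 flags ACK on interface inside",
    "%PIX-6-106015: Deny TCP (no connection) from 192.168.200.101/20 to 203.0.113.10/8080 flags ACK on interface inside",
    "%PIX-6-106015: Deny TCP (no connection) from 192.168.200.7/51234 to 203.0.113.10/80 flags ACK on interface inside",
    "%PIX-6-106015: Deny TCP (no connection) from 192.168.200.7/51235 to 203.0.113.10/80 flags RST ACK on interface inside",
    "%PIX-6-302001: Built outbound TCP connection 12 for 203.0.113.10/80 (203.0.113.10/80) to 192.168.200.7/51236",
]

def parse_106015(line):
    """Return the fields of a 106015 line as a dict (flags as a list), or None for other lines."""
    m = PIX_106015.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"].split()
    return rec

def find_ack_scanners(lines, iface="inside", min_ports=5):
    """Collect ACK-only denies seen on `iface`, keyed by source host.
    Returns {src: sorted distinct destination ports} for sources that hit at least min_ports ports."""
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_106015(line)
        if rec is None or rec["iface"] != iface or rec["flags"] != ["ACK"]:
            continue  # not a 106015, wrong interface, or a RST/ACK-style deny
        ports_by_src[rec["src"]].add(int(rec["dport"]))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for src, ports in find_ack_scanners(SAMPLE_LOG).items():
        print(f"{src}: ACK denies to {len(ports)} distinct ports {ports}")
```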